2 证书问题
OpenSSL与CRL一起使用,对于证书链中的某些CA,其CRL不包含在“TLSCRLFile”中
TLS服务器日志在mbed TLS(PolarSSL)和OpenSSL对等(peer)的情况下:
failed to accept an incoming connection: from 127.0.0.1: TLS handshake with 127.0.0.1 returned error code 1: \
file s3_srvr.c line 3251: error:14089086: SSL routines:ssl3_get_client_certificate:certificate verify failed: \
TLS write fatal alert "unknown CA"
在TLS服务器日志在GnuTLS对等(peer)的情况下:
failed to accept an incoming connection: from 127.0.0.1: TLS handshake with 127.0.0.1 returned error code 1: \
file rsa_pk1.c line 103: error:0407006A: rsa routines:RSA_padding_check_PKCS1_type_1:\
block type is not 01 file rsa_eay.c line 705: error:04067072: rsa routines:RSA_EAY_PUBLIC_DECRYPT:paddin
服务器运行期间CRL过期或到期
OpenSSL, 在服务器日志中:
- 到期前:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
SSL_connect() returned SSL_ERROR_SSL: file s3_clnt.c line 1253: error:14090086:\
SSL routines:ssl3_get_server_certificate:certificate verify failed:\
TLS write fatal alert "certificate revoked"
- 过期后:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
SSL_connect() returned SSL_ERROR_SSL: file s3_clnt.c line 1253: error:14090086:\
SSL routines:ssl3_get_server_certificate:certificate verify failed:\
TLS write fatal alert "certificate expired"
这里的意思是,使用有效的CRL,撤销的证书将被报告为“已撤销证书”。当CRL过期时,错误消息更改为“证书已过期”,这是相当误导的。
GnuTLS, 在服务器日志中:
- 过期前后相同:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
invalid peer certificate: The certificate is NOT trusted. The certificate chain is revoked.
mbed TLS (PolarSSL), 在服务器日志中:
- 到期前:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
invalid peer certificate: revoked
- 过期后:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
invalid peer certificate: revoked, CRL expired