2 证书问题

OpenSSL与CRL一起使用,对于证书链中的某些CA,其CRL不在“TLSCRLFile”中

mbed TLS (PolarSSL)OpenSSL 对等(peers)情形TLS服务器日志:

  1. failed to accept an incoming connection: from 127.0.0.1: TLS handshake with 127.0.0.1 returned error code 1: \
  2.     file s3_srvr.c line 3251: error:14089086: SSL routines:ssl3_get_client_certificate:certificate verify failed: \
  3.     TLS write fatal alert "unknown CA"

GnuTLS 对等(peer)情形TLS服务器日志:

  1. failed to accept an incoming connection: from 127.0.0.1: TLS handshake with 127.0.0.1 returned error code 1: \
  2.     file rsa_pk1.c line 103: error:0407006A: rsa routines:RSA_padding_check_PKCS1_type_1:\
  3.     block type is not 01 file rsa_eay.c line 705: error:04067072: rsa routines:RSA_EAY_PUBLIC_DECRYPT:paddin

服务器运行期间CRL过期或到期

OpenSSL 在服务器端日志:

  • 过期前:
  1. cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
  2.     SSL_connect() returned SSL_ERROR_SSL: file s3_clnt.c line 1253: error:14090086:\
  3.     SSL routines:ssl3_get_server_certificate:certificate verify failed:\
  4.     TLS write fatal alert "certificate revoked"
  • 过期后:
  1. cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
  2.     SSL_connect() returned SSL_ERROR_SSL: file s3_clnt.c line 1253: error:14090086:\
  3.     SSL routines:ssl3_get_server_certificate:certificate verify failed:\
  4.     TLS write fatal alert "certificate expired"

需要指出的是,有效的CRL撤销证书时,被告知为“证书撤销”。 当CRL到期时,错误消息将更改为“证书已过期”,这是非常容易误导的。

GnuTLS 在服务器日志:

  • 过期前或过期后:
  1. cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
  2.       invalid peer certificate: The certificate is NOT trusted. The certificate chain is revoked.

mbed TLS (PolarSSL), in server log:

  • 过期前:
  1. cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
  2.     invalid peer certificate: revoked
  • 过期后:
  1. cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
  2.       invalid peer certificate: revoked, CRL expired