Poco + OpenSSL + CA PEM:"Unacceptable certificate" 2 个相同站点中有 1 个出错

Poco + OpenSSL + CA PEM : "Unacceptable certificate" error for 1 out of 2 identical sites

我正在尝试与 www1.filemail.com 进行 SSL 握手。我正在使用 cURL 的 cacert.pem,但出现此错误:

Unacceptable certificate from 188.138.81.30: application verification failure

对任何其他 HTTPS 网站进行握手都有效 - 包括 www2.filemail.comwww1www2 应该配置相同 - 它们在所有浏览器中都可以正常工作。他们在这里也测试得很好(为两个站点发送了相同的证书和中间证书):

为什么我在 www1 使用 OpenSSL 和 cacert.pem 文件时遇到这个问题?

www1 和 www2 的证书设置一定有所不同。差异 - 但我总是在两个网站上得到完全相同的结果(除了 运行 我的代码)

我在这里错过了什么?这些站点之间有什么区别?

(应该注意的是,我们使用的是 RapidSSL 提供的相对便宜的通配符证书 - 所以我猜它与中间或交叉根证书有关 - 但在测试时一切似乎都是有序的使用上述工具。)


代码:

Poco::SharedPtr<Poco::Net::InvalidCertificateHandler> pCert = new Poco::Net::ConsoleCertificateHandler(false);
Poco::Net::Context::Ptr pContext = new Poco::Net::Context(Poco::Net::Context::CLIENT_USE, "", "", "C:\cacert.pem", Poco::Net::Context::VERIFY_RELAXED, 9, false, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
Poco::Net::SSLManager::instance().initializeClient(0, pCert, pContext);

URI uri("https://www1.filemail.com");
Poco::Net::SecureStreamSocket ss(Poco::Net::SocketAddress(uri.getHost().c_str(), uri.getPort()));
ss.completeHandshake();

www1 and www2 should be identically configured - and they both work fine in all browsers...

这是证书。差异显示它们是相同的终端实体(服务器)证书:

$ diff www1.txt www2.txt 
$

每个服务器都可以发送不同的链。使用 openssl s_clientopenssl x509-showcerts 来获得链。

www1

$ openssl s_client -connect www1.filemail.com:443 -tls1 -servername www1.filemail.com | openssl x509 -text -noout > www1.txt
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify error:num=20:unable to get local issuer certificate
^C
riemann:~$ cat www1.txt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15955 (0x3e53)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
        Validity
            Not Before: Oct 14 20:14:57 2014 GMT
            Not After : Aug  4 13:09:28 2018 GMT
        Subject: OU = GT83551982, OU = See www.rapidssl.com/resources/cps (c)14, OU = Domain Control Validated - RapidSSL(R), CN = *.filemail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:38:89:72:40:74:77:e2:76:f0:20:ae:d9:91:
                    26:ac:42:85:03:86:ff:2f:a1:94:b7:f3:86:4c:f7:
                    ce:63:46:47:e6:03:73:95:01:07:0b:e0:60:9a:93:
                    c3:b4:14:bc:4e:16:f2:50:12:89:11:42:f5:58:51:
                    74:15:81:d0:ce:6e:e2:85:e8:d2:3a:38:48:a3:02:
                    80:e0:a1:fa:ea:8f:ca:ee:bc:00:b3:b2:64:7f:9c:
                    da:ca:e8:3f:a7:48:af:5c:ed:8e:2f:27:95:19:52:
                    85:d1:15:9b:f5:4d:b7:21:44:89:05:6f:06:92:7b:
                    ab:9e:10:63:be:7e:ce:3b:58:10:68:ae:7a:52:6e:
                    e5:62:bf:ff:56:33:06:51:e5:61:a0:bd:6b:3c:c9:
                    f3:55:54:02:16:f2:56:27:81:be:83:82:53:25:1e:
                    c4:1c:1d:65:da:9f:2c:f7:97:49:3c:e1:03:35:1c:
                    da:c3:02:6d:93:1a:4a:89:53:4c:f5:3e:e7:f9:b9:
                    c0:10:e0:80:77:3a:d9:5d:ed:b1:46:9e:92:7e:86:
                    46:d7:be:fe:af:5a:af:02:b4:1b:d2:2b:08:1d:bc:
                    b5:93:8c:48:45:27:ba:26:69:a9:a8:9f:98:d3:de:
                    2d:f5:70:f5:39:6a:30:3b:8c:01:6c:85:19:a2:a6:
                    9a:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:C3:9C:F3:FC:D3:46:08:34:BB:CE:46:7F:A0:7C:5B:F3:E2:08:CB:59

            Authority Information Access: 
                OCSP - URI:http://gv.symcd.com
                CA Issuers - URI:http://gv.symcb.com/gv.crt

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:*.filemail.com, DNS:filemail.com
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://gv.symcb.com/gv.crl

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.54
                  CPS: https://www.rapidssl.com/legal

    Signature Algorithm: sha256WithRSAEncryption
         77:7e:54:47:93:6c:b0:4e:9c:dc:01:47:1f:76:54:9d:f2:42:
         94:c1:94:f8:7b:b4:68:82:fe:6d:66:45:68:e1:bd:df:ba:6d:
         15:a1:6c:b0:79:9e:d7:99:d9:11:7e:84:e9:f1:63:7c:92:25:
         c3:fe:cc:02:1a:61:b9:a3:29:59:18:c2:f1:d2:d7:84:dc:8d:
         28:2e:b5:6e:91:d9:68:65:37:5a:b9:b3:d5:f4:d1:1f:b2:ec:
         2b:0f:e1:50:30:72:f7:04:70:68:26:b0:61:47:44:49:d0:62:
         31:81:53:fa:cc:3a:7b:a1:3b:74:da:c2:3b:7b:5d:9c:23:de:
         69:92:51:fc:ff:8d:7a:ea:fd:b2:68:5f:38:3d:22:f6:a6:4a:
         d7:a0:88:97:06:54:fd:ba:dc:b9:3a:69:25:89:99:0e:81:82:
         c8:63:5c:87:98:bf:70:08:0a:89:20:a1:17:63:31:26:7b:af:
         b3:83:f3:9c:b6:7e:64:52:08:bf:a3:74:d5:0c:26:f6:25:7c:
         b9:cb:27:57:88:7f:af:1c:b5:99:08:4a:fd:c2:b4:ec:7a:40:
         ea:80:ac:e8:88:84:33:53:ab:90:af:bc:bc:ea:6f:88:fe:a8:
         f9:c7:63:a3:74:2c:0b:37:5c:90:39:ad:85:82:6a:e9:ea:a7:
         e1:55:c2:dd

www2

$ openssl s_client -connect www2.filemail.com:443 -tls1 -servername www2.filemail.com | openssl x509 -text -noout > www2.txt
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify error:num=20:unable to get local issuer certificate
^C
riemann:~$ cat www2.txt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15955 (0x3e53)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
        Validity
            Not Before: Oct 14 20:14:57 2014 GMT
            Not After : Aug  4 13:09:28 2018 GMT
        Subject: OU = GT83551982, OU = See www.rapidssl.com/resources/cps (c)14, OU = Domain Control Validated - RapidSSL(R), CN = *.filemail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:38:89:72:40:74:77:e2:76:f0:20:ae:d9:91:
                    26:ac:42:85:03:86:ff:2f:a1:94:b7:f3:86:4c:f7:
                    ce:63:46:47:e6:03:73:95:01:07:0b:e0:60:9a:93:
                    c3:b4:14:bc:4e:16:f2:50:12:89:11:42:f5:58:51:
                    74:15:81:d0:ce:6e:e2:85:e8:d2:3a:38:48:a3:02:
                    80:e0:a1:fa:ea:8f:ca:ee:bc:00:b3:b2:64:7f:9c:
                    da:ca:e8:3f:a7:48:af:5c:ed:8e:2f:27:95:19:52:
                    85:d1:15:9b:f5:4d:b7:21:44:89:05:6f:06:92:7b:
                    ab:9e:10:63:be:7e:ce:3b:58:10:68:ae:7a:52:6e:
                    e5:62:bf:ff:56:33:06:51:e5:61:a0:bd:6b:3c:c9:
                    f3:55:54:02:16:f2:56:27:81:be:83:82:53:25:1e:
                    c4:1c:1d:65:da:9f:2c:f7:97:49:3c:e1:03:35:1c:
                    da:c3:02:6d:93:1a:4a:89:53:4c:f5:3e:e7:f9:b9:
                    c0:10:e0:80:77:3a:d9:5d:ed:b1:46:9e:92:7e:86:
                    46:d7:be:fe:af:5a:af:02:b4:1b:d2:2b:08:1d:bc:
                    b5:93:8c:48:45:27:ba:26:69:a9:a8:9f:98:d3:de:
                    2d:f5:70:f5:39:6a:30:3b:8c:01:6c:85:19:a2:a6:
                    9a:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:C3:9C:F3:FC:D3:46:08:34:BB:CE:46:7F:A0:7C:5B:F3:E2:08:CB:59

            Authority Information Access: 
                OCSP - URI:http://gv.symcd.com
                CA Issuers - URI:http://gv.symcb.com/gv.crt

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:*.filemail.com, DNS:filemail.com
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://gv.symcb.com/gv.crl

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.54
                  CPS: https://www.rapidssl.com/legal

    Signature Algorithm: sha256WithRSAEncryption
         77:7e:54:47:93:6c:b0:4e:9c:dc:01:47:1f:76:54:9d:f2:42:
         94:c1:94:f8:7b:b4:68:82:fe:6d:66:45:68:e1:bd:df:ba:6d:
         15:a1:6c:b0:79:9e:d7:99:d9:11:7e:84:e9:f1:63:7c:92:25:
         c3:fe:cc:02:1a:61:b9:a3:29:59:18:c2:f1:d2:d7:84:dc:8d:
         28:2e:b5:6e:91:d9:68:65:37:5a:b9:b3:d5:f4:d1:1f:b2:ec:
         2b:0f:e1:50:30:72:f7:04:70:68:26:b0:61:47:44:49:d0:62:
         31:81:53:fa:cc:3a:7b:a1:3b:74:da:c2:3b:7b:5d:9c:23:de:
         69:92:51:fc:ff:8d:7a:ea:fd:b2:68:5f:38:3d:22:f6:a6:4a:
         d7:a0:88:97:06:54:fd:ba:dc:b9:3a:69:25:89:99:0e:81:82:
         c8:63:5c:87:98:bf:70:08:0a:89:20:a1:17:63:31:26:7b:af:
         b3:83:f3:9c:b6:7e:64:52:08:bf:a3:74:d5:0c:26:f6:25:7c:
         b9:cb:27:57:88:7f:af:1c:b5:99:08:4a:fd:c2:b4:ec:7a:40:
         ea:80:ac:e8:88:84:33:53:ab:90:af:bc:bc:ea:6f:88:fe:a8:
         f9:c7:63:a3:74:2c:0b:37:5c:90:39:ad:85:82:6a:e9:ea:a7:
         e1:55:c2:dd

I am trying to do a SSL handshake towards www1.filemail.com - but I am getting this error:

Unacceptable certificate from 188.138.81.30: application verification failure

RapidSSL SHA256 CA - G3是CA;它颁发 服务器的证书。服务器名为 subject。当您沿着一条链前进时, 发行者 成为当前 主题。链的顶部是自签名根。在根部,发行者==主题.

RapidSSL G3 CA 是 (1) 自签名的,因此它是根 CA;或 (2) 由链中更高层的另一个 CA 签名,因此它是从属 CA(即,它有一个 颁发者 )。在这种情况下,G3 CA 是从属的并且它有一个颁发者。

听起来好像一台服务器正在发送验证服务器证书所需的完整链;而另一台服务器不是。服务器应该发送完整的链以避免 PKI 中的 "which directory" problem"complete chain" 是每个证书 除了 自签名根(但许多人也发送根)。

客户端必须先验信任自签名根,以及它不应该被发送的原因(否则,一个坏这家伙可以换入他自己的链)。或者,不使用 cacert.pem:

Poco::Net::Context::CLIENT_USE, "", "", "C:\cacert.pem", ...

您可以加​​载 RapidSSL SHA256 CA - G3 并将其用作信任的根。您将避免 cacert.pem 不需要 验证服务器链的其他 300 个左右的 CA。它的安全工程很好。

您可以从位于 Intermediate CA Certificate: RapidSSL with SHA-2 (under SHA-1 Root).

的 rapidSSL 站点获取 RapidSSL SHA256 CA - G3

更新使用 RapidSSL SHA256 CA - G3:

这是签名者的证书:

$ cat rapidssl.pem 
-----BEGIN CERTIFICATE-----
MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp
SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS
1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ
DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM
QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp
YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry
dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs
rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp
fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B
kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH
uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O
ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
gP8L8mJMcCaY
-----END CERTIFICATE-----

注意 OpenSSL 已完成 验证 return 代码:2(无法获得颁发者证书)。这很好,因为您不关心发行人。您已将信任根植于 GeoTrust Inc., CN = RapidSSL SHA256 CA - G3RapidSSL SHA256 CA - G3 certified/signed 服务器的证书。

$ openssl s_client -connect www1.filemail.com:443 -tls1 -servername www1.filemail.com -CAfile rapidssl.pem 
CONNECTED(00000003)
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify error:num=2:unable to get issuer certificate
issuer= C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
Server did acknowledge servername extension.
---
Certificate chain
 0 s:/OU=GT83551982/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.filemail.com
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEsDCCA5igAwIBAgICPlMwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCVVMx
FjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlkU1NMIFNIQTI1
NiBDQSAtIEczMB4XDTE0MTAxNDIwMTQ1N1oXDTE4MDgwNDEzMDkyOFowgZIxEzAR
BgNVBAsTCkdUODM1NTE5ODIxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29t
L3Jlc291cmNlcy9jcHMgKGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZh
bGlkYXRlZCAtIFJhcGlkU1NMKFIpMRcwFQYDVQQDDA4qLmZpbGVtYWlsLmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMU4iXJAdHfidvAgrtmRJqxC
hQOG/y+hlLfzhkz3zmNGR+YDc5UBBwvgYJqTw7QUvE4W8lASiRFC9VhRdBWB0M5u
4oXo0jo4SKMCgOCh+uqPyu68ALOyZH+c2sroP6dIr1ztji8nlRlShdEVm/VNtyFE
iQVvBpJ7q54QY75+zjtYEGiuelJu5WK//1YzBlHlYaC9azzJ81VUAhbyVieBvoOC
UyUexBwdZdqfLPeXSTzhAzUc2sMCbZMaSolTTPU+5/m5wBDggHc62V3tsUaekn6G
Rte+/q9arwK0G9IrCB28tZOMSEUnuiZpqaifmNPeLfVw9TlqMDuMAWyFGaKmmmUC
AwEAAaOCAVgwggFUMB8GA1UdIwQYMBaAFMOc8/zTRgg0u85Gf6B8W/PiCMtZMFcG
CCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL2d2LnN5bWNkLmNvbTAm
BggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNiLmNvbS9ndi5jcnQwDgYDVR0PAQH/
BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAnBgNVHREEIDAe
gg4qLmZpbGVtYWlsLmNvbYIMZmlsZW1haWwuY29tMCsGA1UdHwQkMCIwIKAeoByG
Gmh0dHA6Ly9ndi5zeW1jYi5jb20vZ3YuY3JsMAwGA1UdEwEB/wQCMAAwRQYDVR0g
BD4wPDA6BgpghkgBhvhFAQc2MCwwKgYIKwYBBQUHAgEWHmh0dHBzOi8vd3d3LnJh
cGlkc3NsLmNvbS9sZWdhbDANBgkqhkiG9w0BAQsFAAOCAQEAd35UR5NssE6c3AFH
H3ZUnfJClMGU+Hu0aIL+bWZFaOG937ptFaFssHme15nZEX6E6fFjfJIlw/7MAhph
uaMpWRjC8dLXhNyNKC61bpHZaGU3Wrmz1fTRH7LsKw/hUDBy9wRwaCawYUdESdBi
MYFT+sw6e6E7dNrCO3tdnCPeaZJR/P+Neur9smhfOD0i9qZK16CIlwZU/brcuTpp
JYmZDoGCyGNch5i/cAgKiSChF2MxJnuvs4PznLZ+ZFIIv6N01Qwm9iV8ucsnV4h/
rxy1mQhK/cK07HpA6oCs6IiEM1OrkK+8vOpviP6o+cdjo3QsCzdckDmthYJq6eqn
4VXC3Q==
-----END CERTIFICATE-----
subject=/OU=GT83551982/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.filemail.com
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
Server Temp Key: ECDH, P-521, 521 bits
---
SSL handshake has read 2834 bytes and written 338 bytes
Verification error: unable to get issuer certificate
---
New, SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 27390000AF3638FDEA75DDF52B9D937F290593304123134062F049306BBDE87F
    Session-ID-ctx: 
    Master-Key: E8E2613F6267C705CA82EEE4C8A992880A2ABDA9E8D477A10C952764B1F4DD3D39244D3F0AD915B8FEB7E5FA1E8D55FD
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1473889933
    Timeout   : 7200 (sec)
    Verify return code: 2 (unable to get issuer certificate)
    Extended master secret: yes
----

Günter Obiltschnig 通过 POCO@Github 帮我解决了问题,并通过替换

使其正常工作
Poco::Net::SecureStreamSocket ss(Poco::Net::SocketAddress(uri.getHost().c_str(), uri.getPort()));

Poco::Net::SecureStreamSocket ss(Poco::Net::SocketAddress(uri.getHost().c_str(), uri.getPort()), uri.getHost());

(在SecureStreamSocket的构造函数中包含主机名-用于证书验证)

来自 POCO 文档:

SecureStreamSocket(
    const SocketAddress & address,
    const std::string & hostName
);

//Creates a secure stream socket using the default client SSL context and connects it to the socket specified by address.
//The given host name is used for certificate verification <=======

我仍然不知道 www1 和 www2 在配置上的确切区别,如果有人能告诉我这个我会很高兴。