thin rails server/eventmachine on windows 不适用于自定义证书
thin rails server/eventmachine on windows does not work with custom certificate
在 windows (Install OpenSSL with Ruby for eventmachine on Windows 7 x86) 上构建了我自己的支持 SSL 的 eventmachine/thin 之后,我遇到了另一个 SSL 证书问题:当我使用内置的自签名证书时很好,但它在使用公司证书时不响应任何请求
我的证书获取路径如下:
- 我用 puttygen (ssl-private.key) 生成了私钥
- 我使用以下命令生成了 CSR:
openssl req -out ssl.csr -key ssl-private.key -new
- 我向 CA 发送了 CSR 并收到了 P7B 文件
- 我使用以下命令转换了 P7B:
openssl pkcs7 -inform DER -outform PEM -in cert.p7b -print_certs > cert.crt
这里会出什么问题?
我检查了什么:
openssl rsa -in ssl-private.key -check
说 "RSA key ok"
openssl x509 -in cert.crt -text -noout
说
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
***
Signature Algorithm: sha1WithRSAEncryption
Issuer: ***
Validity
Not Before: Feb 16 08:47:25 2004 GMT
Not After : Feb 16 08:55:36 2024 GMT
Subject: ***
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
***
Exponent: 3 (0x3)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
***
1.3.6.1.4.1.311.21.1:
...
Signature Algorithm: sha1WithRSAEncryption
***
同时对使用
创建的自签名证书进行相同的检查
openssl genrsa -des3 -out server.orig.key 2048
openssl rsa -in server.orig.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
说
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
***
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
Validity
Not Before: Jun 24 14:42:07 2015 GMT
Not After : Jun 23 14:42:07 2016 GMT
Subject: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
***
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
***
确定一些更改:我更改了 crt 文件中的证书顺序,因此最终证书不是最后一个而是第一个,结果不同:chrome 丢弃 NET::ERR_CERT_INVALID 的错误,IE 类似和两者都没有进一步导航
openssl s_client 输出(看起来不错,*** Root CA 1 在 windows 中受信任):
Loading 'screen' into random state - done
CONNECTED(000001E8)
depth=1 DC = com, DC = ***, CN = *** Enterprise CA 1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=***/ST=***/O=***/CN=***.com
i:/DC=com/DC=***/CN=*** Enterprise CA 1
1 s:/DC=com/DC=***/CN=*** Enterprise CA 1
i:/DC=com/DC=***/CN=*** Root CA 1
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=/C=***/ST=***/O=***/CN=***.com
issuer=/DC=com/DC=***/CN=*** Enterprise CA 1
---
No client certificate CA names sent
---
SSL handshake has read 3404 bytes and written 665 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: ***
Session-ID-ctx:
Master-Key: ***
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket: ***
Start Time: 1435319943
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
我做了一个简单的https服务器(lib/emtestssl):
require 'rubygems'
require 'bundler/setup'
Bundler.require
class ServerHandler < EM::Connection
def post_init
puts "post_init"
start_tls :private_key_file => 'private.key', :cert_chain_file => 'comb.crt', :verify_peer => false
end
def receive_data(data)
puts "Received data in server: #{data}"
send_data("HTTP/1.1 200 OK\n\nHello world!")
close_connection_after_writing
end
end
EventMachine.run do
puts 'Starting server...'
EventMachine.start_server('145.245.202.233', 443, ServerHandler)
end
没有 tls 也能正常工作,有 tls 的浏览器将不允许连接:(
根据 http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify 私钥和证书匹配
看起来(已修补)eventmachine 完全没问题:我从现有服务器获取了 key/cert 对并且(在浏览器发出 url 不匹配警告后)它工作正常
比较证书后,我的 CA 似乎失败了,并给我带来了一个属性错误的证书:工作的一个被描述为服务器身份验证 (1.3.6.1.5.5.7.3.1),而失败的一个是客户端身份验证 ( 1.3.6.1.5.5.7.3.2)
我将发布另一个 csr 并向他们收取损失的一天...:/
也许一个重要的发现是证书文件中的证书顺序:必须从最终证书到链末端的根证书
在 windows (Install OpenSSL with Ruby for eventmachine on Windows 7 x86) 上构建了我自己的支持 SSL 的 eventmachine/thin 之后,我遇到了另一个 SSL 证书问题:当我使用内置的自签名证书时很好,但它在使用公司证书时不响应任何请求
我的证书获取路径如下:
- 我用 puttygen (ssl-private.key) 生成了私钥
- 我使用以下命令生成了 CSR:
openssl req -out ssl.csr -key ssl-private.key -new
- 我向 CA 发送了 CSR 并收到了 P7B 文件
- 我使用以下命令转换了 P7B:
openssl pkcs7 -inform DER -outform PEM -in cert.p7b -print_certs > cert.crt
这里会出什么问题?
我检查了什么:
openssl rsa -in ssl-private.key -check
说 "RSA key ok"
openssl x509 -in cert.crt -text -noout
说
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
***
Signature Algorithm: sha1WithRSAEncryption
Issuer: ***
Validity
Not Before: Feb 16 08:47:25 2004 GMT
Not After : Feb 16 08:55:36 2024 GMT
Subject: ***
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
***
Exponent: 3 (0x3)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
***
1.3.6.1.4.1.311.21.1:
...
Signature Algorithm: sha1WithRSAEncryption
***
同时对使用
创建的自签名证书进行相同的检查openssl genrsa -des3 -out server.orig.key 2048
openssl rsa -in server.orig.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
说
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
***
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
Validity
Not Before: Jun 24 14:42:07 2015 GMT
Not After : Jun 23 14:42:07 2016 GMT
Subject: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
***
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
***
确定一些更改:我更改了 crt 文件中的证书顺序,因此最终证书不是最后一个而是第一个,结果不同:chrome 丢弃 NET::ERR_CERT_INVALID 的错误,IE 类似和两者都没有进一步导航
openssl s_client 输出(看起来不错,*** Root CA 1 在 windows 中受信任):
Loading 'screen' into random state - done
CONNECTED(000001E8)
depth=1 DC = com, DC = ***, CN = *** Enterprise CA 1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=***/ST=***/O=***/CN=***.com
i:/DC=com/DC=***/CN=*** Enterprise CA 1
1 s:/DC=com/DC=***/CN=*** Enterprise CA 1
i:/DC=com/DC=***/CN=*** Root CA 1
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=/C=***/ST=***/O=***/CN=***.com
issuer=/DC=com/DC=***/CN=*** Enterprise CA 1
---
No client certificate CA names sent
---
SSL handshake has read 3404 bytes and written 665 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: ***
Session-ID-ctx:
Master-Key: ***
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket: ***
Start Time: 1435319943
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
我做了一个简单的https服务器(lib/emtestssl):
require 'rubygems'
require 'bundler/setup'
Bundler.require
class ServerHandler < EM::Connection
def post_init
puts "post_init"
start_tls :private_key_file => 'private.key', :cert_chain_file => 'comb.crt', :verify_peer => false
end
def receive_data(data)
puts "Received data in server: #{data}"
send_data("HTTP/1.1 200 OK\n\nHello world!")
close_connection_after_writing
end
end
EventMachine.run do
puts 'Starting server...'
EventMachine.start_server('145.245.202.233', 443, ServerHandler)
end
没有 tls 也能正常工作,有 tls 的浏览器将不允许连接:(
根据 http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify 私钥和证书匹配
看起来(已修补)eventmachine 完全没问题:我从现有服务器获取了 key/cert 对并且(在浏览器发出 url 不匹配警告后)它工作正常
比较证书后,我的 CA 似乎失败了,并给我带来了一个属性错误的证书:工作的一个被描述为服务器身份验证 (1.3.6.1.5.5.7.3.1),而失败的一个是客户端身份验证 ( 1.3.6.1.5.5.7.3.2)
我将发布另一个 csr 并向他们收取损失的一天...:/
也许一个重要的发现是证书文件中的证书顺序:必须从最终证书到链末端的根证书