The most common problem when connecting to an SSL server with s_client is that the client fails to authenticate the server. There are several reasons for such failures; the following lists the common mistakes and explains how to use s_client to confirm each one.

● The server certificate was altered in transit

1. Extract the server certificate. On a Linux platform, create the script in Listing 2 and save it as retrieve-cert.sh. The script prints the server's X.509 certificate as Base64-encoded PEM; run it and redirect the output into a file named server.pem.

Listing 2. Extract certificate

#!/bin/sh
## usage: retrieve-cert.sh remote.host.name [port]
SSLHOST=$1
SSLPORT=${2:-443}
echo | openssl s_client -connect ${SSLHOST}:${SSLPORT} 2>&1 | \
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

(The echo on stdin closes the connection once the handshake is finished, so s_client exits instead of waiting for input; the sed range keeps only the PEM block out of everything s_client prints.)

2. Verify the extracted certificate by running "openssl verify server.pem". If the certificate contents were altered, the command fails as shown in Listing 4:

Listing 4. Certificate verify failed

[root@wks547385wss openssl]# openssl verify server.pem
unable to load certificate
19280:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:947:
19280:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509
19280:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:82:

These are ASN.1 parsing errors: the file no longer decodes as an X.509 structure at all, which is what tampering or truncation in transit (for example by an intercepting proxy) looks like. A certificate that decodes correctly but is merely untrusted fails in a different way, covered in the next case. Otherwise the certificate loads and verifies, and the result is as in Listing 5:

Listing 5. Certificate validation succeeded

[root@wks547385wss openssl]# openssl verify server.pem
server.pem: OK

Note that "openssl verify" with no -CAfile or -CApath option only reports OK when the issuing CA is already in the default trust store of the machine you run it on.

● The client does not have the root certificate needed to authenticate the server certificate

1. Use the -state parameter to see at which point in the handshake certificate authentication fails, as in Listing 6.

Listing 6. Display the SSL handshake protocol status

[root@wks547385wss openssl]# openssl s_client -connect www6.software.ibm.com:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A

The line "verify error:num=19:self signed certificate in certificate chain" is reported at depth=1, i.e. when s_client reaches the top of the chain the server sent (the Equifax root) and cannot find that root in its own trust store. Error 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, and the cure is to give s_client the root with -CAfile (a single PEM file) or -CApath (a hashed directory). Note that the handshake in Listing 6 still completes: unlike a browser, s_client continues after a verification failure by default (unless -verify_return_error is given), so the verify error line, not the connection result, is the signal to look for.
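An added example, not part of the original article, that makes the two checks above reproducible offline: the same sed extraction as retrieve-cert.sh, a framing and Base64-alphabet pre-check that catches an altered PEM before "openssl verify" is even run, and a parser for the verify error number in -state output. The s_client transcript and the certificate body are constructed stand-ins (the body is not a real X.509 certificate), the host and CA names in it are made up, and nothing here contacts a server.

```shell
#!/bin/sh
# Added example (not from the original article). All input below is
# constructed; no certificate here is real and nothing touches the network.

# Same sed range the article's retrieve-cert.sh uses: keep only the PEM block
# from an s_client transcript read on stdin.
extract_cert() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Cheap pre-check before 'openssl verify': the PEM read from stdin must be
# properly framed and every body line must use the Base64 alphabet only.
# A certificate altered in transit typically fails here already, which is
# the situation behind "unable to load certificate" in the article.
# Returns 0 if the framing is intact, 1 otherwise.
check_pem_framing() {
    pem=$(cat)
    first=$(printf '%s\n' "$pem" | head -n 1)
    last=$(printf '%s\n' "$pem" | tail -n 1)
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$last" = "-----END CERTIFICATE-----" ] || return 1
    body=$(printf '%s\n' "$pem" | sed '1d;$d')
    [ -n "$body" ] || return 1
    # any body line containing a non-Base64 character means corruption
    printf '%s\n' "$body" | grep -vq '^[A-Za-z0-9+/=]*$' && return 1
    return 0
}

# Pull the X509 verify error number out of 's_client -state' output on stdin.
# Prints the first 'verify error:num=N' value (19 = self signed certificate
# in certificate chain, i.e. the client lacks the root CA and needs
# -CAfile/-CApath), or 0 when no verify error line appeared.
handshake_verify_errnum() {
    n=$(sed -ne 's/^verify error:num=\([0-9][0-9]*\):.*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Constructed stand-in for one line of a PEM body: Base64 alphabet only,
# deliberately not a real DER structure.
SAMPLE_BODY='MIIBxzCCAXGgAwIBAgIJAKHBfY0SAMPLEMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNV'

# Constructed s_client -state transcript modelled on the article's Listing 6.
# Host and CA names are made up.
sample_transcript() {
    cat <<EOF
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/O=Example CA/OU=Constructed Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
---
Certificate chain
 0 s:/C=US/O=Example/CN=www.example.test
   i:/C=US/O=Example CA/OU=Constructed Root
---
Server certificate
-----BEGIN CERTIFICATE-----
$SAMPLE_BODY
$SAMPLE_BODY
-----END CERTIFICATE-----
subject=/C=US/O=Example/CN=www.example.test
issuer=/C=US/O=Example CA/OU=Constructed Root
---
EOF
}

# Demonstration: extract the PEM, pre-check it, then simulate one byte
# altered in transit and show the pre-check rejecting it.
demo() {
    pem=$(sample_transcript | extract_cert)
    if printf '%s\n' "$pem" | check_pem_framing; then
        echo "intact PEM: framing OK, safe to hand to 'openssl verify -CAfile ca.pem server.pem'"
    fi
    tampered=$(printf '%s\n' "$pem" | sed '2s/^./!/')
    if ! printf '%s\n' "$tampered" | check_pem_framing; then
        echo "altered PEM: framing check failed, rejected before 'openssl verify'"
    fi
    echo "handshake verify error num: $(sample_transcript | handshake_verify_errnum)"
}
demo
```

Run it as "sh check-cert.sh" (any filename works). To use the helpers against a live server, replace sample_transcript with "echo | openssl s_client -connect host:443 -state 2>&1" and pass the PEM that check_pem_framing accepts on to "openssl verify -CAfile root.pem".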