I created a simple SSL client/server program in which I use self-signed certificates, created with my own local CA following the guide at https://help.ubuntu.com/community/OpenSSL.
So I have my CA certificate and private key, a server certificate signed by my CA together with the server private key, and a client certificate signed by my CA together with the client private key.
Below is the part of the client and server code that shows the certificate loading and the SSL handshake.
Server:

```c
SSL_library_init();
ctx = InitServerCTX();                                       /* initialize SSL */
LoadCertificates(ctx, "server_crt.pem", "server_key.pem");   /* load certs */
SSL_CTX_load_verify_locations(ctx, "cacert.pem", NULL);      /* CA used to verify the client cert */
//SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, 0); /* request and verify a client cert */
SSL_CTX_set_verify_depth(ctx, 1);
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file("cacert.pem")); /* CA names sent in the CertificateRequest */
server = OpenListener(atoi(portnum));                        /* create server socket */
while (1)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof(addr);                            /* accept() expects socklen_t, not int */
    SSL *ssl;
    int client = accept(server, (struct sockaddr*) &addr, &len); /* accept connection as usual */
    printf("Connection: %s:%d\n", inet_ntoa(addr.sin_addr), ntohs(addr.sin_port));
    ssl = SSL_new(ctx);                                      /* get new SSL state with context */
    SSL_set_fd(ssl, client);                                 /* set connection socket to SSL state */
    Servlet(ssl);                                            /* service connection */
}
```
Client:

```c
SSL_library_init();
ctx = InitCTX();
LoadCertificates(ctx, "client_crt.pem", "client_key.pem");   /* load certs */
SSL_CTX_load_verify_locations(ctx, "cacert.pem", NULL);      /* CA used to verify the server cert */
SSL_CTX_set_verify_depth(ctx, 1);
server = OpenConnection(hostname, atoi(portnum));
ssl = SSL_new(ctx);                                          /* create new SSL connection state */
SSL_set_fd(ssl, server);                                     /* attach the socket descriptor */
if (SSL_connect(ssl) != 1)                                   /* perform the connection */
    ERR_print_errors_fp(stderr);
else
{
    char *msg = "This is Darshan";
    printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
    ShowCerts(ssl);                                          /* get any certs */
    SSL_write(ssl, msg, strlen(msg));                        /* encrypt & send message */
    bytes = SSL_read(ssl, buf, sizeof(buf) - 1);             /* get reply & decrypt; leave room for the NUL */
    if (bytes < 0)                                           /* SSL_read returns <= 0 on error or shutdown */
        bytes = 0;
    buf[bytes] = 0;
    printf("Received: \"%s\"\n", buf);
    SSL_free(ssl);                                           /* release connection state */
}
```
Now, when I run this program, I get the following error on the client side:

3073476808:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1248:SSL alert number 43

Why am I getting this error? My certificates are fine; both the client and the server certificate are signed by my CA. Please help me find the mistake.
Client certificate:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=My Root Certificate Authority, ST=somestate, C=IN/emailAddress=xyz@xyz.com, O=XYZ Ltd., OU=Department
        Validity
            Not Before: Jan 18 07:50:30 2013 GMT
            Not After : Jan 17 07:50:30 2018 GMT
        Subject: CN=localhost, ST=somestate, C=IN/emailAddress=abc@abc.com, O=ABC Ltd., OU=Software Department
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: md5WithRSAEncryption
```
Client configuration file:

```
#
# example.cnf
#
[ req ]
prompt = no
distinguished_name = server_distinguished_name

[ server_distinguished_name ]
commonName = abc.com
stateOrProvinceName = NC
countryName = US
emailAddress = root@abc.com
organizationName = My Organization Name
organizationalUnitName = Subunit of My Large Organization
```