
I was working on an issue today where Google Chrome showed users "Invalid server certificate" when they tried to connect to a site. We verified the SSL chain and the certificate, and verified connectivity; nothing seemed to be wrong. openssl s_client connect likewise seemed fine. We even ran a tcpdump and, although I'm not particularly practised at reading them, I saw no obvious errors.

Eventually, just for a laugh, I opened the link in Firefox to verify that I wasn't somehow getting a cached copy, and I got a new error: "Certificate type not approved for application." At that point we quickly saw that our server certificate had been configured as a client certificate. Problem solved.

My question is: at what stage in the process is the purpose validated? I feel like I should have seen this error in the tcpdump, or especially in openssl s_client connect. I'm wondering whether the certificate purpose isn't checked until later.

If it helps, the request is being sent from a Netscaler virtual server to a WebSEAL instance.


1 Answer


It's validated by the client, not the protocol. Part of the protocol is to transfer the public portion of the cert, which includes metadata like acceptable uses. It's then up to the client to decide if the certificate is valid for the use case the application is executing. The protocol has no way of knowing what the application type is, or what the full set of uses are (this was metadata that was added later in the development of the standard).

This is why OpenSSL doesn't care, but Chrome / Firefox do.

answered 2013-06-06T20:33:33.583
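As an added illustration, not part of the question or the answer above: the purpose check is a policy the verifying client applies to the extendedKeyUsage metadata it received, not a step of the handshake itself, and OpenSSL exposes that same policy through `openssl verify -purpose`. The script below assumes an `openssl` binary that supports `req -addext` (OpenSSL 1.1.1 or newer) and a constructed subject name `example.test`. It creates two throwaway self-signed certificates that differ only in their extendedKeyUsage and asks the verifier whether each is acceptable as an SSL server or an SSL client; the clientAuth-only certificate is the analogue of the misconfigured server certificate in the question.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes an openssl binary that
# supports `req -addext` (OpenSSL 1.1.1 or newer); CN=example.test is constructed.
set -e

WORK=$(mktemp -d)                  # scratch dir for throwaway keys and certs
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU
# Self-signed certificate whose extendedKeyUsage extension is exactly EKU
# (e.g. serverAuth or clientAuth). Key and cert land in $WORK/NAME.{key,pem}.
make_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -days 1 -subj "/CN=example.test" \
    -addext "extendedKeyUsage=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# cert_eku NAME
# Print the extendedKeyUsage extension the certificate carries: this is the
# "acceptable uses" metadata the server hands to the client in the handshake.
cert_eku() {
  openssl x509 -in "$WORK/$1.pem" -noout -ext extendedKeyUsage
}

# purpose_ok NAME PURPOSE
# Exit 0 if OpenSSL's verifier accepts the cert for PURPOSE (sslserver,
# sslclient, ...). The cert is its own trust anchor, so chain building and
# signature checks succeed and only the purpose policy can reject it.
# Output is discarded on purpose; the exit status is the result.
purpose_ok() {
  openssl verify -purpose "$2" -CAfile "$WORK/$1.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

make_cert server serverAuth   # a correctly issued server certificate
make_cert client clientAuth   # the mistake from the question: client-only EKU

# Same bytes on the wire in both cases; only the client's policy differs.
for name in server client; do
  cert_eku "$name"
  for purpose in sslserver sslclient; do
    if purpose_ok "$name" "$purpose"; then
      echo "$name cert: accepted for $purpose"
    else
      echo "$name cert: REJECTED for $purpose (unsupported certificate purpose)"
    fi
  done
done
```

Running it shows the serverAuth certificate accepted for `sslserver` and rejected for `sslclient`, and the clientAuth certificate the other way round. Nothing about the TLS exchange changes between the two; a client that does not ask for a purpose (or ignores the verifier's answer) will happily complete the handshake with either, which is the behaviour the answer describes.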