
The following code gives an error on Heroku, but only every other time.

require 'socket'
require 'openssl'

host = "api.pagepeeker.com"
cert = "/usr/lib/ssl/certs/ca-certificates.crt"
(0..19).map do |i|
  ssl_context = OpenSSL::SSL::SSLContext.new
  # verify_mode 1 is OpenSSL::SSL::VERIFY_PEER: the handshake fails if the chain does not verify
  ssl_context.set_params(ca_file: cert, verify_mode: 1)
  s = OpenSSL::SSL::SSLSocket.new(TCPSocket.open(host, 443, nil, nil), ssl_context)
  s.sync_close = true
  s.hostname = host  # send SNI
  begin
    s.connect
  rescue
    "error"
  else
    "ok"
  ensure
    s.close
  end
end.join(' ')

#=> ok error ok error ok error ok error ok error

The error is: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

This corresponds to Net::HTTP.get(URI.parse("https://api.pagepeeker.com"))

I am puzzled by the alternating failures and successes. Upgrading OpenSSL from 0.9.8k to 1.0.1e did not help.

3 Answers

This was a misconfiguration of one of PagePeeker's load balancers. It was fixed once the issue was reported to them.

answered 2013-10-06T17:28:19.647

对不起第二个答案。第一个太长了,无法解决,这是一个不同的发现。

问题的一部分似乎是 pagepeeker.com 没有发送验证链所需的所有证书。也就是说,它不发送所需的中间证书。

如果 pagepeeker.com 没有发送所有需要的证书,那么客户端会遇到“哪个目录”的问题。它在 PKI 中广为人知,这意味着客户端不知道应该查询哪个 X500 目录以查找丢失的中间证书。

现在,回到您的问题:您可能会看到一个间歇性问题,因为负载平衡环境中可能有一台配置错误的服务器。您的问题的部分解决方案可能是 pagekeeper.com 服务器发送所有必需的证书。

Here are the certificates pagepeeker.com sends:

$ echo "GET / HTTP\1.1" | openssl s_client -connect api.pagepeeker.com:443 -showcerts
CONNECTED(00000003)
depth=0 description = 8CTO6gSuxeRRsIXl, C = RO, CN = api.pagepeeker.com, emailAddress = alexandru.florescu@gmail.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 description = 8CTO6gSuxeRRsIXl, C = RO, CN = api.pagepeeker.com, emailAddress = alexandru.florescu@gmail.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 description = 8CTO6gSuxeRRsIXl, C = RO, CN = api.pagepeeker.com, emailAddress = alexandru.florescu@gmail.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.florescu@gmail.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
Server certificate
subject=/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.florescu@gmail.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1957 bytes and written 648 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 92E4B4B744DDFE63EBD2EDC8D0D6065FF9D05589FD10A05E0C971F6CE0B2526D
    Session-ID-ctx: 
    Master-Key: CE01E4B9BFB3D0F3B95F81004013320DE44BFBE399AB84ABA047C0064DBDABC200CE5472F74EA5881BF99F66A58729F7
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:

    Start Time: 1380751071
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE

If you look at what comes from, for example, Google, you will see that the whole chain is sent:

$ echo "GET / HTTP\1.1" | openssl s_client -connect encrypted.google.com:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 4410 bytes and written 448 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: D87198A1294D6B41660C0DA153137348B6F65BBD2E6B7D410104964C21A33682
    Session-ID-ctx: 
    Master-Key: 2967DF01FECCBC2EF444C7723BD3CA105C522BFC613D568F8D65D3D28F2A8CD6EF031D9B6D3132DE3D8B3364ED061A41
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:

    Start Time: 1380750955
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE
answered 2013-10-02T22:05:08.860

The host certificate they are using does not chain back to a [trusted] root certificate. You should probably be seeing the error more often (every time?).

You may need to call SSL_CTX_load_verify_locations with a file that contains the required StartCom root certificate. You can get the StartCom roots from http://www.startssl.com/?app=26. You want the one containing "StartCom Certification Authority"; I believe it is in the bundle http://www.startssl.com/certs/ca-bundle.pem. There are several in that file, but OpenSSL handles the connection fine as long as you are willing to accept the risk of the extra roots.

$ echo "GET / HTTP\1.1" | openssl s_client -connect api.pagepeeker.com:443
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.florescu@gmail.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
subject=/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.florescu@gmail.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5552 bytes and written 648 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: D761D5D91D9BD18933CD68A37A9E65CC9CF6D0A0F28A8CB1D07C34C0E7B98253
    Session-ID-ctx: 
    Master-Key: 43E285E1113C70B0767EE4B62B042166D1BFC86B62BAFE0F3338DB2771479EE51C99C19DC6E09E98E44FB79130206B9F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:

    Start Time: 1380706251
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
DONE

When I use the StartCom CA bundle with the -CAfile option, I cannot reproduce the failure, even on consecutive runs:

$ echo "GET / HTTP\1.1" | openssl s_client -connect api.pagepeeker.com:443 -CAfile startcom-ca-bundle.pem 
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = 8CTO6gSuxeRRsIXl, C = RO, CN = api.pagepeeker.com, emailAddress = alexandru.florescu@gmail.com
verify return:1
---
Certificate chain
 0 s:/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.florescu@gmail.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
subject=/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.florescu@gmail.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5552 bytes and written 648 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 9A0E34E509AA7C2EED12E58D0D80B078B39D4A5A5C981E510D9D190E5F76B911
    Session-ID-ctx: 
    Master-Key: 2F447B622ACBB0006DC121FA43FB562ACE2BDEAF73D3EC887AF7BC22548392AB42E3625530874EA541C569DB7543E273
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:

    Start Time: 1380708844
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
answered 2013-10-02T09:41:29.427
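To reproduce offline the chain-building behaviour the two answers above describe (a server that omits its intermediate, versus a complete chain whose root the client does not trust), here is an added Ruby example that is not code from the question or the answers. It builds a constructed toy root/intermediate/leaf PKI (the CA names and the api.example.test hostname are made up) and runs the same X.509 verification a TLS client performs, returning the same "num=" verify codes that appear in the s_client output.

```ruby
require 'openssl'

# Constructed toy PKI (root CA -> intermediate CA -> leaf). The names are made
# up; these are not the real StartCom or pagepeeker.com certificates.
def make_cert(subject, key, issuer_cert, issuer_key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject  # nil issuer = self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  # basicConstraints CA:TRUE plus keyCertSign is what lets OpenSSL accept a
  # certificate as a link in the chain rather than only as an end entity.
  bc = ca ? 'CA:TRUE' : 'CA:FALSE'
  ku = ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment'
  cert.add_extension(ef.create_extension('basicConstraints', bc, true))
  cert.add_extension(ef.create_extension('keyUsage', ku, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
INT_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT = make_cert('/CN=Toy Root CA', ROOT_KEY, nil, nil, 1, ca: true)
INTERMEDIATE = make_cert('/CN=Toy Intermediate CA', INT_KEY, ROOT, ROOT_KEY, 2, ca: true)
LEAF = make_cert('/CN=api.example.test', LEAF_KEY, INTERMEDIATE, INT_KEY, 3, ca: false)

# Verify +leaf+ the way a TLS client does. +presented+ are the untrusted
# certificates the server sent alongside the leaf (what s_client lists under
# "Certificate chain"); +trusted+ are the roots in the client's CA file.
# Returns the X.509 verify result code (the "num=" in s_client's "verify error"
# lines; 0 means ok) together with OpenSSL's message for it.
def verify_chain(leaf, presented, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, presented)
  { ok: ok, code: store.error, message: store.error_string }
end

if __FILE__ == $0
  # Server sends only the leaf, client trusts the root: num=20, the pagepeeker.com case.
  p verify_chain(LEAF, [], [ROOT])
  # Server sends leaf + intermediate, client trusts the root: ok, the Google case.
  p verify_chain(LEAF, [INTERMEDIATE], [ROOT])
  # Server sends its whole chain including the root, but the client's CA file
  # does not contain that root: num=19 (self signed certificate in certificate chain).
  p verify_chain(LEAF, [INTERMEDIATE, ROOT], [])
end
```

The three calls map directly onto the s_client runs above: only the second configuration (intermediate sent by the server, root trusted by the client) yields "Verify return code: 0 (ok)".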