我们已将客户端的 openssl 从 升级OpenSSL 1.0.1e-fips到OpenSSL 1.1.1b. 服务器端正在运行Bouncy Castle 1.46。
在OpenSSL 1.0.1e-fips客户端,服务器发送一个如下所示的证书:
PEM
---
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1553073698333 (0x1699a67f61d)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, CN=10.12.204.189
Validity
Not Before: May 21 05:38:35 2019 GMT
Not After : May 20 21:00:00 2049 GMT
Subject:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b7:7f:20:0c:21:a2:7a:79:4f:12:8b:cd:db:92:
b6:76:79:34:34:bc:6a:c0:c9:87:ab:1b:df:e9:a1:
ff:f0:de:6f:15:bd:5e:cb:f3:bf:fb:fd:06:9d:8b:
f1:62:28:48:e0:e1:bd:79:48:f8:53:a0:15:93:65:
c2:b6:b5:88:93:63:a7:47:44:7c:96:84:48:1d:ed:
49:09:0e:10:57:31:60:bb:7a:3b:8b:61:bd:47:3c:
8a:e6:0a:c1:86:f1:75:84:62:5a:05:6a:43:25:7d:
0b:40:33:68:ce:f8:07:71:52:8e:3d:d1:df:57:ee:
23:86:51:7f:d9:3e:0a:f8:19:b8:49:a5:2e:77:8a:
5c:8d:26:f9:3a:94:e0:dc:62:81:47:1b:e5:e4:da:
45:a4:2a:70:ed:61:50:68:b5:0f:b7:5f:d4:cd:36:
3f:85:6f:c8:cb:1b:7b:a0:ec:f1:3c:5e:d4:e0:08:
65:aa:4a:7e:88:05:cc:ac:45:4e:09:f2:36:d9:a9:
96:9f:05:9d:95:e6:37:f8:f7:3c:62:cb:0d:4a:1c:
4e:be:7e:15:d2:50:69:eb:65:16:11:f2:58:03:52:
6f:71:64:26:08:de:50:cc:52:c3:8a:b6:9a:9f:98:
56:6b:0d:85:4a:09:e2:e5:72:3b:cc:77:49:9c:90:
b5:f9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
..........0.. 0.."0
....... .!.zyO......vy44.j...........o..^.........b(H...yH.S...e.....c.GD|..H..I...W1`.z;.a.G<..
...u.bZ.jC%}.@3h...qR.=..W.#.Q..>
.J...r;.wI.........d&..P.R......Vk_..6?.o...{...<^...e.J~....EN..6........7..<b.
Signature Algorithm: sha1WithRSAEncryption
ab:b6:5d:1a:cb:9d:4c:44:6c:50:a5:fd:dc:b7:88:a3:37:51:
d1:aa:7b:a5:75:7b:8f:14:1e:fd:c1:72:c9:9c:a3:51:38:92:
6b:03:68:4d:52:41:df:21:b7:3f:b7:47:5b:36:df:19:5d:6f:
92:e0:b8:2b:8c:de:0c:b0:f1:7d:a5:cf:11:28:a0:a3:84:5f:
1c:e9:01:1b:c8:e6:be:06:81:22:85:c5:cf:de:e1:97:2f:ae:
92:ff:41:69:07:cc:fb:39:c9:5a:47:aa:32:01:8f:9f:9e:c3:
eb:c4:83:97:b1:a9:04:78:d1:a3:57:74:a9:63:96:07:b2:81:
ec:ec:8f:be:32:30:20:af:2d:45:3e:44:48:3c:ab:77:47:18:
0d:a8:0e:ca:60:cf:12:93:82:ea:13:20:82:25:aa:89:3e:15:
83:38:8e:84:47:e0:de:be:87:e3:bf:f2:b1:1c:06:75:9e:3e:
6d:eb:6e:6d:2c:36:76:fe:1a:05:84:8e:ce:1b:36:8b:02:41:
21:22:6e:80:a1:a1:60:d4:93:63:d3:cd:d1:f5:26:16:83:ed:
7b:3c:74:f1:54:2b:64:3f:ae:ee:8f:60:30:e0:1b:0b:38:27:
7a:b0:f8:d0:c2:08:f6:55:7e:a6:97:ee:4f:b6:b9:ca:f6:eb:
60:bc:64:4d
ANS.1
-----
0:d=0 hl=4 l= 990 cons: SEQUENCE
4:d=1 hl=4 l= 710 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 6 prim: INTEGER :01699A67F61D
21:d=2 hl=2 l= 13 cons: SEQUENCE
23:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
34:d=3 hl=2 l= 0 prim: NULL
36:d=2 hl=2 l= 37 cons: SEQUENCE
38:d=3 hl=2 l= 11 cons: SET
40:d=4 hl=2 l= 9 cons: SEQUENCE
42:d=5 hl=2 l= 3 prim: OBJECT :countryName
47:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
51:d=3 hl=2 l= 22 cons: SET
53:d=4 hl=2 l= 20 cons: SEQUENCE
55:d=5 hl=2 l= 3 prim: OBJECT :commonName
60:d=5 hl=2 l= 13 prim: UTF8STRING :10.12.204.189
75:d=2 hl=2 l= 30 cons: SEQUENCE
77:d=3 hl=2 l= 13 prim: UTCTIME :190521053835Z
92:d=3 hl=2 l= 13 prim: UTCTIME :490520210000Z
107:d=2 hl=2 l= 0 cons: SEQUENCE
109:d=2 hl=4 l= 290 cons: SEQUENCE
113:d=3 hl=2 l= 13 cons: SEQUENCE
115:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
126:d=4 hl=2 l= 0 prim: NULL
128:d=3 hl=4 l= 271 prim: BIT STRING
403:d=2 hl=4 l= 311 cons: cont [ 3 ]
407:d=3 hl=4 l= 307 cons: SEQUENCE
411:d=4 hl=4 l= 303 cons: SEQUENCE
415:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
420:d=5 hl=4 l= 294 prim: OCTET STRING [HEX DUMP]:30820122300D06092A864886F70D01010105000382010F003082010A0282010100B77F200C21A27A794F128BCDDB92B676793434BC6AC0C987AB1BDFE9A1FFF0DE6F15BD5ECBF3BFFBFD069D8BF1622848E0E1BD7948F853A0159365C2B6B5889363A747447C9684481DED49090E10573160BB7A3B8B61BD473C8AE60AC186F17584625A056A43257D0B403368CEF80771528E3DD1DF57EE2386517FD93E0AF819B849A52E778A5C8D26F93A94E0DC6281471BE5E4DA45A42A70ED615068B50FB75FD4CD363F856FC8CB1B7BA0ECF13C5ED4E00865AA4A7E8805CCAC454E09F236D9A9969F059D95E637F8F73C62CB0D4A1C4EBE7E15D25069EB651611F25803526F71642608DE50CC52C38AB69A9F98566B0D854A09E2E5723BCC77499C90B5F90203010001
718:d=1 hl=2 l= 13 cons: SEQUENCE
720:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
731:d=2 hl=2 l= 0 prim: NULL
733:d=1 hl=4 l= 257 prim: BIT STRING
在OpenSSL 1.1.1b客户端,服务器发送一个如下所示的证书:
PEM
---
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1553073698340 (0x1699a67f624)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, CN=10.12.204.189
Validity
Not Before: May 21 07:05:20 2019 GMT
Not After : May 20 21:00:00 2049 GMT
Subject:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a6:bc:b2:26:4e:76:9f:0d:40:25:2c:0a:aa:6a:
67:ba:31:fc:09:8b:7d:d1:de:13:73:11:8a:d6:9d:
68:55:b2:74:66:09:9c:b3:db:a0:ab:46:42:5d:ba:
6b:d6:97:3c:fd:88:cf:de:55:8d:bd:74:1c:6e:19:
13:fb:93:86:11:54:55:b6:f5:8d:2f:62:5e:2b:07:
b4:ac:d3:bb:30:51:17:61:56:35:19:5a:cc:f0:f3:
e7:1a:13:f2:5b:f8:45:c5:5b:4c:a9:3a:6a:4b:26:
25:fc:38:4e:be:b2:ac:41:31:52:ee:64:76:7b:fd:
6a:81:87:08:1c:8c:c8:f4:17:3e:58:08:45:90:db:
6e:11:05:8e:48:3a:8d:82:77:63:4e:23:a4:a4:d6:
94:a5:89:1a:91:41:71:c9:e3:76:b8:c3:71:b0:e7:
94:68:04:ee:1f:c9:e6:b1:67:d7:4c:b3:ee:b4:11:
22:f4:36:5f:54:4d:0d:d1:cf:72:d7:73:ed:80:49:
09:ff:a4:e9:93:f6:29:4b:96:b1:59:d2:3c:fe:04:
3a:16:dd:17:49:20:b9:dc:80:42:a4:b6:14:55:1e:
5c:bd:90:bb:fe:14:2a:6a:38:63:f3:09:b1:60:57:
85:f0:58:fe:b6:dd:da:17:4d:58:43:49:ee:49:63:
00:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
..........0.. 0.."0
@%,.....&Nv.
..r.s..I......)K..Y.<..:...I ...B...U.\.....*j8c...`W..X.....MXCI.Ic.O...........[.E.[L.:jK&%.8N...A1R.dv{.j........>X.E..n...H:..wcN#........Aq..v..q...h......g.L....".6_TM
Signature Algorithm: sha1WithRSAEncryption
6d:7a:aa:de:d5:cf:74:6d:3e:b4:04:5f:27:0d:17:cf:2e:eb:
43:f6:a2:5e:9f:c8:f5:2d:10:ec:4b:c2:04:6f:47:f7:3c:30:
3f:46:89:3d:91:a9:fe:60:f5:a6:b7:40:31:59:ec:f1:f8:e1:
ab:36:7b:ce:10:6e:cb:94:05:d6:c9:c2:27:9c:3f:d6:d7:49:
48:4e:83:d1:fc:06:4d:9d:19:11:2a:f9:7c:8b:0f:7e:da:21:
91:de:93:95:16:e0:96:a2:e3:a5:27:bf:dd:ae:ec:1a:25:e2:
59:2c:4f:2c:b6:91:34:4e:46:6b:bc:75:c7:39:58:f4:b4:1a:
c7:d2:cc:ae:59:2c:fd:6f:d7:30:98:ba:f5:8f:eb:f8:dc:62:
f0:48:35:d3:0b:da:ee:b9:6e:20:b8:87:a9:ed:a7:db:38:eb:
86:ed:1d:8d:00:fd:25:7f:fd:37:c7:4a:f3:46:95:94:1c:6f:
46:8e:46:3e:5c:97:1f:11:d3:7e:d4:70:2c:92:e6:4e:6a:40:
d0:bf:0d:48:19:c8:f7:ba:35:b1:62:d4:58:17:fa:7d:e5:12:
af:fe:eb:ac:e6:f4:5e:91:9d:58:c9:1f:1c:a2:32:ff:06:a1:
82:bf:3b:39:e9:27:a7:bc:2b:7c:ab:4d:b2:5c:82:77:2c:c7:
d8:76:10:a4
ASN.1
-----
0:d=0 hl=4 l= 990 cons: SEQUENCE
4:d=1 hl=4 l= 710 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 6 prim: INTEGER :01699A67F624
21:d=2 hl=2 l= 13 cons: SEQUENCE
23:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
34:d=3 hl=2 l= 0 prim: NULL
36:d=2 hl=2 l= 37 cons: SEQUENCE
38:d=3 hl=2 l= 11 cons: SET
40:d=4 hl=2 l= 9 cons: SEQUENCE
42:d=5 hl=2 l= 3 prim: OBJECT :countryName
47:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
51:d=3 hl=2 l= 22 cons: SET
53:d=4 hl=2 l= 20 cons: SEQUENCE
55:d=5 hl=2 l= 3 prim: OBJECT :commonName
60:d=5 hl=2 l= 13 prim: UTF8STRING :10.12.204.189
75:d=2 hl=2 l= 30 cons: SEQUENCE
77:d=3 hl=2 l= 13 prim: UTCTIME :190521070520Z
92:d=3 hl=2 l= 13 prim: UTCTIME :490520210000Z
107:d=2 hl=2 l= 0 cons: SEQUENCE
109:d=2 hl=4 l= 290 cons: SEQUENCE
113:d=3 hl=2 l= 13 cons: SEQUENCE
115:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
126:d=4 hl=2 l= 0 prim: NULL
128:d=3 hl=4 l= 271 prim: BIT STRING
403:d=2 hl=4 l= 311 cons: cont [ 3 ]
407:d=3 hl=4 l= 307 cons: SEQUENCE
411:d=4 hl=4 l= 303 cons: SEQUENCE
415:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
420:d=5 hl=4 l= 294 prim: OCTET STRING [HEX DUMP]:30820122300D06092A864886F70D01010105000382010F003082010A0282010100A6BCB2264E769F0D40252C0AAA6A67BA31FC098B7DD1DE1373118AD69D6855B27466099CB3DBA0AB46425DBA6BD6973CFD88CFDE558DBD741C6E1913FB9386115455B6F58D2F625E2B07B4ACD3BB305117615635195ACCF0F3E71A13F25BF845C55B4CA93A6A4B2625FC384EBEB2AC413152EE64767BFD6A8187081C8CC8F4173E58084590DB6E11058E483A8D8277634E23A4A4D694A5891A914171C9E376B8C371B0E7946804EE1FC9E6B167D74CB3EEB41122F4365F544D0DD1CF72D773ED804909FFA4E993F6294B96B159D23CFE043A16DD174920B9DC8042A4B614551E5CBD90BBFE142A6A3863F309B1605785F058FEB6DDDA174D584349EE4963004F0203010001
718:d=1 hl=2 l= 13 cons: SEQUENCE
720:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
731:d=2 hl=2 l= 0 prim: NULL
733:d=1 hl=4 l= 257 prim: BIT STRING
如果您问我,它们非常相似,但我们现有的未更改流程在调用时失败:
SSL_CTX_use_certificate_chain_file(ssl_ctx, "certificate.crt");
来自 openssl 的错误消息是:
error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
我们是否应该以不同的方式签署证书?或者改变一些其他领域?
哪个标签出错了?
编辑添加了证书的 PEM 格式。服务器根本不使用openssl,它在java中使用Bouncy Castle 1.46
非常感谢!