Ssl
為什麼 openssl s_client 和 gnutls-cli 提供不同的證書(自己的伺服器)
在我的伺服器上,我有多個帶有 apache2 的虛擬主機。一些域名為 *.example-one.org,一些域名為 *.example-two.org。每個域都有自己的萬用字元證書。
當我通過輸出獲取證書時
openssl s_client是這樣的:$ openssl s_client -connect sub.example-one.org:443 CONNECTED(00000003) [...] CN = *.example-two.org, emailAddress [...] verify error:num=18:self signed certificate verify return:1 [...] CN = *.example-two.org, emailAddress [...] verify return:1 --- [...] Verify return code: 18 (self signed certificate) ---與
gnutls-cli$ gnutls-cli -p 443 sub.example-one.org Processed 164 CA certificate(s). Resolving 'sub.example-one.org'... Connecting to '14x.xxx.xxx.xxx:443'... - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `[...]CN=*.example-one.org[...]', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-07-11 12:30:31 UTC', expires `2015-07-11 12:30:31 UTC', SHA-1 fingerprint `94ddfd0d74e0352521af511c1d08c71e5314fae4' [...] - Status: The certificate is NOT trusted. The certificate issuer is unknown. *** Verifying server certificate failed... *** Fatal error: Error in the certificate. *** Handshake has failed GnuTLS error: Error in the certificate.(我已將輸出縮短為“
$$ … $$") Firefox 獲取(作為 gnutls)正確的證書……
為什麼會有差異?
如果您在同一 IP 地址後面使用多個證書,則必須使用 SNI(伺服器名稱指示)。雖然瀏覽器預設執行此操作,gnutls 也可能執行此操作,但 s_client 不執行此操作,您必須使用
openssl s_client -servername sub.example.org -connect ...