Using openssl to verify that the SSL certificate configured for HTTPS works correctly

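openssl can establish an SSL connection to a server and print details about it; from that output you can tell whether the connection was set up normally. When an application's client keeps reporting errors while accessing a server over HTTPS and the cause cannot be found, you can use openssl to simulate the client request, establish the SSL connection and print the details to locate the reason for the failure.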

1. SSL verification failure example

openssl s_client -connect server:443

Here, server is the server's domain name or IP address.

# openssl s_client -connect otp.com:443       
CONNECTED(00000003)
depth=0 CN = otp.com, subjectAltName = "DNS:otp.com,DNS:mail.otp.com,DNS:WIN-IRDSVJO3UTT.otp.com,DNS:autodiscover.otp.com"
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = otp.com, subjectAltName = "DNS:otp.com,DNS:mail.otp.com,DNS:WIN-IRDSVJO3UTT.otp.com,DNS:autodiscover.otp.com"
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = otp.com, subjectAltName = "DNS:otp.com,DNS:mail.otp.com,DNS:WIN-IRDSVJO3UTT.otp.com,DNS:autodiscover.otp.com"
verify return:1
---
Certificate chain
 0 s:CN = otp.com, subjectAltName = "DNS:otp.com,DNS:mail.otp.com,DNS:WIN-IRDSVJO3UTT.otp.com,DNS:autodiscover.otp.com"
   i:C = cn, ST = bj, L = bj, O = ft, CN = otp.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = otp.com, subjectAltName = "DNS:otp.com,DNS:mail.otp.com,DNS:WIN-IRDSVJO3UTT.otp.com,DNS:autodiscover.otp.com"

issuer=C = cn, ST = bj, L = bj, O = ft, CN = otp.com

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1592 bytes and written 431 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 4737CE4AD984C6F94284B5557098798759250FA2D54C736772134B26D87C2B53
    Session-ID-ctx: 
    Master-Key: 258A8B01F4ED39E3D482F000B1072697C4F35009AA01E6ADB3A69E2A606F1B5B3A073AB6FD87B86C488DC67D54955C14
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1730034073
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
closed

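The output contains Verify return code: 21 (unable to verify the first certificate), which indicates that the client hit an error while verifying the server's certificate. After verification failed, the client closed the connection itself.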

2. SSL verification success example

openssl s_client -connect server:443

# openssl s_client -connect www.baidu.com:443 
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
verify return:1
depth=0 C = CN, ST = beijing, L = beijing, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com
verify return:1
---
Certificate chain
 0 s:C = CN, ST = beijing, L = beijing, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
 2 s:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = CN, ST = beijing, L = beijing, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com

issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5414 bytes and written 437 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 2D3AA0072F0C633703E65D8C3ADF644C41221A48B57289DBCE04191B000D5288
    Session-ID-ctx: 
    Master-Key: 086B2B73EA1187F084EFF300481A434532BC78FEEBE78DE7BB758EB7F1AC620A42444AE291A20D38E90C5F48C15DE16A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:

    Start Time: 1730034479
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

The verification result is Verify return code: 0 (ok), which means verification succeeded.

The SSL connection was established successfully.

3. Printing the certificate chain

openssl s_client -connect www.baidu.com:443 -showcerts

# openssl s_client -connect www.baidu.com:443 -showcerts
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
verify return:1
depth=0 C = CN, ST = beijing, L = beijing, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com
verify return:1
---
Certificate chain
 0 s:C = CN, ST = beijing, L = beijing, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=C = CN, ST = beijing, L = beijing, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com

issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5414 bytes and written 437 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 6512422ADBC7929E785329587F0103448F6FCB6F382ADAE88C8F69DB795EEE77
    Session-ID-ctx: 
    Master-Key: D22D231213A576E6AA1B9C407A1E29851844E20D30D2146D48108959B8D8AF8140D632844B12D2B0631766201C25D97F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:

    Start Time: 1730034644
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

4. nginx certificate chain configuration

In nginx, you need to configure ssl_certificate and ssl_certificate_key, and include the intermediate certificates:

server {
    listen 443 ssl;
    server_name your.exchange.server;

    ssl_certificate /path/to/fullchain.pem; # contains the server certificate and all intermediate certificates
    ssl_certificate_key /path/to/privatekey.pem;

    # other configuration directives
}

Here, fullchain.pem should contain the complete certificate chain, that is, the server certificate plus all intermediate certificates.

5. Common causes of Verify return code: 21

Verify return code: 21 (unable to verify the first certificate)

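Missing intermediate certificates: the server does not provide the complete certificate chain; it sends only the server certificate without the required intermediate certificates, so the client cannot verify the integrity of the server certificate.

Self-signed certificate: the server uses a self-signed certificate that the client does not trust.

Certificate not issued by a trusted certificate authority (CA): the server certificate was issued by a CA that the client does not trust.

Certificate expired or invalid: the server certificate has expired or is considered invalid during verification.

Client is missing the root certificate: the client system lacks the corresponding root certificate and cannot verify the validity of the server's certificate chain.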
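
Added example (not from the original article): a small shell function that reads saved openssl s_client output and separates the causes listed above by looking at the Certificate chain section together with the Verify return code. The function name, the verdict labels and the two sample inputs (trimmed from the outputs in sections 1 and 2) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: classify saved `openssl s_client` output (read on stdin).
# Prints one line: code=<n> certs_sent=<k> verdict=<label>
diagnose_s_client() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0; next }
    # Chain entries: " N s:<subject>" followed by "   i:<issuer>".
    in_chain && /^ *[0-9]+ s:/ {
      sent++; sub(/^ *[0-9]+ s:/, "")
      if (sent == 1) leaf_subject = $0
      next
    }
    in_chain && /^ *i:/ {
      sub(/^ *i:/, "")
      if (sent == 1) leaf_issuer = $0
      next
    }
    /Verify return code:/ { code = $4; seen = 1 }
    END {
      if (!seen) verdict = "no-verify-line"
      else if (code == 0) verdict = "ok"
      else if (sent == 1 && leaf_subject == leaf_issuer) verdict = "self-signed-leaf"
      else if (sent == 1) verdict = "leaf-only-chain"   # no intermediates sent
      else verdict = "chain-sent-but-untrusted"         # check the client trust store
      printf "code=%s certs_sent=%d verdict=%s\n", code, sent, verdict
    }'
}

# Sample inputs: trimmed and abbreviated from the outputs in sections 1 and 2.
sample_fail() { cat <<'EOF'
Certificate chain
 0 s:CN = otp.com, subjectAltName = "DNS:otp.com,DNS:mail.otp.com"
   i:C = cn, ST = bj, L = bj, O = ft, CN = otp.com
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}
sample_ok() { cat <<'EOF'
Certificate chain
 0 s:C = CN, ST = beijing, L = beijing, CN = baidu.com
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
 2 s:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
    Verify return code: 0 (ok)
EOF
}
sample_fail | diagnose_s_client
sample_ok | diagnose_s_client
```

To check a live endpoint, pipe `openssl s_client -connect server:443 </dev/null 2>/dev/null` into diagnose_s_client; a leaf-only-chain verdict points at the ssl_certificate file from section 4 lacking the intermediate certificates, or at an issuing CA the client does not know.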

