使用自签名证书
我只是想了解 SSL。
我已经在本地主机上设置了 Jetty 服务器,并使用 密钥工具。
现在,当我转到 https://localhost:8443/ 时,出现“无法信任此证书”错误。
我用
keytool -export -alias pongus -keystore keystore -file certfile.cer
创建证书,我认为这是客户端与服务器进行身份验证所需的证书。 (这就是我可能错的地方!)
我有以下 ruby 代码:
require 'net/https'
require 'openssl'
require 'open-uri'
puts 'yay' if File.exists?('certfile.cer')
uri = URI.parse("https://localhost:8443/")
http_session = Net::HTTP.new(uri.host, uri.port)
http_session.use_ssl = true
http_session.verify_mode = OpenSSL::SSL::VERIFY_PEER
http_session.ca_file = 'certfile.cer'
res = http_session.start do |http|
# do some requests here
http.get('/')
end
这确实打印“yay”,因此 certfile.cer 文件确实存在。
但我收到错误
/Applications/NetBeans/NetBeans 6.8.app/Contents/Resources/NetBeans/ruby2/jruby-1.4.0/lib/ruby/1.8/net/http.rb:586 warning: can't set verify locations
/Applications/NetBeans/NetBeans 6.8.app/Contents/Resources/NetBeans/ruby2/jruby-1.4.0/lib/ruby/1.8/net/http.rb:586:in `connect': certificate verify failed (OpenSSL::SSL::SSLError)
任何想法我做错了什么?
编辑
我想得到它,所以我保证我连接到正确的服务器,并且服务器可以保证是我连接到它,中间没有任何篡改。我正在开发服务器和客户端。
I am just trying to get my head around SSL.
I have set up a Jetty server on my localhost, and generated my own certificate using Keytool.
Now when I go to https://localhost:8443/ I get the can't trust this certificate error.
I use
keytool -export -alias pongus -keystore keystore -file certfile.cer
To create the certificate which I think is what the client needs to authenticate with the server. (This is where I could be very wrong!)
I have the following ruby code :
require 'net/https'
require 'openssl'
require 'open-uri'
puts 'yay' if File.exists?('certfile.cer')
uri = URI.parse("https://localhost:8443/")
http_session = Net::HTTP.new(uri.host, uri.port)
http_session.use_ssl = true
http_session.verify_mode = OpenSSL::SSL::VERIFY_PEER
http_session.ca_file = 'certfile.cer'
res = http_session.start do |http|
# do some requests here
http.get('/')
end
This does print 'yay', so the certfile.cer file does exist.
But I get the errors
/Applications/NetBeans/NetBeans 6.8.app/Contents/Resources/NetBeans/ruby2/jruby-1.4.0/lib/ruby/1.8/net/http.rb:586 warning: can't set verify locations
/Applications/NetBeans/NetBeans 6.8.app/Contents/Resources/NetBeans/ruby2/jruby-1.4.0/lib/ruby/1.8/net/http.rb:586:in `connect': certificate verify failed (OpenSSL::SSL::SSLError)
Any ideas what I am doing wrong?
EDIT
I want to get it so I guarantee that I am connecting to the right server, and the server can guarantee that it is me connecting to it, without any tampering in between. I am developing both the server and the client.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您不需要私钥来验证服务器证书。您所需要的只是包含公钥的证书本身。只有服务器拥有私钥。这里有很好的描述 http://www.helpbytes.co.uk/https.php 和这里 http://www.verisign.com/ssl /ssl-information-center/how-ssl-security-works/
我的建议很简单。检查您的证书是否正确。
此外,如果您有权访问服务器,您可以明确验证证书和密钥(在 httpd 配置中使用)是否正确(匹配): http://kb.wisc.edu/middleware/page.php?id=4064 请注意,这是在服务器上运行的显式检查。切勿泄露私钥。此检查只能由管理员完成,以验证 httpd 是否配置错误。
您还可以使用标准 openssl 命令调试 SSL 证书通信。发出此命令,然后等待几秒钟,然后键入 QUIT 并按 Enter 键。您将看到服务器发送的证书。
另外尝试将证书导入到浏览器中并访问 URL 资源。浏览器可以通过单击 https(Firefox 和 Chrome)来验证它。然后您将看到证书本身和有效性信息。
以上都是关于服务器证书的内容。这只是问题的一部分。 “我正在连接到正确的服务器,并且服务器可以保证是我连接到它”实际上,在上面的代码中,您只检查服务器证书。现在。如果您想要一个客户端证书(声明的第二部分),那么您在 Ruby 中需要这个:
这就是在 Ruby 中使用客户端证书的方式。如果您的私钥使用密码加密,只需在 RSA 构造函数的第二个参数中传递它而不是 nil 。
我强烈建议让服务器证书正常工作(您的代码),然后从客户端证书开始。请注意,您保留当前的代码(ca_cert,验证常量)并向其中添加上述四行。
希望这有帮助。
You dont need the private key for server certificate verification. All you need is the certificate itself which contains the public key. Only the server has the private key. Well described here http://www.helpbytes.co.uk/https.php and here http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/
My recommendation is simple. Check your certificate is correct.
Also if you have access to the server you can explicitely validate if the certificate and key (used in httpd configuration) are correct (matches): http://kb.wisc.edu/middleware/page.php?id=4064 Please note this is explicit check ran on server. Never give out the private key. This check can be done only by the administrator to verify if the httpd was not misconfigured.
You can also debug the SSL certificate communication using standard openssl command. Issue this command then wait few seconds and then type QUIT and hit enter. You will see the certificate the server sends out.
Also try to import the certificate to your browser and access the URL resource. Browser is able to validate it by clicking on https (Firefox and Chrome). Then you will see the certificate itself and validity information.
All the above was all about the server certificate. This is only one part of the problem. "I am connecting to the right server, and the server can guarantee that it is me connecting to it" Actully in your code above you only check for the server cert. Now. If you want a client certificate (the second part of your statement) than you need this in Ruby:
This is how client cert should be used in Ruby. If your private key is encrypted with a password just pass it instead nil in the second argument of RSA constructor.
I highly recommend to get server certificate working (your code) and then start with client certificate. Please note you keep your current code (ca_cert, validation constant) and add the above four lines to it.
Hope this helps.
您的客户端需要访问其私钥。私钥不在证书中,证书只包含公钥。抱歉,我不了解 ruby,但一种常见的技术是将私钥和证书捆绑在单个 PKCS#12(又名 p12)文件中并将其提供给加密库。
Your client needs access to its private key. The private key is not in the certificate, the certificate only contains the public key. Sorry, I don't know ruby, but a common technique is to bundle the private key and certificate in a single PKCS#12, aka p12, file and supply this to the crypto library.
更改
为
执行此操作后,SSL 将正常工作。我在我的开发环境中多次使用过它,总是完美地工作。
Change
to
Once you do that, the SSL will work properly. I have used this multiple times in my development environments, always works flawlessly.