我有一個非常古老的遺留專案,它的 Web API,我真的需要呼叫它(它托管在 Windows Server 2012 上)。此 API 要求在請求中包含.p12預制客戶端證書,我有一個。
它僅適用于 https 并且具有奇怪的證書。
如果我在 Windows 10 上除錯我的.net 6專案(使用 呼叫RestSharp)- 沒關系,但是Ubuntu 22.04 LTS我有問題。
添加TLSv1.0或TLSv1.1或TLSv1.2支持/etc/ssl/openssl.cnf不起作用。
Curl -k 或 --insecure 不起作用。
root@nginx:/home/xxx# curl -vvv https://192.168.201.111:44301/api/
* Trying 192.168.201.111:44301...
* Connected to 192.168.201.111 (192.168.201.111) port 44301 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:0A000102:SSL routines::unsupported protocol
* Closing connection 0
curl: (35) error:0A000102:SSL routines::unsupported protocol
還有:
root@nginx:/home/xxx# openssl s_client -connect 192.168.201.111:44301
CONNECTED(00000003)
40A77EF2787F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1952:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 58 bytes and written 300 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
請幫我禁用此證書驗證。
UPD
在 C# 中,我做這樣的事情來配置 RestClient (在 Windows 上它作業正常,但在 ubuntu 上它失敗):
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
ServicePointManager.ServerCertificateValidationCallback = (s, ce, ca, p) => true;
FileInfo certFile = new (certFileName);
if (certFile.Exists is false) throw new FileNotFoundException("Certificate file not found");
X509Certificate2Collection certificates = new X509Certificate2Collection();
certificates.Import(certFile.FullName, certPassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
ServicePointManager.ServerCertificateValidationCallback = (_, _, _, _) => true;
var options = new RestClientOptions(baseUrl)
{
FollowRedirects = true,
ClientCertificates = certificates,
RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true
};
Client = new RestClient(options);
UPD2
root@nginx:/home/xxx# openssl s_client -tls1 -cipher 'DEFAULT:@SECLEVEL=1' -connect 192.168.201.111:44301
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = ORGANIZATION
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 CN = ORGANIZATION
verify return:1
depth=0 CN = OFFICE1
verify return:1
405744F5247F0000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:../ssl/statem/statem_clnt.c:2248:
---
Certificate chain
0 s:CN = OFFICE1
i:CN = ORGANIZATION
a:PKEY: rsaEncryption, 1024 (bit); sigalg: RSA-SHA512
v:NotBefore: Sep 26 12:10:32 2018 GMT; NotAfter: Sep 23 12:10:32 2028 GMT
1 s:CN = ORGANIZATION
i:CN = ORGANIZATION
a:PKEY: rsaEncryption, 1024 (bit); sigalg: RSA-SHA1
v:NotBefore: Sep 26 12:10:29 2018 GMT; NotAfter: Sep 23 12:10:29 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
(i replace cert with *)
*************************************************
*************************************************
*************************************************
*************************************************
*************************************************
*************************************************
*************************************************
*************************************************
-----END CERTIFICATE-----
subject=CN = OFFICE1
issuer=CN = ORGANIZATION
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1657 bytes and written 111 bytes
Verification error: self-signed certificate in certificate chain
---
New, (NONE), Cipher is (NONE)
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1654443076
Timeout : 7200 (sec)
Verify return code: 19 (self-signed certificate in certificate chain)
Extended master secret: no
---
uj5u.com熱心網友回復:
... routines:ssl_choose_client_version:unsupported protocol: ... ...請幫我禁用此證書驗證。
該錯誤與證書驗證無關,但與 TLS 協議版本有關。可以通過以下方式強制實施 TLS 1.0
openssl s_client -tls1 -cipher 'DEFAULT:@SECLEVEL=1' ...
此 API 要求在請求中包含 .p12 預制客戶端證書,我有一個。
您還需要添加客戶端證書:
openssl s_client -cert cert.p12 -inform p12 ...
verify error:num=19:self-signed certificate in certificate chain
您需要添加 CA
openssl s_client -CAfile ca.pem ...
CA 不是由服務器發送的,因此您必須詢問負責人才能獲得 CA。
轉載請註明出處,本文鏈接:https://www.uj5u.com/houduan/487024.html