使用VeriSign G5连接到SSL时出现问题

debugcn 发表于 Dev

亚历克斯

我已经为此苦苦挣扎了好几天，并且已经搜索了好几天。我正在尝试api-3t.sandbox.paypal.com:443从我的AWS EC2实例连接到。该实例是Windows Server 2012 R2。我已经安装了openssl来尝试和调试。在“受信任的根证书颁发机构”下，我可以VeriSign Class 3 Public Primary Certification Authority - G5 7/16/2036在其中看到。我的开发机器上也安装了openssl。

如果我openssl s_client -connect api-3t.sandbox.paypal.com:443在开发机上运行，则返回Verify return code: 0 (ok)。如果我在EC2实例中运行同一行，则会返回一个Verify return code: 20 (unable to get local issuer certificate)

然后，我下载了如下的G5证书：

----- BEGIN CERTIFICATE ----- MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1 nmAMqudLO07cfLw8RRy7K + d + KQL5VwijZIUVJ / XxrcgxiV0i6CqqpkKzj / i5Vbext0uz / O9 + B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6 / WhkcIz SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG BO + QueQA5N06tRn / Arr0PO7gi + S3I + z016zy9vA9r911kTMZHRxAy3QkGSGT2RT + rCpSx4 / VBEnkjWNHiDxpg8v + R70rfk / Fla4OndTRQ8Bnc + MUCH7lP59zuDMKz10 / NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH / BAUwAwEB / zAOBgNVHQ8BAf8E BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH BgUrDgMCGgQUj + XTGoasjY5rw8 + AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH / TZafC3ey78DAJ80M5 + GKV MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE p6B4Eq1iDkVwZMXnl2YtmAl + X6 / WzChl8gGqCBpH3vn5fJJaCGkgDdk + bW48DW7Y 5gaRQBi5 + MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK WE9gyn6CagsCqiUXObXbf + eEZSqVir2G3l6BFoMtEMze / aiCKm0oHw0LxOXnGiYZ 4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8NhnacRHr2lVz2XTIIM6RUthg / aFzyQkqFOFSDX9HoLPKsEdao7WNq -----结束证书-----

而就在EC2实例我遇到以下情况：openssl s_client -CAfile g5.cer -connect api-3t.sandbox.paypal.com:443和反应是Verify return code: 0 (ok)

因此，当我将证书传递给openssl时，它可以正常工作。但是，当它尝试在密钥库中找到它时，它将失败。

我按照以下说明安装证书：http : //www.sqlservermart.com/HowTo/Windows_Import_Certificate.aspx

谁能提供帮助以引导我朝正确的方向发展？我需要对AWS做些特定的事情吗？

- - 编辑。这是尝试更改策略后的输出

C:\>openssl s_client -connect api-3t.sandbox.paypal.com:443
Loading 'screen' into random state - done
CONNECTED(0000013C)
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=PayPal Production/CN=api-3t.sandbox.paypal.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGiDCCBXCgAwIBAgIQSmPFPGKFy6vVcS32CMWsdDANBgkqhkiG9w0BAQsFADB+
MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVj
IENsYXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MB4XDTE2MDExNDAwMDAwMFoX
DTE4MDExNDIzNTk1OVowgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y
bmlhMREwDwYDVQQHDAhTYW4gSm9zZTEVMBMGA1UECgwMUGF5UGFsLCBJbmMuMRow
GAYDVQQLDBFQYXlQYWwgUHJvZHVjdGlvbjEiMCAGA1UEAwwZYXBpLTN0LnNhbmRi
b3gucGF5cGFsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANXB
QRl1wRXByqGLGt64dqkOJ8srJSPcqYwjA+KL3JuSmWKgvHUKg581H5p6/aX5BD92
ZmMLMrE3gtQnQU9cfatkw7+sFNtDDXh4gJhNAWz1Mw7VuDTRzk4N0YcO55Wy2WQ4
/Z2fYHfL6IoohXfqtYdFY1JzOXkqunPfhsSOKTb03Lf2k4hniwoMVsn8rOSBklNZ
6knC4iiaEOpo/EGtYylbpnoRg1aQP+1Oyc+bwG1LPT64XZA/4frcm1gKnFYBYtRM
RKBmQsF88SjSNUP9DiriHiD8tXryy2xAoQml+bfkslb5FJYLP7xmncQaXQRk/YUo
ehdW8Git3BQpwNZS9f0CAwEAAaOCAvEwggLtMCQGA1UdEQQdMBuCGWFwaS0zdC5z
YW5kYm94LnBheXBhbC5jb20wCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGEGA1UdIARaMFgwVgYGZ4EMAQIC
MEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUF
BwICMBkaF2h0dHBzOi8vZC5zeW1jYi5jb20vcnBhMB8GA1UdIwQYMBaAFF9gz2GQ
Vd+EQxSKYCqy9Xr0QxjvMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9zcy5zeW1j
Yi5jb20vc3MuY3JsMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDov
L3NzLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL3NzLnN5bWNiLmNvbS9z
cy5jcnQwggF/BgorBgEEAdZ5AgQCBIIBbwSCAWsBaQB2AN3rHSt6DU+mIIuBrYFo
cH4ujp0B1VyIjT0RxM227L7MAAABUkI8Bj4AAAQDAEcwRQIhAIHuCBevjKTfgyu3
p69luk4DBTOJjBozTsnJIs+dVS7NAiASjAaBPD/bGWGXC8bayAREXvuPSr0W+xU0
l0T6Kaje9wB3AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABUkI8
Bn8AAAQDAEgwRgIhAPIWGT/KdSkWSlR3SzPA6O+sP16mpF9Mc/8BBKhAck0WAiEA
u/ie0GvZ8wctdK8OhOnOUUQvQ8njBqd7l5s2GfRWymMAdgBo9pj4H2SCvjqM7rko
HUz8cVFdZ5PURNEKZ6y7T0/7xAAAAVJCPAZmAAAEAwBHMEUCIHkB7wZfWQPm+ZCP
cUAOQwutIiMSXmKFUM9GiHzJ72VoAiEAh+44zz2mRc/NcwTvQsW1BQcjL12y8gji
UBJgtrlwZq4wDQYJKoZIhvcNAQELBQADggEBAEKkutMm4VqebHi49Zw35dFStnRb
RD9sUIpFvuvSCTnvM0uwFGHa01hoH6XCk0mQf7Hlv8eUjQCYEjq/yOy/qd1D/0FG
pG5QYXpiiB1rfJyGSTps6TMsSzhGJwZt6e7ZNJ29uGBvfaYi5S+qbxqUkEUIOoeE
+K77MUD5ouwN6mm3azvemVMoJEPwjbVUZZwfLlxBQbwX4C2Kdihrn/r+AkeYiLej
Q+1pdnXz9Hwj3SM+uZWpu8f7kbczSWsuQmSV4gparNkOTjk5TwJvyrS3z+DQW674
FdfkrYmxqiiaELhsMPhRyjKce5HA2ol1GsnJ0IJCPjJc2o40IiL1AL552eA=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=PayPal Production/CN=api-3t.sandbox.paypal.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 3524 bytes and written 423 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 9E01CD86FA9CB07DAD505F17E34C099B2E4C8B85126C68DCF2946F8859FF6435
    Session-ID-ctx:
    Master-Key: 4BF94BD3EBEE701226ABD3B2344F6B325F21218761D755B02EA6B00FE90866396A9A317A59729D166A1B970AD8D3903B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1455312915
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

这是我的设置的屏幕截图：

pp_pduan

如果要使用OpenSSL lib开发应用程序，而不是使用Win Server OS内置的信任库（因为操作系统中的默认信任库可能并不总是最新的），则可以使用另一种方法来构建来自Curl项目HERE的信任存储（Curl提供来自Mozilla的隐私增强邮件（PEM）格式的定期更新的转换，您可以直接使用，并且还包含Verisign Root软件包，包括G5-G4-G3根证书），这个案例）

还有更多步骤来检查您的OpenSSL，

检查您的OpenSSL证书捆绑包的存储位置，运行openssl version -a ，它将报告使用的目录：

OpenSSL 1.0.2e 3 Dec 2015
built on: reproducible build, date unspecified
platform: Cygwin-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
...
OPENSSLDIR: "/usr/ssl"

检查目录OPENSSLDIR: "/usr/ssl"并certs在该目录下查找dir

您还可以在此处检查版本，以确保安装了1.0.1e或更高版本以支持TLSv1.2，这是PayPal API端点升级要求的另一部分

将其替换为tls-ca-bundle.pem您从Curl项目下载的内容（Mozilla证书捆绑包）

本文收集自互联网，转载请注明来源。

如有侵权，请联系[email protected] 删除。

编辑于2021-06-16

我来说两句

0条评论

登录后参与评论

来自分类Dev

Related 相关文章

文章