主页 / server / 问题 / 72580
Accepted
Etienne Dechamps
Asked: 2009-10-09 07:35:33 +0800 CST

OpenSSL:证书签名失败错误

  • 772

我正在尝试获取La Banque Postale 的网站

$ wget https://www.labanquepostale.fr/
--2009-10-08 17:25:03--  https://www.labanquepostale.fr/
Resolving www.labanquepostale.fr... 81.252.54.6
Connecting to www.labanquepostale.fr|81.252.54.6|:443... connected.
ERROR: cannot verify www.labanquepostale.fr's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA':
  certificate signature failure
To connect to www.labanquepostale.fr insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

我正在使用 Debian Sid。在另一台运行 Debian Sid 且软件版本相同的机器上,该命令运行良好。ca-certificates安装在两台机器上(我尝试删除它并重新安装它,以防证书以某种方式损坏,没有运气)。

在同一台机器上在 Iceweasel 中打开https://www.labanquepostale.fr/效果很好。

附加信息:

$ openssl s_client -CApath /etc/ssl/certs -connect www.labanquepostale.fr:443
CONNECTED(00000003)
depth=3 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=7:certificate signature failure
verify return:0
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=FR/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=421100645/C=FR/postalCode=75006/ST=PARIS/L=PARIS/streetAddress=115 RUE DE SEVRES/O=LA BANQUE POSTALE/OU=DISF2/CN=www.labanquepostale.fr
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
<base64-encoded certificate removed for lisibility>
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=FR/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=421100645    /C=FR/postalCode=75006/ST=PARIS/L=PARIS/streetAddress=115 RUE DE SEVRES/O=LA BANQUE POSTALE/OU=DISF2/CN=www.labanquepostale.fr
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 5101 bytes and written 300 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 0009008CB3ADA9A37CE45B464E989C82AD0793D7585858584ACE056700035363
    Session-ID-ctx: 
    Master-Key: 1FB7DAD98B6738BEA7A3B8791B9645334F9C760837D95E3403C108058A3A477683AE74D603152F6E4BFEB6ACA48BC2C3
    Key-Arg   : None
    Start Time: 1255015783
    Timeout   : 300 (sec)
    Verify return code: 7 (certificate signature failure)
---

知道我为什么得到certificate signature failure吗?好像这还不够奇怪,复制粘贴输出中提到的“服务器证书”并openssl verify在其上运行返回OK......

ssl-certificate

3 个回答

  1. 确实很好奇。您的系统时间(1255015783)似乎是合理的......

    我碰巧有 OpenSSL 源代码树,所以我查找了返回代码“7”(#define 是X509_V_ERR_CERT_SIGNATURE_FAILURE),确切的原因并不能从代码中立即清楚,需要进一步跟踪。

    • 0
  2. Best Answer

    问题消失了。可能一些更新修复了它。

    • 0

  3. 很可能是文件权限问题。openssl s_server 和 s_client 工作正常,但 sendmail,例如生成:

    verifymsg=证书签名失败

    直到我 chmod 640 /etc/ssl/CA/*

    • 0

相关问题