我正在使用有效的证书,但我无法获得客户端证书。lighttpd 服务失败并出现错误:
(connections-glue.c.200) SSL: 1 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
我的配置是这样的:
$SERVER["socket"] == ":443" {
protocol = "https://"
ssl.engine = "enable"
ssl.disable-client-renegotiation = "enable"
#server.name = "mywebsite.com"
ssl.pemfile = "/etc/lighttpd/ssl/mywebsite.com.pem"
ssl.ca-file = "/etc/lighttpd/ssl/mywebsite.com.csr"
ssl.ec-curve = "secp384r1"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
# HSTS(15768000 seconds = 6 months)
#setenv.add-response-header = (
# "Strict-Transport-Security" => "max-age=15768000;"
#)
#ask for client cert
ssl.verifyclient.exportcert = "enable"
ssl.verifyclient.activate = "enable"
ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
ssl.verifyclient.enforce = "enable"
ssl.verifyclient.depth = 3
}
}
ssl.ca 文件读取内容,您可以在此处调用任何文件类型,即使是 .txt 文件,如果内容是证书或证书链,对于 lighttpd 都没关系。
当您启用 ssl.verifyclient.activate 时,lighttpd 将请求在 ca 文件中具有根 CA 证书的证书。
如果我想使用第 3 方证书,例如 ICP-Brazil,它是所有个人证书的根。该证书由该实体签署,证明您是真正的您,并且在您的法庭上具有法律效力。ICP-Brazil 目前有 5 个版本的根证书,因此如果系统应该支持旧证书(可能有效期为 6 年),这意味着您需要在 ssl.ca-file 中放置多个证书。如此处所述:https ://schnouki.net/posts/2014/08/12/lighttpd-and-ssl-client-certificates/
关于错误:
发生这种情况是因为一些原因:
所以我得出的结论是,这并不是真正需要纠正的错误,而是 ssl 握手技术的局限性。