SSL协议确实有一个警报代码,用于通知CA未知的时间...您可以使用类似tshark的方法检测到它。
但更有用的是知道如何避免该问题。在Apache中,确保您具有以下三个指令:
SSLCertificateFile /etc/pki/tls/certs/myserver.cert
SSLCertificateKeyFile /etc/pki/tls/private/myserver.key
SSLCertificateChainFile /etc/pki/tls/certs/myserver.ca-bundle
给文件名的扩展名对Apache并不重要。在这种情况下,SSLCertificateFile将是带有服务器主题的单个X.509证书,而SSLCertificateChainFile将是中间和根CA证书的串联(从根开始)。
这是一个有用的脚本,可帮助您探索PEM编码中的证书链。
#!/bin/bash
#
# For an input of concatenated PEM ("rfc style") certificates, and a
# command-line consisting of a command to run, run the command over each PEM
# certificate in the file. Typically the command would be something like
# 'openssl x509 -subject -issuer'.
#
# Example:
#
# ssl-rfc-xargs openssl x509 -subject -issuer -validity -modulus -noout < mynewcert.pem
#
sed -e 's/^[ \t]*<ds:X509Certificate>\(.*\)$/-----BEGIN CERTIFICATE-----\n\1/' \
-e 's/^[ \t]*<\/ds:X509Certificate>[ \t]*$/-----END CERTIFICATE-----\n/' \
-e 's/^\(.*\)<\/ds:X509Certificate>[ \t]*$/\1\n-----END CERTIFICATE-----\n/' \
| gawk -vcommand="$*" '
/^-----BEGIN /,/^-----END / {
print |& command
}
/^-----END / {
while ((command |& getline results) > 0) {
print results
}
close(command)
}
'
(此特定脚本也用于特定的XML应用程序,这是开始处的sed位应支持的内容;有趣的位由gawk完成。)
这是如何使用它的示例(例如确定CA捆绑包中的证书顺序正确-有时很重要)
$ openssl s_client -connect google.com:443 -showcerts </dev/null 2>&1 | ssl-rfc-xargs openssl x509 -subject -issuer -noout
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
issuer= /C=US/O=Google Inc/CN=Google Internet Authority G2
subject= /C=US/O=Google Inc/CN=Google Internet Authority G2
issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
subject= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer= /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
请注意,一张证书的颁发者与父母的主题相邻[在下面]
这是如何使用该脚本检查本地文件的另一个示例。
$ < /etc/pki/tls/certs/example.ca-bundle ssl-rfc-xargs openssl x509 -subject -issuer -noout