$ openssl s_client -connect www.verisign.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Infrastructure Operations /CN=www.verisign.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Infrastructure Operations /CN=www.verisign.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 5430 bytes and written 518 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2F34B55CEBC134802617285A5BB8119BD914D3180158DD9FB3FD6386C7AC1679
Session-ID-ctx:
Master-Key: A8CE8B9A45E6685ABFE144BF8A7DF285183EF4828F5E1231C452C0B895715D774CBF3733B7C3B9495060F6B034E84EF8
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
Start Time: 1392865536
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
怪我咯 2017-05-16 17:05:54
Copy out the "Server certificate" section, that is,
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
and save it as CA.cert
openssl s_client -CAfile CA.cert -connect www.verisign.com:443
伊谢尔伦 2017-05-16 17:05:54
<VirtualHost _default_:443>
SSLProxyEngine on
SSLEngine on
#SSLSessionCacheTimeout 2100
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/common/server.crt
SSLCertificateKeyFile /etc/httpd/common/server.key
SSLCertificateChainFile /etc/httpd/common/server_intermediate.pem
Include conf/conf/xxx.conf
</VirtualHost>
This is my configuration file on Apache. The browser already accepts the certificate, but when I verify it with openssl:
CONNECTED(00000003)
depth=0 ....................
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 ........................
verify error:num=27:certificate not trusted
verify return:1
depth=0 ....................
verify error:num=21:unable to verify the first certificate
verify return:1
Verify return code: 21 (unable to verify the first certificate)
漂亮男人 2017-05-16 17:05:54
openssl s_client -connect www.verisign.com:443 -CApath /etc/ca-certificates
First understand how SSL/TLS actually works in detail, then read man s_client.
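Added example, not part of any post above: the script below builds a throwaway root, intermediate and leaf with the openssl CLI and shows which trust inputs make `openssl verify` report error 20 (unable to get local issuer certificate), the code seen in the question and in the second post. The subject names, demo.example and all file names are constructed for the illustration.

```sh
#!/bin/sh
# Added example: reproduce verify error 20 with a throwaway three-level chain.
# All subject names and file names below are constructed for the demo.

mk_cert() {  # usage: mk_cert NAME CN <openssl x509 signing options...>
    name=$1; cn=$2; shift 2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$name.csr" -days 2 -out "$name.pem" "$@" 2>/dev/null
}

build_chain() {  # root -> int -> leaf, written to the current directory
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    mk_cert root "Demo Root CA" -signkey root.key -extfile ca.ext &&
    mk_cert int "Demo Intermediate CA" -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile ca.ext &&
    mk_cert leaf "demo.example" -CA int.pem -CAkey int.key -CAcreateserial
}

# Print OK, or the first numeric verify error, for leaf.pem.
# Arguments are passed through to `openssl verify`.
verify_code() {
    out=$(openssl verify "$@" leaf.pem 2>&1) || true
    case $out in
        *"error "[0-9]*)
            printf '%s\n' "$out" |
                sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
        *": OK"*) echo OK ;;
        *) echo UNKNOWN ;;
    esac
}

run_demo() {
    dir=$(mktemp -d) && cd "$dir" && build_chain || return 1
    # Full chain presented, but the root is in no trust store (the question).
    echo "chain sent, root untrusted: $(verify_code -untrusted int.pem)"
    # Root trusted, but the verifier only sees the leaf (error at depth 0).
    echo "root trusted, leaf only:    $(verify_code -CAfile root.pem)"
    # Root trusted and intermediate presented: the chain completes.
    echo "root trusted, chain sent:   $(verify_code -CAfile root.pem -untrusted int.pem)"
}
run_demo
```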