Legido Wiki

User Tools

Site Tools

Trace:
informatica:linux:apache2:certificados

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
informatica:linux:apache2:certificados [2013/11/14 17:38] – created joseinformatica:linux:apache2:certificados [2015/04/13 20:19] (current) – external edit 127.0.0.1
Line 110: Line 110:
 </code> </code>
  
-Se puede ver los certificados aceptados:+Vemos que da el error: 
 +  7445:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1108:SSL alert number 40 
 +  7445:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:1012: 
 + 
 +Es porque el certificado no está dentro de los aceptados:
   Acceptable client certificate CA names   Acceptable client certificate CA names
 +  /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
 +
 +Ahora le pasamos el certificado personal.
 +Clave pública: jose.crt
 +<code>
 +-----BEGIN CERTIFICATE-----
 +MIICVjCCAb8CCQCRKNttR9iJbjANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJF
 +UzESMBAGA1UECAwJQmFyY2Vsb25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoM
 +CmxvYm85OS5jb20xEzARBgNVBAMMCmxvYm85OS5jb20wHhcNMTMxMTE0MTQxOTU3
 +WhcNMTQxMTE0MTQxOTU3WjCBgjELMAkGA1UEBhMCRVMxEjAQBgNVBAgMCUJhcmNl
 +bG9uYTEPMA0GA1UEBwwGTWF0YXJvMQ8wDQYDVQQKDAZsZWdpZG8xHTAbBgNVBAMM
 +FEpvc2UgTGVnaWRvIE1hcnRpbmV6MR4wHAYJKoZIhvcNAQkBFg9qb3NlQGxlZ2lk
 +by5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALk/zUfwu8XoVJ4eHR+C
 +N/F7W2AY/Sg1FCL+NpgplH0PU4A2QoVhAXDfV7zho4x+wv7Zbtf1Nx2Wyo5aVrkM
 +OuL1qrYNX4ecF661L/exg1eYJI5RWQ04jnmlQ7cf1nYqZncnocb87Zp/pO0Dnk3+
 +kLntqPPEqCDJGr8iLiNUB5QbAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAlfmKFp7+
 +B/Mr+F26Y3dLeBTgLczCUaSKO/bV9zE8TCj8fl7tNg+K1SUgsgrF/lYRUMn7mvnT
 +FcZtyaxNmOmdt7V/4U6UuJjsAJ5LPY7slfmmqE0CEzmJvmsmlW8R5Im39wiJ+Hhh
 +jUFeKpLUrUGPilVe/4QgREHOwUxmaNaFpJA=
 +-----END CERTIFICATE-----
 +</code>
 +
 +Clave privada: jose.key
 +<code>
 +-----BEGIN RSA PRIVATE KEY-----
 +MIICXgIBAAKBgQC5P81H8LvF6FSeHh0fgjfxe1tgGP0oNRQi/jaYKZR9D1OANkKF
 +YQFw31e84aOMfsL+2W7X9TcdlsqOWla5DDri9aq2DV+HnBeutS/3sYNXmCSOUVkN
 +OI55pUO3H9Z2KmZ3J6HG/O2af6TtA55N/pC57ajzxKggyRq/Ii4jVAeUGwIDAQAB
 +AoGBAIzZ7BW0/rC9tAj9UJtygWLErndkyKfXo9XvgEc15kcobg7gMrgDR/swdh+R
 +WK8sessXO+ZL9noy+xQ9sA7HM8Wsh9vtxxzXaxBFcqHGnAHiPuFvw0wme2pXAXZ1
 +8/pxo1MkW77o8OpNpDd15XFDgwK1o7UhZKTmhDITcbcQXUvRAkEA8jUgYiZr0EMi
 +pM7oiU2eQ/0puDcP0SYK/hr/+y7H6RIa+RyRmZork5E5iHKXJHa6qfnmbIZpFCNI
 +e0dmLqU3hQJBAMPMWAVmnPMM2FesGd4RKca8bBh3XV96WPXdtgv47CyGI1zq2hoY
 +6+IRBiHTWAerYuWn3bGYwvEUZQhEhp3V3x8CQQDvyl8ULPuiRUUgK2SWwsyEfTh3
 +k7PKGcLaTfrOQENU4ULpDDqt+q9XunheOSyfwhgNvkY9fVi8wi25NzfXyGRNAkEA
 +kbqjwNFQ+62R0B8t2ZSYrWxMYCFng8rCL6zm9B4/Whw0cdHypv3pgwb8s2xj1sF/
 +CENaw/ZZEaoGUJMARrWKLQJAAylDInHteOqXRp8UP3uJsDZZ/nVGjuEcpZv6dvD8
 +jko1y3wSkyvm6Gzr6f4nQoZAOjuJ4hkemwKUkQr4fZYaCg==
 +-----END RSA PRIVATE KEY-----
 +</code>
 +
 +Vemos la info del certificado
 +  # openssl x509 -in jose.crt  -noout -text
 +
 +<code>
 +Certificate:
 +    Data:
 +        Version: 1 (0x0)
 +        Serial Number:
 +            91:28:db:6d:47:d8:89:6e
 +        Signature Algorithm: sha1WithRSAEncryption
 +        Issuer: C=ES, ST=Barcelona, L=Mataro, O=lobo99.com, CN=lobo99.com
 +        Validity
 +            Not Before: Nov 14 14:19:57 2013 GMT
 +            Not After : Nov 14 14:19:57 2014 GMT
 +        Subject: C=ES, ST=Barcelona, L=Mataro, O=legido, CN=Jose Legido Martinez/emailAddress=jose@legido.com
 +        Subject Public Key Info:
 +            Public Key Algorithm: rsaEncryption
 +            RSA Public Key: (1024 bit)
 +                Modulus (1024 bit):
 +                    00:b9:3f:cd:47:f0:bb:c5:e8:54:9e:1e:1d:1f:82:
 +                    37:f1:7b:5b:60:18:fd:28:35:14:22:fe:36:98:29:
 +                    94:7d:0f:53:80:36:42:85:61:01:70:df:57:bc:e1:
 +                    a3:8c:7e:c2:fe:d9:6e:d7:f5:37:1d:96:ca:8e:5a:
 +                    56:b9:0c:3a:e2:f5:aa:b6:0d:5f:87:9c:17:ae:b5:
 +                    2f:f7:b1:83:57:98:24:8e:51:59:0d:38:8e:79:a5:
 +                    43:b7:1f:d6:76:2a:66:77:27:a1:c6:fc:ed:9a:7f:
 +                    a4:ed:03:9e:4d:fe:90:b9:ed:a8:f3:c4:a8:20:c9:
 +                    1a:bf:22:2e:23:54:07:94:1b
 +                Exponent: 65537 (0x10001)
 +    Signature Algorithm: sha1WithRSAEncryption
 +        95:f9:8a:16:9e:fe:07:f3:2b:f8:5d:ba:63:77:4b:78:14:e0:
 +        2d:cc:c2:51:a4:8a:3b:f6:d5:f7:31:3c:4c:28:fc:7e:5e:ed:
 +        36:0f:8a:d5:25:20:b2:0a:c5:fe:56:11:50:c9:fb:9a:f9:d3:
 +        15:c6:6d:c9:ac:4d:98:e9:9d:b7:b5:7f:e1:4e:94:b8:98:ec:
 +        00:9e:4b:3d:8e:ec:95:f9:a6:a8:4d:02:13:39:89:be:6b:26:
 +        95:6f:11:e4:89:b7:f7:08:89:f8:78:61:8d:41:5e:2a:92:d4:
 +        ad:41:8f:8a:55:5e:ff:84:20:44:41:ce:c1:4c:66:68:d6:85:
 +        a4:90
 +</code>
 +
 +El issuer está dentro de los certificados aceptados:
 +  Issuer: C=ES, ST=Barcelona, L=Mataro, O=lobo99.com, CN=lobo99.com
 +
 +Ahora hacemos la petición con el certificado y vemos como funciona OK. Primero conectamos:
 +
 +  # openssl s_client -key jose.key -cert jose.crt -connect lobo99.com:4443 -prexit
 +
 +<code>
 +CONNECTED(00000003)
 +depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
 +verify error:num=18:self signed certificate
 +verify return:1
 +depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
 +verify return:1
 +---
 +Certificate chain
 + 0 s:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
 +   i:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
 +---
 +Server certificate
 +-----BEGIN CERTIFICATE-----
 +MIICLzCCAZgCCQDNzGD1CybT2DANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJF
 +UzESMBAGA1UECAwJQmFyY2Vsb25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoM
 +CmxvYm85OS5jb20xEzARBgNVBAMMCmxvYm85OS5jb20wHhcNMTMxMTE0MTQxMzQx
 +WhcNMTQxMTE0MTQxMzQxWjBcMQswCQYDVQQGEwJFUzESMBAGA1UECAwJQmFyY2Vs
 +b25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoMCmxvYm85OS5jb20xEzARBgNV
 +BAMMCmxvYm85OS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMXm6oQv
 +uvAYsDXII9E5U0pMZO+xmK+qfnM+Mtjx371BBmPOqsPvZV3V57ySFbl9li0jehbU
 +WLai3775RBtTj2rGZzMV8/0gkntjV5VE0Ouz6eHbN60YJm/co75w70mm4H/mXbA5
 +I0cNwpNAngGXjrisbXH3yvRJtt1akmu5wH2VAgMBAAEwDQYJKoZIhvcNAQEFBQAD
 +gYEAsJv09u9+25Dpkb564Wa5kGE4sJvtxD/Mc757imzLs01lkVW99EX82m4blmwK
 +1Mddr3pK1sdAyOON39/Jwg/TYO23McjonDlouYENvnk5VJuybHNnIrch+i+4VLOI
 +N7h7G234EEmvpKmalB/F/ZZwdWkR1EEgPC9IReO2Ttk/c0w=
 +-----END CERTIFICATE-----
 +subject=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
 +issuer=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
 +---
 +No client certificate CA names sent
 +---
 +SSL handshake has read 1134 bytes and written 319 bytes
 +---
 +New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
 +Server public key is 1024 bit
 +Secure Renegotiation IS supported
 +Compression: NONE
 +Expansion: NONE
 +SSL-Session:
 +    Protocol  : TLSv1
 +    Cipher    : DHE-RSA-AES256-SHA
 +    Session-ID: B1CFF3FD9D0ED0E233823FF1161D7313C0759D32A88966B7F52A44B932494C29
 +    Session-ID-ctx: 
 +    Master-Key: 59C74C051414EEE68F4C06EEC2EBD4EA086848F5DD6A239AFB473C5D8ED9F1A2061FC6B47A960396EB283D53E9A1DF07
 +    Key-Arg   : None
 +    Start Time: 1384527110
 +    Timeout   : 300 (sec)
 +    Verify return code: 18 (self signed certificate)
 +---
 +</code>
 +
 +Ahora hacemos la petición
 +  # GET /cert/index.html
 +
  
 +<code>
 +depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
 +verify error:num=18:self signed certificate
 +verify return:1
 +depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
 +verify return:1
 +read R BLOCK
 +Certificado personal Valido
 +closed
 +---
 +Certificate chain
 + 0 s:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
 +   i:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
 +---
 +Server certificate
 +-----BEGIN CERTIFICATE-----
 +MIICLzCCAZgCCQDNzGD1CybT2DANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJF
 +UzESMBAGA1UECAwJQmFyY2Vsb25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoM
 +CmxvYm85OS5jb20xEzARBgNVBAMMCmxvYm85OS5jb20wHhcNMTMxMTE0MTQxMzQx
 +WhcNMTQxMTE0MTQxMzQxWjBcMQswCQYDVQQGEwJFUzESMBAGA1UECAwJQmFyY2Vs
 +b25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoMCmxvYm85OS5jb20xEzARBgNV
 +BAMMCmxvYm85OS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMXm6oQv
 +uvAYsDXII9E5U0pMZO+xmK+qfnM+Mtjx371BBmPOqsPvZV3V57ySFbl9li0jehbU
 +WLai3775RBtTj2rGZzMV8/0gkntjV5VE0Ouz6eHbN60YJm/co75w70mm4H/mXbA5
 +I0cNwpNAngGXjrisbXH3yvRJtt1akmu5wH2VAgMBAAEwDQYJKoZIhvcNAQEFBQAD
 +gYEAsJv09u9+25Dpkb564Wa5kGE4sJvtxD/Mc757imzLs01lkVW99EX82m4blmwK
 +1Mddr3pK1sdAyOON39/Jwg/TYO23McjonDlouYENvnk5VJuybHNnIrch+i+4VLOI
 +N7h7G234EEmvpKmalB/F/ZZwdWkR1EEgPC9IReO2Ttk/c0w=
 +-----END CERTIFICATE-----
 +subject=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
 +issuer=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
 +---
 +Acceptable client certificate CA names
 +/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
 +---
 +SSL handshake has read 2699 bytes and written 1644 bytes
 +---
 +New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
 +Server public key is 1024 bit
 +Secure Renegotiation IS supported
 +Compression: NONE
 +Expansion: NONE
 +SSL-Session:
 +    Protocol  : TLSv1
 +    Cipher    : DHE-RSA-AES256-SHA
 +    Session-ID: 6F130D6FC788FB7A753469DF2A31DCBE4C8424F3F18B14334B20B1776BC5D3DA
 +    Session-ID-ctx: 
 +    Master-Key: 4839F14C631B20BCEC8E789FD06C007559E3135426DBE6EAB2C43A0BAC1CBD740E38B8E19D2251BB4E72FBD7CBF80231
 +    Key-Arg   : None
 +    Start Time: 1384527161
 +    Timeout   : 300 (sec)
 +    Verify return code: 18 (self signed certificate)
 +---
 +</code>
informatica/linux/apache2/certificados.1384450707.txt.gz · Last modified: 2015/04/13 20:19 (external edit)