
Checking for errors

# openssl s_client -connect lobo99.com:4443 -prexit
CONNECTED(00000003)
depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
verify return:1
---
Certificate chain
 0 s:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
   i:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICLzCCAZgCCQDNzGD1CybT2DANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJF
UzESMBAGA1UECAwJQmFyY2Vsb25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoM
CmxvYm85OS5jb20xEzARBgNVBAMMCmxvYm85OS5jb20wHhcNMTMxMTE0MTQxMzQx
WhcNMTQxMTE0MTQxMzQxWjBcMQswCQYDVQQGEwJFUzESMBAGA1UECAwJQmFyY2Vs
b25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoMCmxvYm85OS5jb20xEzARBgNV
BAMMCmxvYm85OS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMXm6oQv
uvAYsDXII9E5U0pMZO+xmK+qfnM+Mtjx371BBmPOqsPvZV3V57ySFbl9li0jehbU
WLai3775RBtTj2rGZzMV8/0gkntjV5VE0Ouz6eHbN60YJm/co75w70mm4H/mXbA5
I0cNwpNAngGXjrisbXH3yvRJtt1akmu5wH2VAgMBAAEwDQYJKoZIhvcNAQEFBQAD
gYEAsJv09u9+25Dpkb564Wa5kGE4sJvtxD/Mc757imzLs01lkVW99EX82m4blmwK
1Mddr3pK1sdAyOON39/Jwg/TYO23McjonDlouYENvnk5VJuybHNnIrch+i+4VLOI
N7h7G234EEmvpKmalB/F/ZZwdWkR1EEgPC9IReO2Ttk/c0w=
-----END CERTIFICATE-----
subject=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
issuer=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
---
No client certificate CA names sent
---
SSL handshake has read 1134 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 259139CDC82A2074ABAF3B686B49A1514999E91C1ECEFFF67D4A0ED81D4EDEAF
    Session-ID-ctx: 
    Master-Key: 16080FCCE327191EEF97BF191992CD282FDD9685C40E7ADA15C7A3A3A844252195414690BA49C48D9EFCEB45D7AD8EA1
    Key-Arg   : None
    Start Time: 1384450622
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

Then we type the request into the s_client session. Note that on connect the server said "No client certificate CA names sent": it only asks for a client certificate once the protected location is requested, so the GET triggers a renegotiation:

GET /cert
depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
verify return:1
7445:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1108:SSL alert number 40
7445:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:1012:
---
Certificate chain
 0 s:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
   i:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICLzCCAZgCCQDNzGD1CybT2DANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJF
UzESMBAGA1UECAwJQmFyY2Vsb25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoM
CmxvYm85OS5jb20xEzARBgNVBAMMCmxvYm85OS5jb20wHhcNMTMxMTE0MTQxMzQx
WhcNMTQxMTE0MTQxMzQxWjBcMQswCQYDVQQGEwJFUzESMBAGA1UECAwJQmFyY2Vs
b25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoMCmxvYm85OS5jb20xEzARBgNV
BAMMCmxvYm85OS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMXm6oQv
uvAYsDXII9E5U0pMZO+xmK+qfnM+Mtjx371BBmPOqsPvZV3V57ySFbl9li0jehbU
WLai3775RBtTj2rGZzMV8/0gkntjV5VE0Ouz6eHbN60YJm/co75w70mm4H/mXbA5
I0cNwpNAngGXjrisbXH3yvRJtt1akmu5wH2VAgMBAAEwDQYJKoZIhvcNAQEFBQAD
gYEAsJv09u9+25Dpkb564Wa5kGE4sJvtxD/Mc757imzLs01lkVW99EX82m4blmwK
1Mddr3pK1sdAyOON39/Jwg/TYO23McjonDlouYENvnk5VJuybHNnIrch+i+4VLOI
N7h7G234EEmvpKmalB/F/ZZwdWkR1EEgPC9IReO2Ttk/c0w=
-----END CERTIFICATE-----
subject=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
issuer=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
---
Acceptable client certificate CA names
/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
---
SSL handshake has read 2540 bytes and written 292 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: FE7F31365F592A612576D234792FBE3C2A80FBD17758069CE2E87A02B3A2CFFF
    Session-ID-ctx: 
    Master-Key: 17477130AB689266F3E38E052D295C6506043FADCFF9DFDB658F41B43A2FF094EB036B988FC8FFA5D3E450DF5C43D031
    Key-Arg   : None
    Start Time: 1384450654
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

The renegotiation is torn down with the error:

7445:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1108:SSL alert number 40
7445:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:1012:

This is because no acceptable client certificate was presented: we gave s_client none, and the server only accepts certificates issued by the CAs it lists during the renegotiation (alert 40 is the TLS "handshake_failure" alert):

Acceptable client certificate CA names
/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com

Now we pass the personal certificate. Certificate (public part): jose.crt

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Private key: jose.key (shown here only for the test; never publish or hand around a key you actually use)

-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQC5P81H8LvF6FSeHh0fgjfxe1tgGP0oNRQi/jaYKZR9D1OANkKF
YQFw31e84aOMfsL+2W7X9TcdlsqOWla5DDri9aq2DV+HnBeutS/3sYNXmCSOUVkN
OI55pUO3H9Z2KmZ3J6HG/O2af6TtA55N/pC57ajzxKggyRq/Ii4jVAeUGwIDAQAB
AoGBAIzZ7BW0/rC9tAj9UJtygWLErndkyKfXo9XvgEc15kcobg7gMrgDR/swdh+R
WK8sessXO+ZL9noy+xQ9sA7HM8Wsh9vtxxzXaxBFcqHGnAHiPuFvw0wme2pXAXZ1
8/pxo1MkW77o8OpNpDd15XFDgwK1o7UhZKTmhDITcbcQXUvRAkEA8jUgYiZr0EMi
pM7oiU2eQ/0puDcP0SYK/hr/+y7H6RIa+RyRmZork5E5iHKXJHa6qfnmbIZpFCNI
e0dmLqU3hQJBAMPMWAVmnPMM2FesGd4RKca8bBh3XV96WPXdtgv47CyGI1zq2hoY
6+IRBiHTWAerYuWn3bGYwvEUZQhEhp3V3x8CQQDvyl8ULPuiRUUgK2SWwsyEfTh3
k7PKGcLaTfrOQENU4ULpDDqt+q9XunheOSyfwhgNvkY9fVi8wi25NzfXyGRNAkEA
kbqjwNFQ+62R0B8t2ZSYrWxMYCFng8rCL6zm9B4/Whw0cdHypv3pgwb8s2xj1sF/
CENaw/ZZEaoGUJMARrWKLQJAAylDInHteOqXRp8UP3uJsDZZ/nVGjuEcpZv6dvD8
jko1y3wSkyvm6Gzr6f4nQoZAOjuJ4hkemwKUkQr4fZYaCg==
-----END RSA PRIVATE KEY-----

We look at the certificate details:

# openssl x509 -in jose.crt  -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            91:28:db:6d:47:d8:89:6e
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=Barcelona, L=Mataro, O=lobo99.com, CN=lobo99.com
        Validity
            Not Before: Nov 14 14:19:57 2013 GMT
            Not After : Nov 14 14:19:57 2014 GMT
        Subject: C=ES, ST=Barcelona, L=Mataro, O=legido, CN=Jose Legido Martinez/emailAddress=jose@legido.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b9:3f:cd:47:f0:bb:c5:e8:54:9e:1e:1d:1f:82:
                    37:f1:7b:5b:60:18:fd:28:35:14:22:fe:36:98:29:
                    94:7d:0f:53:80:36:42:85:61:01:70:df:57:bc:e1:
                    a3:8c:7e:c2:fe:d9:6e:d7:f5:37:1d:96:ca:8e:5a:
                    56:b9:0c:3a:e2:f5:aa:b6:0d:5f:87:9c:17:ae:b5:
                    2f:f7:b1:83:57:98:24:8e:51:59:0d:38:8e:79:a5:
                    43:b7:1f:d6:76:2a:66:77:27:a1:c6:fc:ed:9a:7f:
                    a4:ed:03:9e:4d:fe:90:b9:ed:a8:f3:c4:a8:20:c9:
                    1a:bf:22:2e:23:54:07:94:1b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        95:f9:8a:16:9e:fe:07:f3:2b:f8:5d:ba:63:77:4b:78:14:e0:
        2d:cc:c2:51:a4:8a:3b:f6:d5:f7:31:3c:4c:28:fc:7e:5e:ed:
        36:0f:8a:d5:25:20:b2:0a:c5:fe:56:11:50:c9:fb:9a:f9:d3:
        15:c6:6d:c9:ac:4d:98:e9:9d:b7:b5:7f:e1:4e:94:b8:98:ec:
        00:9e:4b:3d:8e:ec:95:f9:a6:a8:4d:02:13:39:89:be:6b:26:
        95:6f:11:e4:89:b7:f7:08:89:f8:78:61:8d:41:5e:2a:92:d4:
        ad:41:8f:8a:55:5e:ff:84:20:44:41:ce:c1:4c:66:68:d6:85:
        a4:90

The issuer is among the acceptable client certificate CA names the server sent:

Issuer: C=ES, ST=Barcelona, L=Mataro, O=lobo99.com, CN=lobo99.com
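The two checks made by eye above (did the renegotiation fail for lack of a client certificate, and does the client certificate's issuer appear among the CA names the server accepts) can be scripted. The following Python is an added example and is not part of the original page: it parses the `openssl s_client -prexit` output and the Issuer line of `openssl x509 -text`, normalises the two DN spellings OpenSSL uses (slash form `/C=ES/ST=...` versus comma form `C=ES, ST=...`) so they compare equal, and reports the findings a practitioner would want flagged (alert 40, unverified self-signed server certificate, 1024-bit key, TLSv1). The embedded sample text is condensed from the outputs shown on this page; the DN comparison is a plain attribute-by-attribute string comparison, not full X.500 name matching.

```python
import re

# Condensed `openssl s_client -prexit` output, copied from the session on this
# page in which "GET /cert" was sent without a client certificate.
S_CLIENT_NO_CLIENT_CERT = """\
depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
verify error:num=18:self signed certificate
verify return:1
7445:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1108:SSL alert number 40
7445:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:1012:
---
Certificate chain
 0 s:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
   i:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
---
Acceptable client certificate CA names
/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)
"""

# The Issuer line that `openssl x509 -noout -text -in jose.crt` printed on this page.
X509_ISSUER_LINE = "        Issuer: C=ES, ST=Barcelona, L=Mataro, O=lobo99.com, CN=lobo99.com"


def parse_dn(dn):
    """Normalise a DN to a tuple of (ATTR, value) pairs so that the slash form
    s_client prints (/C=ES/ST=...) and the comma form x509 -text prints
    (C=ES, ST=...) compare equal.  Splitting on '/' and ',' unconditionally is
    fine for OpenSSL's default one-line output but breaks on values containing
    those characters (e.g. "O=Foo, Inc."); RFC 4514 parsing is out of scope."""
    pairs = []
    for part in re.split(r"[/,]", dn):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return tuple(pairs)


def parse_s_client(output):
    """Extract the security-relevant facts from `s_client -prexit` output."""
    info = {"accepted_cas": [], "alert": None, "verify_code": None,
            "protocol": None, "cipher": None, "server_key_bits": None}
    lines = output.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Acceptable client certificate CA names"):
            # One DN per line until the next "---" separator.
            i += 1
            while i < len(lines) and not lines[i].startswith("---"):
                info["accepted_cas"].append(parse_dn(lines[i]))
                i += 1
            continue
        m = re.search(r"SSL alert number (\d+)", line)
        if m:
            info["alert"] = int(m.group(1))
        m = re.search(r"Verify return code: (\d+)", line)
        if m:
            info["verify_code"] = int(m.group(1))
        m = re.match(r"\s*Protocol\s*:\s*(\S+)", line)
        if m:
            info["protocol"] = m.group(1)
        m = re.match(r"\s*Cipher\s*:\s*(\S+)", line)
        if m:
            info["cipher"] = m.group(1)
        m = re.match(r"Server public key is (\d+) bit", line)
        if m:
            info["server_key_bits"] = int(m.group(1))
        i += 1
    return info


def issuer_from_x509_text(text):
    """Return the normalised Issuer DN from `openssl x509 -text` output."""
    m = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M)
    if not m:
        raise ValueError("no Issuer line found")
    return parse_dn(m.group(1))


def client_cert_acceptable(issuer, accepted_cas):
    """True when the client cert's issuer equals one of the CA names the
    server advertised in its CertificateRequest."""
    return issuer in accepted_cas


def assess(info):
    """Findings a reviewer would raise from one s_client run."""
    findings = []
    if info["alert"] == 40:
        findings.append("alert 40 (handshake_failure): server rejected the "
                        "renegotiation, usually no or unacceptable client cert")
    if info["verify_code"] == 18:
        findings.append("server cert is self-signed and was not verified; "
                        "re-run with -CAfile to actually check it")
    if info["server_key_bits"] is not None and info["server_key_bits"] < 2048:
        findings.append("server RSA key is only %d bits" % info["server_key_bits"])
    if info["protocol"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append("negotiated %s; TLS 1.2 or newer expected" % info["protocol"])
    return findings


if __name__ == "__main__":
    session = parse_s_client(S_CLIENT_NO_CLIENT_CERT)
    issuer = issuer_from_x509_text(X509_ISSUER_LINE)
    print("jose.crt issuer acceptable:", client_cert_acceptable(issuer, session["accepted_cas"]))
    for finding in assess(session):
        print("-", finding)
```

Feed it the first session from this page (the one ending in "No client certificate CA names sent") and `accepted_cas` comes back empty, which is how you tell that the server had not yet asked for a client certificate at that point.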

Now we make the request with the certificate and see that it works. First we connect (verify error 18 still appears because s_client does not trust the self-signed server certificate; pass the server's certificate with -CAfile if you also want the server side verified):

# openssl s_client -key jose.key -cert jose.crt -connect lobo99.com:4443 -prexit
CONNECTED(00000003)
depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
verify return:1
---
Certificate chain
 0 s:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
   i:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
issuer=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
---
No client certificate CA names sent
---
SSL handshake has read 1134 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: B1CFF3FD9D0ED0E233823FF1161D7313C0759D32A88966B7F52A44B932494C29
    Session-ID-ctx: 
    Master-Key: 59C74C051414EEE68F4C06EEC2EBD4EA086848F5DD6A239AFB473C5D8ED9F1A2061FC6B47A960396EB283D53E9A1DF07
    Key-Arg   : None
    Start Time: 1384527110
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

Now we type the request into the session. This time the renegotiation succeeds and the page body ("Certificado personal Valido") comes back, which confirms the client certificate was accepted:

GET /cert/index.html
depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
verify return:1
read R BLOCK
Certificado personal Valido
closed
---
Certificate chain
 0 s:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
   i:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
issuer=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
---
Acceptable client certificate CA names
/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
---
SSL handshake has read 2699 bytes and written 1644 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 6F130D6FC788FB7A753469DF2A31DCBE4C8424F3F18B14334B20B1776BC5D3DA
    Session-ID-ctx: 
    Master-Key: 4839F14C631B20BCEC8E789FD06C007559E3135426DBE6EAB2C43A0BAC1CBD740E38B8E19D2251BB4E72FBD7CBF80231
    Key-Arg   : None
    Start Time: 1384527161
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
informatica/linux/apache2/certificados/comprobacion.txt · Last modified: 2015/04/13 20:19 by 127.0.0.1