LINUX.ORG.RU

Разногласия между wget и openssl


0

1

Вопрос, возможно, нубский, но все же. Почему wget признает сертификат от сервера, а openssl verify нет? На

openssl verify google.pem
пишет
google-pem: C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
error 20 at 0 depth lookup:unable to get local issuer certificate
Сертификат получал так:
openssl s_client -connect google.com:443 > google.
openssl x509 -in google. > google.pem

Пробовал также

openssl verify -CApath /etc/ssl google.pem

Ответ на: комментарий от sjinks
$ openssl s_client -showcerts -connect google.com:443 < /dev/null
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
MIIGKjCCBZOgAwIBAgIKEiIxuQABAACSsTANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMzA3MzExMTQwMzRaFw0xMzEwMzEyMzU5NTla
MGYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRUwEwYDVQQDFAwqLmdv
b2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL+RiEjTLckQO7tb
T9lIFriDh3P+zkRJNWxZYuRnwKcJadgN9pMaf1taf2HkjrskArM1QIANnOPOByvA
Jp4HYr6NJLD2OPOvLvYv98qLdkKTKjt/b2H6axfGiJY6g9QfQtc81zc/tL51vknz
vSGaqOsAeJ0SO9SldqM7X/lDYkfTAgMBAAGjggP9MIID+TAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFD0slhILWX0Vi0EOxThOwOUUqKcJ
MB8GA1UdIwQYMBaAFL/AMOv1QxE+Z7qekfv8atrjaxIkMFsGA1UdHwRUMFIwUKBO
oEyGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJuZXRBdXRob3Jp
dHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3JsMGYGCCsGAQUFBwEBBFowWDBW
BggrBgEFBQcwAoZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRlcm5l
dEF1dGhvcml0eS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcnQwDAYDVR0TAQH/
BAIwADCCAsMGA1UdEQSCArowggK2ggwqLmdvb2dsZS5jb22CDSouYW5kcm9pZC5j
b22CFiouYXBwZW5naW5lLmdvb2dsZS5jb22CEiouY2xvdWQuZ29vZ2xlLmNvbYIW
Ki5nb29nbGUtYW5hbHl0aWNzLmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNs
gg4qLmdvb2dsZS5jby5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVr
gg8qLmdvb2dsZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29t
LmJygg8qLmdvb2dsZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUu
Y29tLnRygg8qLmdvb2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5l
c4ILKi5nb29nbGUuZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29n
bGUubmyCCyouZ29vZ2xlLnBsggsqLmdvb2dsZS5wdIIPKi5nb29nbGVhcGlzLmNu
ghQqLmdvb2dsZWNvbW1lcmNlLmNvbYINKi5nc3RhdGljLmNvbYIMKi51cmNoaW4u
Y29tghAqLnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29raWUuY29tgg0q
LnlvdXR1YmUuY29tghYqLnlvdXR1YmVlZHVjYXRpb24uY29tggsqLnl0aW1nLmNv
bYILYW5kcm9pZC5jb22CBGcuY2+CBmdvby5nbIIUZ29vZ2xlLWFuYWx5dGljcy5j
b22CCmdvb2dsZS5jb22CEmdvb2dsZWNvbW1lcmNlLmNvbYIKdXJjaGluLmNvbYII
eW91dHUuYmWCC3lvdXR1YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbTANBgkq
hkiG9w0BAQUFAAOBgQClna2RVEEVPusOayhKQ0/JUSBkvL8TflvmgIL/L/4SXsPy
AxcOwHBv0vfyX8cos1thOkyuSHEbuKqANW9BESg9dmqYWIG6hSWcVkbsqiaDS1CI
kO1nUjlwRJ+udBYcQPy8yBgJhTQ/76rRYyXoiTHr5SoV25gQrSFcWUSEum9C5Q==
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIDFXfhMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTIxMjEyMTU1ODUwWhcNMTMxMjMxMTU1ODUw
WjBGMQswCQYDVQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZ
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAye23pIucV+eEPkB9hPSP0XFjU5nneXQUr0SZMyCSjXvlKAy6rWxJfoNf
NFlOCnowzdDXxFdF7dWq1nMmzq0yE7jXDx07393cCDaob1FEm8rWIFJztyaHNWrb
qeXUWaUr/GcZOfqTGBhs3t0lig4zFEfC7wFQeeT9adGnwKziV28CAwEAAaOBozCB
oDAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUv8Aw
6/VDET5nup6R+/xq2uNrEiQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
BAMCAQYwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20v
Y3Jscy9zZWN1cmVjYS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAvprjecFG+iJsxzEF
ZUNgujFQodUovxOWZshcnDW7fZ7mTlk3zpeVJrGPZzhaDhvuJjIfKqHweFB7gwB+
ARlIjNvrPq86fpVg0NOTawALkSqOUMl3MynBQO+spR7EHcRbADQ/JemfTEh2Ycfl
vZqhEFBfurZkX0eTANq98ZvVfpg=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 2796 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: B366F09598CE29A88F749971658EEE624C1AB4E226D8BA196E84FBCBB5F2ACCC
    Session-ID-ctx: 
    Master-Key: 784351A68F3909B8A7A1A89BA3BA338D4E4760E6BBEDDD2870D1B4999B7E7A99241F1075BAB47CE35840A786AF1C6A32
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 68 59 9b 58 8d c7 49 d0-b6 b8 21 32 38 98 e0 9d   hY.X..I...!28...
    0010 - 76 49 90 4f c4 22 a3 62-6f c0 68 5e 3a ab 3c d0   vI.O.".bo.h^:.<.
    0020 - 14 e0 7e c1 d7 7e 55 db-a6 1c e0 7d 45 32 de 08   ..~..~U....}E2..
    0030 - 37 ab 6e 92 87 00 1e b3-df 0d bf a7 4a 90 d5 ad   7.n.........J...
    0040 - 41 41 ed eb 31 9c 16 e3-5d 06 40 cb 47 f6 b2 d6   AA..1...].@.G...
    0050 - 9b e0 ed 1b d6 bc f1 10-34 55 97 43 97 34 2a 8d   ........4U.C.4*.
    0060 - 45 7b 3c 79 86 94 6e b7-b2 4c 00 d4 c6 ff 18 77   E{<y..n..L.....w
    0070 - 39 ef 94 93 78 49 79 1e-c6 2f f9 19 d9 78 d4 b3   9...xIy../...x..
    0080 - 2d b0 c3 a6 3c da 6d 6a-4a 4a 43 04 97 a6 c3 d1   -...<.mjJJC.....
    0090 - e2 26 66 cb                                       .&f.

    Start Time: 1377078623
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE
DinoAsm ()

Может, проблема в том, что сертификаты 1024-битные, и поэтому их не включили в пакет дистрибутива?

DinoAsm ()
Ответ на: комментарий от DinoAsm

Ндам, глупость сморозил, но все же, возможно, openssl не верит 1024-битным сертификатам.

DinoAsm ()
Ответ на: комментарий от DinoAsm
$ openssl s_client -CApath /etc/ssl/certs/ -showcerts -connect google.com:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
MIIGKjCCBZOgAwIBAgIKEiIxuQABAACSsTANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMzA3MzExMTQwMzRaFw0xMzEwMzEyMzU5NTla
MGYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRUwEwYDVQQDFAwqLmdv
b2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL+RiEjTLckQO7tb
T9lIFriDh3P+zkRJNWxZYuRnwKcJadgN9pMaf1taf2HkjrskArM1QIANnOPOByvA
Jp4HYr6NJLD2OPOvLvYv98qLdkKTKjt/b2H6axfGiJY6g9QfQtc81zc/tL51vknz
vSGaqOsAeJ0SO9SldqM7X/lDYkfTAgMBAAGjggP9MIID+TAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFD0slhILWX0Vi0EOxThOwOUUqKcJ
MB8GA1UdIwQYMBaAFL/AMOv1QxE+Z7qekfv8atrjaxIkMFsGA1UdHwRUMFIwUKBO
oEyGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJuZXRBdXRob3Jp
dHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3JsMGYGCCsGAQUFBwEBBFowWDBW
BggrBgEFBQcwAoZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRlcm5l
dEF1dGhvcml0eS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcnQwDAYDVR0TAQH/
BAIwADCCAsMGA1UdEQSCArowggK2ggwqLmdvb2dsZS5jb22CDSouYW5kcm9pZC5j
b22CFiouYXBwZW5naW5lLmdvb2dsZS5jb22CEiouY2xvdWQuZ29vZ2xlLmNvbYIW
Ki5nb29nbGUtYW5hbHl0aWNzLmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNs
gg4qLmdvb2dsZS5jby5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVr
gg8qLmdvb2dsZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29t
LmJygg8qLmdvb2dsZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUu
Y29tLnRygg8qLmdvb2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5l
c4ILKi5nb29nbGUuZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29n
bGUubmyCCyouZ29vZ2xlLnBsggsqLmdvb2dsZS5wdIIPKi5nb29nbGVhcGlzLmNu
ghQqLmdvb2dsZWNvbW1lcmNlLmNvbYINKi5nc3RhdGljLmNvbYIMKi51cmNoaW4u
Y29tghAqLnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29raWUuY29tgg0q
LnlvdXR1YmUuY29tghYqLnlvdXR1YmVlZHVjYXRpb24uY29tggsqLnl0aW1nLmNv
bYILYW5kcm9pZC5jb22CBGcuY2+CBmdvby5nbIIUZ29vZ2xlLWFuYWx5dGljcy5j
b22CCmdvb2dsZS5jb22CEmdvb2dsZWNvbW1lcmNlLmNvbYIKdXJjaGluLmNvbYII
eW91dHUuYmWCC3lvdXR1YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbTANBgkq
hkiG9w0BAQUFAAOBgQClna2RVEEVPusOayhKQ0/JUSBkvL8TflvmgIL/L/4SXsPy
AxcOwHBv0vfyX8cos1thOkyuSHEbuKqANW9BESg9dmqYWIG6hSWcVkbsqiaDS1CI
kO1nUjlwRJ+udBYcQPy8yBgJhTQ/76rRYyXoiTHr5SoV25gQrSFcWUSEum9C5Q==
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIDFXfhMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTIxMjEyMTU1ODUwWhcNMTMxMjMxMTU1ODUw
WjBGMQswCQYDVQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZ
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAye23pIucV+eEPkB9hPSP0XFjU5nneXQUr0SZMyCSjXvlKAy6rWxJfoNf
NFlOCnowzdDXxFdF7dWq1nMmzq0yE7jXDx07393cCDaob1FEm8rWIFJztyaHNWrb
qeXUWaUr/GcZOfqTGBhs3t0lig4zFEfC7wFQeeT9adGnwKziV28CAwEAAaOBozCB
oDAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUv8Aw
6/VDET5nup6R+/xq2uNrEiQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
BAMCAQYwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20v
Y3Jscy9zZWN1cmVjYS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAvprjecFG+iJsxzEF
ZUNgujFQodUovxOWZshcnDW7fZ7mTlk3zpeVJrGPZzhaDhvuJjIfKqHweFB7gwB+
ARlIjNvrPq86fpVg0NOTawALkSqOUMl3MynBQO+spR7EHcRbADQ/JemfTEh2Ycfl
vZqhEFBfurZkX0eTANq98ZvVfpg=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 2790 bytes and written 347 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-RC4-SHA
    Session-ID: 8AEFA28DE81CC0117A7A91315C4BA132E088A8D210AA2B6E4007A17CE142BD31
    Session-ID-ctx: 
    Master-Key: C90AEECB4A3C7C12EE56DB895454909FF19F1100B6B091207E6A03CC8FCC84D873020567EBA31628176A6D0D8CECB25A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 68 59 9b 58 8d c7 49 d0-b6 b8 21 32 38 98 e0 9d   hY.X..I...!28...
    0010 - bd 5d 3f b1 ad 46 12 ac-b7 16 ca a3 e0 be b2 40   .]?..F.........@
    0020 - ca c2 95 e2 ee f6 f1 07-38 b2 71 3b 78 ab 39 1b   ........8.q;x.9.
    0030 - fb ae 83 f3 d7 20 b8 ca-b6 ec de 00 ee ee 08 ad   ..... ..........
    0040 - 66 cf 6a b2 4c eb f8 a7-3a ae 1f 4d 0a ec 7a 08   f.j.L...:..M..z.
    0050 - cd 2b 57 6a ed 02 d7 06-40 4e 5b 9d 58 4e d8 92   .+Wj....@N[.XN..
    0060 - 40 60 a1 d9 59 8b 32 9e-4b f5 51 8b 7e 32 40 4f   @`..Y.2.K.Q.~2@O
    0070 - 9e 96 b9 12 f6 a4 31 ff-aa c3 6e bc c1 10 aa 66   ......1...n....f
    0080 - 00 16 9e fe e3 40 71 c3-ab a8 f0 bd b2 a9 69 d7   .....@q.......i.
    0090 - d1 98 b3 d4                                       ....

    Start Time: 1377084915
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
sjinks ★★★ ()
Ответ на: комментарий от sjinks
$ mkdir /tmp/certs
$ openssl s_client -CApath /tmp/certs/ -showcerts -connect google.com:443 < /dev/null

...

    Start Time: 1377085994
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

Странно.

DinoAsm ()
Ответ на: комментарий от DinoAsm

Немного странно, но вроде как и нормально. Если не указывать -CApath, то openssl считает, что его нет. А если указывать CApath, то openssl считает, что вы решили использовать CApath, но, поскольку, ваш путь - фейковый, то он берет дефолтный CApath. И валидация проходит.

Тут это пытались оформить как баг: https://bugs.launchpad.net/ubuntu/ source/openssl/ bug/396818

Chumka ★★★ ()
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.