【发布时间】:2021-01-10 03:11:54
【问题描述】:
我正在使用 go http 客户端连接到具有自签名证书的物联网设备。我已经有了
TLSClientConfig: &tls.Config{
RootCAs: certPool,
Certificates: []tls.Certificate{tlsClientCert},
InsecureSkipVerify: true,
},
尽管InsecureSkipVerify=true go 仍然尝试验证证书:
x509: cannot validate certificate for <ip> because it doesn't contain any IP SANs
由于我无法更改设备上的证书 - 我可以修改 TLS 客户端配置的哪一部分以接受它?
更新
可以在设备上运行https://github.com/jbardin/gotlsscan/blob/master/main.go 重现 go 错误:
Testing TLS1.2
...
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED] x509: cannot validate certificate for 192.168.1.145 because it doesn't contain any IP SANs
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED]
...
这是 openssl 在运行 openssl s_client -connect <ip:port> 时所说的:
CONNECTED(00000003)
depth=0 C = DE, O = Bebro, OU = ULK High GEN 1, CN = ICCPD...
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, O = Bebro, OU = ULK High GEN 1, CN = ICCPD...
verify return:1
4460842604:error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40
4460842604:error:1401E0E5:SSL routines:CONNECT_CR_FINISHED:ssl handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:585:
---
Certificate chain
0 s:/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
i:/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
---
Server certificate
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
subject=/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
issuer=/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 969 bytes and written 178 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-SHA256
Session-ID: 9C7D...
Session-ID-ctx:
Master-Key: AC9E...
Start Time: 1600892515
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
更新我正在运行最新的 go 1.15.2
【问题讨论】:
-
您可以在证书的 SAN 中的请求中指定
Host。 -
我只有来自 DNS-SD 的设备名称。作为应用程序的一部分,我什至没有阅读它的证书/SAN,所以不确定我会怎么做。另外:错误消息包含远程 IP,因此本地 go 客户端抱怨。它甚至不应该在这里尝试验证证书?
-
@andig:设置
InsecureSkipVerify应该足够了,我怀疑问题出在其他地方。您能否发布一个演示问题的最小但完整的工作程序以及完整的错误消息? -
我已经更新了示例和 openssl 诊断。
-
@andig:感谢您提供。您使用的是哪个版本的 Go?一些尝试的建议: (1) 输出
insecure的值,以确保它真的被设置为true- 发生了奇怪的事情; (2) 您通常应该设置ServerName或InsecureSkipVerify,但不能同时设置,因此如果insecure是true,请尝试not 设置ServerName; (3) 在tls.Config传递给tls包函数后,您不应修改它,因此请尝试将其定义移动到内部循环中以每次创建新配置。