当连接到gateway.sandbox.push.apple.com时,“verify error:num = 20”
我试图运行在iOS 6教程:1/2部分中的Apple推送通知服务中find的Ray Wenderlich教程。
我在本地目录中创build了AppID和SSL证书以及密钥和PEM文件。 之后,我开始testing证书是否正常工作,并从本地目录中调用以下命令:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushChatCert.pem -key PushChatKey.pem 这产生了很多的输出。 在输出的中间是以下内容:
verify error:num=20:unable to get local issuer certificate verify return:0
这是一个错误,还是这是一个错误的testing? 如果出现错误,那么原因是什么?或者您会build议如何解决?
以下是完整的输出(less于证书数据):
Enter pass phrase for PushChatKey.pem: CONNECTED(00000003) depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048) --- Server certificate -----BEGIN CERTIFICATE----- <Long string of data removed> -----END CERTIFICATE----- subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C --- No client certificate CA names sent --- SSL handshake has read 2731 bytes and written 2215 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: Session-ID-ctx: Master-Key: <removed> Key-Arg : None Start Time: 1398633302 Timeout : 300 (sec) Verify return code: 0 (ok) ---
教程继续说:“如果连接成功,你应该能够input几个字符,当你按回车时,服务器应该断开连接。 我能够做到这一点,并断开服务器。
但教程继续说,你可能需要通过输出来查找错误。 因此,这个问题的原因。
This produced a lot of output. In the middle of the output was the following: verify error:num=20:unable to get local issuer certificate verify return:0
您缺less一个根证书,应该使用-CAfile或-CApath来指定它。
但是,修复根证书问题后,您可能会遇到握手警报。 我相信它是由我没有一个客户端证书问题(因此你可能没有经历)。 下面,0x14094410是OpenSSL错误,SSL错误(来自TLS协议)仅仅是SSL alert number 40 。 警报40是握手警报,没有附加信息。
第一
确定你需要的根:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 CONNECTED(00000003) depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C verify error:num=20:unable to get local issuer certificate verify return:0 140067272132264:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40 140067272132264:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: --- Certificate chain 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
所以你需要Entrust.netauthentication机构(2048) 。 您可以从Entrust根证书下载它。 它的名字是entrust_2048_ca.cer ,看起来是以PEM格式。
第二
现在,再次运行openssl s_client ,但是这次用-CAfile entrust_2048_ca.cer 。 注意它完成与Verify return code: 0 (ok) :
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CAfile entrust_2048_ca.cer CONNECTED(00000003) depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048) verify return:1 depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C verify return:1 depth=0 C = US, ST = California, L = Cupertino, O = Apple Inc., OU = iTMS Engineering, CN = gateway.sandbox.push.apple.com verify return:1 140642906502824:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40 140642906502824:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: --- Certificate chain 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048) --- Server certificate -----BEGIN CERTIFICATE----- MIIFGzCCBAOgAwIBAgIETBz90jANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMC VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0 Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW KGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZp Y2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMjA1MjUyMzM3NDZaFw0xNDA1MzEw NTA4NDhaMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAG A1UEBxMJQ3VwZXJ0aW5vMRMwEQYDVQQKEwpBcHBsZSBJbmMuMRkwFwYDVQQLExBp VE1TIEVuZ2luZWVyaW5nMScwJQYDVQQDEx5nYXRld2F5LnNhbmRib3gucHVzaC5h cHBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/r1z4BRFu DIU9/vOboVmd7OwaPPLRtcZiZLWxSyG/6KeRPpaeaC6DScvSDRoJuIeTDBup0bg4 08K0Gzh+lfKRlJOC2sma5Wgvk7oP4sty83My3YCZQv4QvgDhx+seONNs6XiA8Cl4 ingDymWGlzb0sTdfBIE/nWiEOtXQZcg6GKePOWXKSYgWyi/08538UihKK4JZIOL2 eIeBwjEwlaXFFpMlStc36uS/8oy+KMjwvuu3HazNMidvbGK2Z68rBnqnOAaDBtuT K7rwAa5+i8GYY+sJA0DywMViZxgG/xWWyr4DvhtpHfUjyQgg1ixM8q651LNgdRVf 4sB0PfANitq7AgMBAAGjggFZMIIBVTALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYI KwYBBQUHAwEGCCsGAQUFBwMCMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwu ZW50cnVzdC5uZXQvbGV2ZWwxYy5jcmwwZQYIKwYBBQUHAQEEWTBXMCMGCCsGAQUF BzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAwBggrBgEFBQcwAoYkaHR0cDov L2FpYS5lbnRydXN0Lm5ldC9sMWMtY2hhaW4uY2VyMEAGA1UdIAQ5MDcwNQYJKoZI hvZ9B0sCMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuZW50cnVzdC5uZXQvcnBh MB8GA1UdIwQYMBaAFB7xq4kG+EkPATN37hR67hl8kyhNMB0GA1UdDgQWBBSgNiNR qtTShi8PuJ7UNUEbeE71STAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQAS EDkUyBHVdRJnCLHY8w9ec92NWqBYqKiSGP0uVCvgpsJIWDBkCGIw1Olks6mQuS9+ R7VRJJFg7EhtufmoRIvjgntKpTe49sB/lrmiZVQGnhjd6YdyYm9+OBUWRvwketLM v0S+nxZD0qLLJ9foVUB8zP8LtutqFJ5IZw1xb9eSNzhpKkQ9ylj8MCd4tpXZxICL Gt327poTXwmjQ+31fz7HCQCowMHccP8kiKM5SeYC9q+nkmdaozHVvw4e1RsP+EWO vPtcH1x1BCkTJajmrO7JuRPLuBEnZGSPUVFRKWP9jy0a28VnJek+oA7rRMRD8irU fMGbLqkGn8YogdPqe5T1 -----END CERTIFICATE----- subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C --- No client certificate CA names sent --- SSL handshake has read 2683 bytes and written 338 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: Session-ID-ctx: Master-Key: A2F375CC440179ADF831179C32A35AF4... Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1398721005 Timeout : 300 (sec) Verify return code: 0 (ok)
第三
当SSLv3还很stream行的时候,这是一种旧的做事方式。 也就是说, POODLE攻击是未知的:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CAfile entrust_2048_ca.cer
您应该切换到TLS 1.0或更高版本并使用服务器名称指示(SNI) 。 SNI是SSL中不存在的TLSfunction。 您可能需要在2016年强制使用TLS 1.2; 你可以用-tls1_2 。
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 \ -tls1 -servername gateway.sandbox.push.apple.com -CAfile entrust_2048_ca.cer
以下是来自其他评论和答案的信息。 我正在收集他们的方便。 你应该加注意见或适当的答案。
客户证书
Korbbit在下面提供了更多信息。 它解决了我所做的陈述, “提醒握手失败…我相信它是由我没有一个引起的客户端证书问题” 。 如果对您有帮助,您应该为Korbbit提供反馈:
如果你再看看教程,你打算打字…
-cert PushChatCert.pem -key PushChatKey.pem
通过Korbbit的反馈,答案变成:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 \ -tls1 -servername gateway.sandbox.push.apple.com \ -cert PushChatCert.pem -key PushChatKey.pem -CAfile entrust_2048_ca.cer
CA证书包和-CApath
从Timur Bakeyev开始, Entrust.net是一个众所周知的根证书颁发机构,所以它的证书包含在通用的CA证书包(Debian中的ca-certificates )中。 通常将其安装到/etc/ssl/certs目录中,另外还可以使用-CApath /etc/ssl/certs/选项进行引用。
您可以使用-CApath代替-CAfile ,如下所示。
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CApath /etc/ssl/certs/
我只是做了相同的教程,接受的答案可能不是你想要的。 如果您再次查看教程,则需要键入:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushChatCert.pem -key PushChatKey.pem
不只是:
openssl s_client -connect gateway.sandbox.push.apple.com:2195
如果你把它作为一行input,它将起作用:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushChatCert.pem -key PushChatKey.pem
