我已经创建了用于签署服务器证书(server.crt)和客户端证书(client.crt)的CA证书(ca.crt)。
我正在测试相互身份验证,但没有得到我期望的结果。
我正在使用以下服务器运行服务器
:$ openssl s_server -accept 9003 -CAfile ca.crt -cert server.crt -key server.key -Verify 10 -state -msg
和客户:
$ openssl s_client -connect localhost:9003 -key client.key -cert client.crt -CAfile ca.crt -state -tlsextdebug -verify 10
verify depth is 10
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 C = FR, ...
verify return:1
depth=0 C = FR, ...
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
通信已建立,我可以将文本发送到服务器。
但是,如果我使用未由已知CA签名的虚拟KO-client.crt / KO-client.key运行客户端,通信也可以...
$ openssl s_client -connect localhost:9003 -key KO-client.key -cert KO-client.crt -CAfile ca.crt -state -tlsextdebug -quiet -verify 10
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 C = FR, ...
verify return:1
depth=0 C = FR, ...
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
我无法弄清楚我在这里想念什么。