wget(1.11.4) --ca-certificate=$myhttpca https://nodejs.org/dist/v5.3.0/node-v5.3.0-linux-x64.tar.gz
Here the $myhttpca file is the latest version to date from https://github.com/bagder/ca-bundle/blob/master/ca-bundle.crt.
The following error appears:
```
Resolving nodejs.org... 104.20.22.46, 104.20.23.46, 2400:cb00:2048:1::6814:162e, ...
Connecting to nodejs.org|104.20.22.46|:443... connected.
ERROR: certificate common name `*.nodejs.org' doesn't match requested host name `nodejs.org'.
To connect to nodejs.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
```
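But when I switch to another, newer server and run wget there (version 1.12, no CA file needed), there is no error.
I have been stuck on this for a whole afternoon. I don't really understand how SSL verification works; I suspect the wget version is the cause. On the old server (the one above), running wget --ca.... directly against a file at https://github.com/... does not fail. As soon as the HTTPS server's IP changes, the problem appears. I'd appreciate an explanation; this is driving me crazy. Thanks, everyone!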
1
plqws 2015-12-29 18:22:51 +08:00
TLS on both Debian 7 and 8 seems to have bugs; I don't know which distribution the OP is using.
2
zealot0630 2015-12-29 18:33:28 +08:00
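I looked at the nodejs server's certificate; the problem is probably caused by your server not supporting X509v3 Subject Alternative Name.
The server certificate has X509v3 Subject Alternative Name: DNS:*.nodejs.org, DNS:nodejs.org; your wget does not recognize it, which causes the problem.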
3
zealot0630 2015-12-29 18:36:08 +08:00
4
znlab 2015-12-29 22:32:23 +08:00 1
5
ekeyme OP @plqws
The distribution is CentOS release 5.7 (Final) Linux version 2.6.18-274.7.1.el5 ([email protected]) (Red Hat 4.1.2-51)) #1 SMP Thu Oct 20 16:21:01 EDT 2011
6
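ekeyme OP @zealot0630 Thx. I used the command you gave to take a look, but I don't know how to read the result. I did see the keyword X509v3 Subject Alternative Name: in the output, though, so presumably the server supports SAN.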
```
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=2 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
verify return:1
depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.nodejs.org
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4d:46:ea:c0:d8:04:b6:90:07:55:7d:18:e0:27:ea:4d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Nov 8 00:00:00 2015 GMT
            Not After : Aug 22 23:59:59 2017 GMT
        Subject: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.nodejs.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:c4:88:d6:f5:ce:38:af:f6:3a:7b:73:ed:43:81:
                    4a:d2:01:8e:91:2b:f1:af:3d:f7:8f:83:42:a6:89:
                    ed:4e:15:77:80:c1:9e:29:0b:ee:a2:38:80:ad:29:
                    d1:66:c2:eb:74:bc:0f:40:ae:15:61:66:2b:b1:3a:
                    2f:05:2b:c2:19:eb:ab:2d:83:25:c9:1b:26:88:a2:
                    be:4d:8e:eb:95:6f:bc:f1:57:ff:01:10:ab:6c:ca:
                    f5:5f:07:92:f8:28:34:ef:9a:41:7b:ff:f9:d1:46:
                    b1:e0:86:77:3d:63:2e:f1:db:03:de:19:a6:57:9e:
                    4d:fe:40:b5:a5:da:53:24:98:72:03:73:4b:89:96:
                    23:53:fd:33:f4:91:b2:11:ca:55:a7:a8:79:76:38:
                    9e:d4:23:b7:2a:11:7a:74:d2:18:1b:29:ca:ce:ec:
                    99:35:97:c3:83:24:2b:b5:1f:5d:4d:38:61:32:01:
                    5c:a4:f1:e1:32:35:51:91:3f:42:c9:87:00:de:b7:
                    94:1b:13:d0:de:44:46:f4:0b:cc:d9:3e:46:89:7f:
                    4a:bc:05:6d:f2:aa:72:ac:ee:ee:e0:aa:7d:41:09:
                    e0:15:89:b2:69:d4:03:f2:d0:c7:8c:60:19:6a:25:
                    1b:b0:6a:65:20:5e:17:99:70:14:30:a9:2e:ed:41:
                    2f:7a:be:b9:e8:46:69:59:56:cc:b5:24:41:dd:3c:
                    d8:70:dc:2b:7f:63:1c:be:71:19:03:e0:58:13:bb:
                    ff:68:7c:0e:6a:d5:77:81:01:36:92:3d:1e:8d:cc:
                    b7:1a:8d:72:d2:b6:3a:11:4b:4f:b7:fd:e1:59:40:
                    ab:1e:7d:4b:89:3e:61:b1:35:f2:e3:59:31:e1:ec:
                    87:ba:d1:48:cf:0e:69:ed:38:d8:ba:fc:ec:32:44:
                    d3:fc:da:8d:a9:7e:49:45:7a:77:b0:c2:19:ae:61:
                    5a:70:05:95:e7:69:21:af:20:ce:a3:8e:2a:18:57:
                    10:7e:ff:41:37:63:38:83:33:75:10:d7:c9:2b:a2:
                    c2:91:18:cb:8b:91:0a:1d:cb:c1:86:31:fb:9a:20:
                    b6:fc:2a:74:9e:e5:37:8d:fd:27:21:7a:bc:59:91:
                    d2:6d:80:70:7e:6d:ce:3d:3b:c1:c5:98:73:ef:cb:
                    59:6e:b2:09:e1:ca:09:1b:29:2d:9f:2f:2d:37:10:
                    5d:b8:de:30:86:9f:81:76:64:ae:04:d6:e8:bc:85:
                    d9:1a:e9:e7:26:b6:5a:25:04:0e:a9:56:68:d4:42:
                    57:60:93:92:77:8e:00:3c:28:35:ee:c9:c6:d6:4c:
                    3c:13:ff:3c:2c:46:20:7a:4e:42:e4:95:c1:43:e8:
                    d8:3f:ad
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
            X509v3 Subject Key Identifier:
                70:31:95:88:4E:E0:A4:68:5B:C2:18:1A:DC:D8:EB:A9:4B:85:2D:E0
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://secure.comodo.com/CPS
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com
            X509v3 Subject Alternative Name:
                DNS:*.nodejs.org, DNS:nodejs.org
    Signature Algorithm: sha256WithRSAEncryption
        59:ba:c0:76:35:ab:3e:3a:54:3b:28:94:98:f1:e9:48:26:85:
        93:39:b3:74:4a:e4:e9:02:dd:42:cd:c7:5e:97:72:f5:64:0f:
        1d:57:43:f5:f2:61:d6:fc:b0:49:ea:9e:a1:a8:8b:d7:41:de:
        67:79:4c:9e:8f:42:ec:5d:15:d7:e7:32:40:4c:ae:68:88:1e:
        fd:37:70:65:07:86:fd:cb:ec:86:5a:55:58:f6:4a:ce:1a:64:
        ea:ed:1f:f1:68:f4:73:ee:83:5f:b1:7f:9f:40:a4:59:c1:48:
        db:6a:55:e4:6a:96:36:90:ea:ad:e8:f9:cd:37:d9:8e:26:fb:
        c9:e6:43:c7:fc:55:12:0b:87:e1:cd:7f:19:9e:7e:a2:0b:28:
        7c:99:ab:a8:fc:0a:ba:cb:a8:79:90:b7:17:ca:8d:77:2e:10:
        25:0e:86:46:c8:95:99:43:22:da:cb:2d:a6:3e:90:40:a6:a8:
        d3:40:67:2c:4b:5b:9b:f1:bb:df:c0:cd:d0:4f:90:f0:2e:83:
        12:e6:65:d0:f8:87:1e:17:d9:6d:e8:b6:62:48:c7:6c:e7:e9:
        b3:ee:14:21:97:96:02:14:c3:58:bd:46:c5:9a:51:bc:e9:39:
        d7:21:e6:74:70:fd:c7:b3:fb:c2:f7:e6:52:ae:ef:76:2c:ab:
        eb:32:ea:21
```
7
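ekeyme OP @znlab, a very good hint, thank you.
The wget on my old server (OpenSSL 0.9.8e; SNI is only supported from 0.9.8f) does not support SNI, and at first I really thought SNI was the reason wget fails for me now. Later I ran the same wget https://sni.velox.ch/ on the new server as well; the result on both was that SNI is not supported. The wiki you linked also says that wget before 1.14 does not support SNI, so the wget on both servers does not support SNI; but going by the OpenSSL version information, OpenSSL 1.0.1e-fips 11 Feb 2013 on the new server does support SNI. So the question now is: is the problem in my original post caused by the interplay between whether wget supports SNI and whether OpenSSL supports SNI? Then again, it doesn't really feel like an SNI problem. Could there be other directions to look at? Just a pointer would be enough. Thank you very much!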
8
zealot0630 2015-12-30 18:52:25 +08:00
9
zealot0630 2015-12-30 18:52:49 +08:00
It could also be that openssl does not support X509v3 Subject Alternative Name.
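The CN-versus-SAN mismatch that replies 2 and 9 point to, as an added example (not part of the thread, and not wget's or OpenSSL's code): it parses the two name fields from the certificate dump in reply 6 and compares a hypothetical CN-only host name check with a SAN-aware one. The function names and the simplified wildcard rule are assumptions made for illustration.

```python
import re

# Constructed excerpt: the two name fields from the `openssl x509 -text`
# output posted in the thread.
CERT_TEXT = """\
        Subject: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.nodejs.org
            X509v3 Subject Alternative Name:
                DNS:*.nodejs.org, DNS:nodejs.org
"""

def parse_names(text):
    """Return (subject CN, list of SAN dNSName entries) from x509 -text output."""
    cn = re.search(r"Subject:.*?CN\s*=\s*([^,/\n]+)", text)
    san = re.search(r"X509v3 Subject Alternative Name:(?:\s*critical)?\s*(.+)", text)
    dns = re.findall(r"DNS:([^,\s]+)", san.group(1)) if san else []
    return (cn.group(1).strip() if cn else None), dns

def matches(pattern, host):
    """Simplified RFC 6125 matching: '*' must be the entire left-most label
    and stands for exactly one label, so *.nodejs.org never covers nodejs.org."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def verify_cn_only(cn, sans, host):
    """Hypothetical legacy client: compares the host with the CN and ignores SAN."""
    return cn is not None and matches(cn, host)

def verify_san_aware(cn, sans, host):
    """SAN-aware client: dNSName entries decide; CN is used only if there are none."""
    if sans:
        return any(matches(name, host) for name in sans)
    return cn is not None and matches(cn, host)

if __name__ == "__main__":
    cn, sans = parse_names(CERT_TEXT)
    for host in ("nodejs.org", "www.nodejs.org", "a.b.nodejs.org"):
        print(host, "cn-only:", verify_cn_only(cn, sans, host),
              "san-aware:", verify_san_aware(cn, sans, host))
```

For nodejs.org the CN-only check fails in the way the wget 1.11.4 error message describes, while the SAN-aware check accepts the host through the DNS:nodejs.org entry.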