不带-CApath的OpenSSL用于APN_Openssl_Apn

不带-CApath的OpenSSL用于APN

openssl

不带-CApath的OpenSSL用于APN,openssl,apn,Openssl,Apn,我正在尝试验证我的.pem证书，并连接到苹果的APN网关，看看它是否工作正常。然而，当我跑的时候 $ openssl s_client -connect gateway.push.apple.com:2195 -cert data/certs/production.pem -debug -showcerts 我得到一个类似这样的错误： error 20 at 0 depth lookup:unable to get local issuer certificate 我的OpenSSL目录位于

我正在尝试验证我的.pem证书，并连接到苹果的APN网关，看看它是否工作正常。然而，当我跑的时候

$ openssl s_client -connect gateway.push.apple.com:2195 -cert data/certs/production.pem -debug -showcerts

我得到一个类似这样的错误：

error 20 at 0 depth lookup:unable to get local issuer certificate

我的OpenSSL目录位于此处：

$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

因此，当我在命令行（-CApath）中显式地指向目录时，它似乎突然开始工作：

$ openssl s_client -connect gateway.push.apple.com:2195 -cert data/certs/production.pem -debug -showcerts -CApath /usr/lib/ssl/certs/
Verify return code: 0 (ok)

我试过运行

c\u rehash/usr/lib/ssl/certs

，但没有改变任何东西。我做错了什么？我希望每次运行时都不要指向-CApath，因为我怀疑这就是为什么推送通知没有被发送的原因

您缺少根证书，可以使用

-CAfile

指定它。指定

CAfile

后，链将进行验证

但是，在修复根证书问题后，您将遇到握手警报。我相信这是由于我没有客户证书而导致的。下面，0x14094410是OpenSSL错误，SSL错误（来自TLS协议）只是

SSL警报编号40

。警报40是握手警报，没有其他信息

首先

确定所需的根目录：

$ openssl s_client -connect gateway.push.apple.com:2195
CONNECTED(00000003)
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
140633516213928:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140633516213928:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.push.apple.com
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)

因此，您需要委托.net证书颁发机构（2048）。你可以从下载。它被命名为

Truste\u 2048\u ca.cer

，似乎是PEM格式

秒

现在，再次运行

oepnssl s_客户端

，但这次使用

-CAfile-trust\u 2048\u ca.cer

。请注意，它以一个

验证返回代码0（确定）

完成：

$ openssl s_client -connect gateway.push.apple.com:2195
CONNECTED(00000003)
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
140633516213928:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140633516213928:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.push.apple.com
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)

$ openssl s_client -tls1 -connect gateway.push.apple.com:2195 -CAfile entrust_2048_ca.cer
CONNECTED(00000003)
depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048)
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C
verify return:1
depth=0 C = US, ST = California, L = Cupertino, O = Apple Inc., OU = iTMS Engineering, CN = gateway.push.apple.com
verify return:1
139719745095336:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
139719745095336:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
Certificate chain
 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.push.apple.com
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFEzCCA/ugAwIBAgIETBzSBzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
KGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMjA1MDMxODIyMjhaFw0xNDA1MzEw
OTI5MDZaMIGHMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAG
A1UEBxMJQ3VwZXJ0aW5vMRMwEQYDVQQKEwpBcHBsZSBJbmMuMRkwFwYDVQQLExBp
VE1TIEVuZ2luZWVyaW5nMR8wHQYDVQQDExZnYXRld2F5LnB1c2guYXBwbGUuY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt4u3gyk9GeQGIH7pmYSA
604LxMLvaUZkgeXOLRzH/48LZgPD5megHhsvjj6du2xzOQKb7iCVYF4HnHf3k00R
3iXtvEmqRU87uw8K2LPu9ZfoNcJpu2e45eF27dXjvjCmvlMDsPxFBer9nAex3P4o
mGCld73SfcZuIB3bQ6BFTIM6je+0nNwP9yuSF4XjOrOx+1+ifgGwyl9T/qa1TYWW
K/LmObAmpbBYwklu33NVOR4BBrZ+GAdj1irdZqh3s3R+b/ANaAAbx2YYrScnIP15
OG7oYNKO3zzIQ0KaBjJjv30j5dXFQaIiphUWhuhQ3rRMmG7xV5UWVqHMriMLD4bS
PQIDAQABo4IBWTCCAVUwCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1c3Qu
bmV0L2xldmVsMWMuY3JsMGUGCCsGAQUFBwEBBFkwVzAjBggrBgEFBQcwAYYXaHR0
cDovL29jc3AuZW50cnVzdC5uZXQwMAYIKwYBBQUHMAKGJGh0dHA6Ly9haWEuZW50
cnVzdC5uZXQvbDFjLWNoYWluLmNlcjBABgNVHSAEOTA3MDUGCSqGSIb2fQdLAjAo
MCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L3JwYTAfBgNVHSME
GDAWgBQe8auJBvhJDwEzd+4Ueu4ZfJMoTTAdBgNVHQ4EFgQULkkf+RyRucrBgaw2
Iu+V+aUctU4wCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOCAQEAPSQnfPByAF+Y
ML2kwujhbKMZw81oF3HGkdSG756Jt5cqiBJB+KS+4ZThpTgAr9EytfHtl4NPoBwZ
I0a2gLvmO2HNe5OqVSdOqyPCCFN0aBZTYwLVHM3HmoUbPn+Zh19g7Me4AC69IR9i
RoJmzSkagR+Z7z7veiSzfeUHaGa0YUsyc7iMerF1rFfYJvXFVp4D1gA672nTzctZ
0e0yItFXJrN6FL/K+NKCk/O3HCn95oVEPtnEWF2Qm91AZKoCYV1u3VzWtlZsyjQL
wqfQNpr+VUe1SQ1DInr2enCQrCBnH7R3JVscj91cfEiH1SydpRrNFICT40nphEWK
higEADTWUQ==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
No client certificate CA names sent
---
SSL handshake has read 2675 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 53E341FB8A63D8F2BDB1DA4B750116C6...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1398721822
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)