OpenSSL SSL error: certificate subject name does not match target host name for github.com
I am trying to access a GitHub repository with git fetch, but I get the following error:
error: SSL: certificate subject name (*.opendns.com) does not match target host name 'github.com' while accessing https://github.com/<repo name>
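Any help would be appreciated.
Update, May 1, 2014:
I finally updated Ubuntu to solve this problem. I read somewhere that this is the safest solution, since my local machine and GitHub's servers will be as up to date with each other as possible.
This is probably more of a comment, but it won't fit in a comment block. To test the SSL/TLS connection, do the following:
openssl s_client -connect github.com:443 -tls1 -servername github.com \
    -CAfile DigiCert-CA.pem -ign_eof
First, go to and download "DigiCert SHA2 Extended Validation Server CA". The file is named DigiCertSHA2ExtendedValidationServerCA.crt.
Second, convert DER to PEM:
$ openssl x509 -inform DER -in DigiCertSHA2ExtendedValidationServerCA.crt \
    -outform PEM -out DigiCert-CA.pem
Third, verify the connection with OpenSSL's s_client:
openssl s_client -connect github.com:443 -tls1 -servername github.com \
    -CAfile DigiCert-CA.pem -ign_eof
Note the verification result at the end: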
Verify return code: 0 (ok)
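I am getting a Bad Request. I suspect that is because I am asking for the root document. You should plug in your own specifics.
Finally, verify the host name. OpenSSL prior to 1.0.2 does not perform host name verification, so you have to jump through an extra hoop:
$ openssl s_client -connect github.com:443 -tls1 -servername github.com \
    -CAfile DigiCert-CA.pem | openssl x509 -noout -text | grep "DNS:"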
...
DNS:github.com, DNS:www.github.com
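As far as I can tell, from my view of the world, there is nothing wrong with the SSL/TLS part. The problem appears to be with git.
You can check DNS with nslookup, but I'm not sure you will find anything useful: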
$ nslookup
> set q=a
> github.com
Server: 172.16.1.10
Address: 172.16.1.10#53
Non-authoritative answer:
Name: github.com
Address: 192.30.252.129
$ echo "GET / HTTP/1.0\r\n" | openssl s_client -connect github.com:443 -tls1 -servername github.com -CAfile DigiCert-CA.pem -ign_eof
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 5157550, street = 548 4th Street, postalCode = 94107, C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
verify return:1
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3243 bytes and written 379 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 9364E0346A77ABA5087FEEDA3C59443B1C672B6F553AB7183B9F48C2D3DE34CB
    Session-ID-ctx:
    Master-Key: 8B055C9CED9F517F7F3B1B49A4B517D478532503B3BB254BE4F11A2BD6445BE14444115797450604C6D6F17D169AA030
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1398213115
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
HTTP/1.0 400 Bad request
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.
</body></html>
closed
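The host name check from the answer above, as an added example that is not part of the original answer: instead of reading the grep "DNS:" output by eye, a POSIX shell function applies the exact-match and single-label wildcard rules to those entries. The function names san_matches and check_host are made up here, and the SAN line for the *.opendns.com certificate is a constructed sample.

```shell
#!/bin/sh
# Added example: is a host name covered by the "DNS:" entries printed by
# `openssl x509 -noout -text`? Names and sample strings are constructed.

# san_matches HOST "DNS:a, DNS:b" -> exit status 0 if HOST is covered.
san_matches() (
    set -f                                  # keep "*" in names from globbing
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    # One lower-cased DNS name per line.
    names=$(printf '%s\n' "$2" | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\)[[:space:]]*$/\1/p' |
        tr '[:upper:]' '[:lower:]')
    for name in $names; do
        [ "$name" = "$host" ] && exit 0     # exact match
        case $name in
        '*.'?*)                             # wildcard as the whole leftmost label
            suffix=${name#?}                # "*.example.com" -> ".example.com"
            left=${host%"$suffix"}          # what precedes the suffix in HOST
            case $left in
            "$host" | '' | *.*) ;;          # suffix absent, empty, or >1 label
            *) exit 0 ;;                    # exactly one label: covered
            esac
            ;;
        esac
    done
    exit 1
)

# check_host HOST: reads certificate text on stdin, for example
#   openssl s_client -connect HOST:443 -servername HOST </dev/null |
#       openssl x509 -noout -text | check_host HOST
check_host() (
    sans=$(grep 'DNS:' || true)
    if san_matches "$1" "$sans"; then
        echo "OK: certificate covers $1"
    else
        echo "MISMATCH: certificate does not cover $1"
        exit 1
    fi
)

# Constructed samples: the SAN line shown in the answer, then an assumed SAN
# line for a *.opendns.com certificate like the one in the error message.
printf '    DNS:github.com, DNS:www.github.com\n' | check_host github.com
printf '    DNS:*.opendns.com, DNS:opendns.com\n' | check_host github.com || true
```

A MISMATCH for a name that resolves correctly elsewhere points at the network path (resolver or proxy) rather than at the local CA store.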
#OpenDNS
nameserver 208.67.222.222
nameserver 208.67.220.220
#Google
nameserver 8.8.8.8
nameserver 8.8.4.4
$ wget -d https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
DEBUG output created by Wget 1.13.4 on linux-gnu.
URI encoding = `UTF-8'
--2014-04-24 10:57:05-- https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
Resolving www.digicert.com (www.digicert.com)... ::ffff:67.215.65.132, 64.78.193.234
Caching www.digicert.com => ::ffff:67.215.65.132 64.78.193.234
Connecting to www.digicert.com (www.digicert.com)|::ffff:67.215.65.132|:443... connected.
Created socket 3.
Releasing 0x099f77d8 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x099f7968
certificate:
subject: /C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
issuer: /C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
ERROR: no certificate subject alternative name matches
requested host name `www.digicert.com'.
To connect to www.digicert.com insecurely, use `--no-check-certificate'.
Closed 3/SSL 0x099f7968
$ sudo resolvconf -d eth0.inet
$ sudo vim /etc/resolvconf/resolv.conf.d/base
nameserver 8.8.8.8
$ sudo resolvconf -u
$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 8.8.8.8
(CURLOPT_SSL_VERIFYPEER => 0, CURLOPT_SSL_VERIFYHOST => 0,)
echo | openssl s_client -connect server:port 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /path/to/certs
echo | openssl s_client -connect pigeon@github.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/ssl/certs/ca-certificates.crt
update-ca-certificates
git remote set-url origin https://bitbucket.org/scm/test/some-application.git