Openssl SSL错误证书使用者名称与github.com的目标主机不匹配_Openssl

Openssl SSL错误证书使用者名称与github.com的目标主机不匹配

openssl

Openssl SSL错误证书使用者名称与github.com的目标主机不匹配,openssl,Openssl,我正在尝试使用git fetch访问github的存储库，但出现以下错误： error: SSL: certificate subject name (*.opendns.com) does not match target host name 'github.com' while accessing https://github.com/<repo name> 任何帮助都将不胜感激更新日期：2014年5月1日：最后更新Ubuntu来解决这个问题。从某个地方读到，这是最安全的解

我正在尝试使用git fetch访问github的存储库，但出现以下错误：

error: SSL: certificate subject name (*.opendns.com) does not match target host name 'github.com' while accessing https://github.com/<repo name>

任何帮助都将不胜感激

更新日期：2014年5月1日：

最后更新Ubuntu来解决这个问题。从某个地方读到，这是最安全的解决方案，因为我的本地计算机和Github的服务器将尽可能相互更新。

这可能更像是一个注释，但它不适合注释块。要测试SSL/TLS连接，请执行以下操作：

openssl s_client -connect github.com:443 -tls1 -servername github.com
        -CAfile DigiCert-CA.pem -ign_eof

首先，转到并下载“DigiCert SHA2扩展验证服务器CA”。文件名为

DigiCertSHA2ExtendedValidationServerCA.crt

其次，将DER转换为PEM：

$ openssl x509 -inform DER -in DigiCertSHA2ExtendedValidationServerCA.crt
          -outform PEM -out DigiCert-CA.pem

第三，使用OpenSSL的

s_客户端

验证连接：

openssl s_client -connect github.com:443 -tls1 -servername github.com
        -CAfile DigiCert-CA.pem -ign_eof

需要注意的是最后的验证结果：

Verify return code: 0 (ok)

我接到一个坏请求。我怀疑这是因为我需要根文档。你应该插入你的具体细节

最后，验证主机名。1.0.2之前的OpenSSL不执行主机名验证，因此您可以跳过额外的障碍：

$ openssl s_client -connect github.com:443 -tls1 -servername github.com
          -CAfile DigiCert-CA.pem | openssl x509 -noout -text | grep "DNS:"
...
    DNS:github.com, DNS:www.github.com

据我所知，从我的世界观来看，SSL/TLS部分没有问题。问题似乎出在

git

上

您可以使用

nslookup

检查DNS，但我不确定您是否会发现任何有用的内容：

$ nslookup
> set q=a
> github.com
Server:     172.16.1.10
Address:    172.16.1.10#53

Non-authoritative answer:
Name:   github.com
Address: 192.30.252.129

$echo“GET/HTTP/1.0\r\n”| openssl s_客户端-connect github.com:443-tls1-servername github.com-CAfile DigiCert-CA.pem-ign_eof
已连接（00000003）
深度=2 C=US，O=DigiCert Inc，OU=www.DigiCert.com，CN=DigiCert高保证EV根CA
验证返回：1
深度=1 C=US，O=DigiCert Inc，OU=www.DigiCert.com，CN=DigiCert SHA2扩展验证服务器CA
验证返回：1
深度= 0商业类别=私人组织，1.3.61.4.1.31.60.2.1.3＝美国，1.3.61.4.1.31.60.0.1.2 1.2＝特拉华，序列号＝5157550，街道＝548，第四街，邮编＝94107，C=美国，ST＝加利福尼亚，L＝旧金山，O＝“GITHUB，Inc.”，CN＝GITHUB.com。
验证返回：1
---
证书链
0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub，Inc./CN=GitHub.com
i:/C=US/O=DigiCert Inc/OU=www.DigiCert.com/CN=DigiCert SHA2扩展验证服务器CA
1 s:/C=US/O=DigiCert Inc/OU=www.DigiCert.com/CN=DigiCert SHA2扩展验证服务器CA
i:/C=US/O=DigiCert Inc/OU=www.DigiCert.com/CN=DigiCert高保证EV根CA
---
服务器证书
-----开始证书-----
MIIF4DCBMIGGAWIBAGIQDACTENIG2+M3VTWAEY3chzANBgkqhkiG9w0BAQsFADB1
MQSWCQYDVQGEWJVUZEVMBMGA1ECHMMRGLNAUNLCNQGSW5JMRKWFWYDVQLEXB3
D3CUZGLNAWNLCNQUY29TMTQMGYDVQDEYTEAWPQ2VYDCBTSEYIEV4DGVUZGVK
IFZHBGLKYXRPB24GU2VYDMVYIENB4XDTE0MDQWODAWMDAWMFOXDTE2MDQXMJEY
MDAWMFOWGFAXHTABBGNVBA8MFBYAXZHDGUGT3JNYW5PEMF0AW9UMRMWEQYLKWYB
BAGCNZWCAQMTALVTMRKWFWYLKWYBBAGCNZWCAQITCERLBF3YXJLMRAWDGYDVQQF
EWC1MTU3NTUWMRCWFQYDVQJEW41NDGGNHROIFN0CMVLDDEOMAWGA1UERMFOTQX
MDCxCzajbgNVBaytalVTMRMweqydvqqqewpdywxPzm9YBMlHmrywfaydvqhew1T
YW4GRNJHBMNPC2NVMRUWEWYDVQKEWXHAXRIDWISIELUY4XZEZARBGNVBAMTCMDP
DGH1YI5JB20WGGEIMA0GCSQGSIB3DQEBAQAA4IBDWAWGGEKAOIBAQCX1NW8R/3z
Tu3BZ63myyLot+KRKPL33GJWCNEMR9YWAIGWNKXDTZJBK6/6iBRlWVm8r+5TaQM
Kev1FbHoNbNwEJTVG1m0Jg/Wg1dZneF8Cd3gE8pNb0Obzc+HOhWnhd1mg+2TDP4r
BTGCEYIQZ61YGC1R0CKJ8KEMBZGJJJmLY4OUH+rgo7XZe5trD0P5yu6ADSin
dvEl9ME1PPZ0rd5qM4J73P1LdqfC7vJqv6kkpl/nLnwO28N0c/p+xtjPYOs2ViG2
wYq4JIJNeCS66R2hiqeHvmYlab++O3JuT+DkhSUIsZGJuNZ0ZXabLE9iH6H6Or6c
JL+FYRDFWGENAGMBAAGGGHUMIB6JAFBGNVHSMEGDAWGBQ901CL1QCT7VNKYAPL
0yHU+PJWDZADBGNVHQ4EFGQUAKOQFTUYFHJSLTQKAPD+FF+06YwJQYDVR0RBB4w
HIIKZ2L0AHVILLMNVBYIOD3LMDPDGH1YI5JB20WDGYDVR0PAQH/BAQDAGGWGMB0G
A1UDJQQWMBQGCCSGAQUFBWMBBGGRBGEFBQCDAJB1BGNVHR8EBJBSMDSGMQAWI5O
DHRWOI8VY3JSMY5KAWDPY2VYDC5JB20VC2HHMI1LDIZXJ2ZXITZEUY3JSMDSG
MQAWHI5ODHRWOI8VY3JSNC5KAWDPY2VYDC5JB20VC2HHMI1LDI1ZZXJ2ZXITZEU
Y3JSMeiga1UIQ7MDKWWWYJYZIAYB9BAIBMCOWKAYKYKWYBBQUHAGEWHGH0DHBZ
OI8VD3D3LMRPZ2LJZXJ0LMNVBS9DUFMWGYGCCSGAQUFBWEBHWWEJAKBGGRBGEF
BQCWAYYYAHR0CDOVL29JC3UZGLNAWNLCNQUY29TMFIGCCSGAQUFBZACHKZODHRW
OI8VY2FJZXJ0CY5KAWDPY2VYDC5JB20VRGLNAULCNRTSEYRXH0ZW5KZWRWWXP
ZGF0AW9UU2VYDMVYQ0EUY3J0MAWGA1UDEWB/WQCMAAWQYJKOZHIHVCNAQELBQAD
ggEBAG/nbcuC8++QhwnXDxUiLIz+06scipbbXRJd0XjAMbD/RciJ9wiYUhcfTEsg
ZGpt21DXEL5+q/4vgNipSlhBaYFyGQiDm5IQTmIte0ZwQ26jUxMf4pOmI1v3kj43
FHU7UUSKQS6LPUGND5NQHKKXXV6 V2QTHMSSRA9YNQMEK93GA2RWDPK21MUKGLVIT
PB5sPdE7IzprOCp+Ynpf3RcFddAkXb6NqJoQRPrStMrv19C1dqUmJRwIQdhkkqev
FF6IQDLHC8BIMKMCNK33CEYDFDROTW7JNGBVBTWW8JO1GYUG8SBGZ6BZ3K8OV8
XX4C2NesiZcLYbc2n7B9O+63M2k=
-----结束证书-----
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548第四街/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub，Inc./CN=GitHub.com
issuer=/C=US/O=DigiCert Inc/OU=www.DigiCert.com/CN=DigiCert SHA2扩展验证服务器CA
---
未发送客户端证书CA名称
---
SSL握手读取3243字节，写入379字节
---
新的TLSv1/SSLv3密码是ECDHE-RSA-AES128-SHA
服务器公钥为2048位
支持安全的重新协商
压缩：无
扩展：无
SSL会话：
协议：TLSv1
密码：ECDHE-RSA-AES128-SHA
会话ID:9364E0346A77ABA5087FEEDA3C59443B1C672B6F553B7183B9F48C2D3DE34CB
会话ID ctx:
主钥匙：8B055C9CED9F517F7F3B1B49A4B517D478532503B3BB254BE4F11A2BD6445BE144115797450604C6D6f16lang1024 D169AA030
键Arg：无
PSK身份：无
PSK标识提示：无
SRP用户名：无
开始时间：1398213115
超时：7200（秒）
验证返回代码：0（正常）
---
HTTP/1.0 400错误请求
缓存控制：没有缓存
连接：关闭
内容类型：text/html
400错误请求
您的浏览器发送了无效的请求。
关闭
$ echo "GET / HTTP/1.0\r\n" | openssl s_client -connect github.com:443 -tls1 -servername github.com -CAfile DigiCert-CA.pem -ign_eof
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 5157550, street = 548 4th Street, postalCode = 94107, C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
verify return:1
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF4DCCBMigAwIBAgIQDACTENIG2+M3VTWAEY3chzANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE0MDQwODAwMDAwMFoXDTE2MDQxMjEy
MDAwMFowgfAxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
Ewc1MTU3NTUwMRcwFQYDVQQJEw41NDggNHRoIFN0cmVldDEOMAwGA1UEERMFOTQx
MDcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xEzARBgNVBAMTCmdp
dGh1Yi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCx1Nw8r/3z
Tu3BZ63myyLot+KrKPL33GJwCNEMr9YWaiGwNksXDTZjBK6/6iBRlWVm8r+5TaQM
Kev1FbHoNbNwEJTVG1m0Jg/Wg1dZneF8Cd3gE8pNb0Obzc+HOhWnhd1mg+2TDP4r
bTgceYiQz61YGC1R0cKj8keMbzgJubjvTJMLy4OUh+rgo7XZe5trD0P5yu6ADSin
dvEl9ME1PPZ0rd5qM4J73P1LdqfC7vJqv6kkpl/nLnwO28N0c/p+xtjPYOs2ViG2
wYq4JIJNeCS66R2hiqeHvmYlab++O3JuT+DkhSUIsZGJuNZ0ZXabLE9iH6H6Or6c
JL+fyrDFwGeNAgMBAAGjggHuMIIB6jAfBgNVHSMEGDAWgBQ901Cl1qCt7vNKYApl
0yHU+PjWDzAdBgNVHQ4EFgQUakOQfTuYFHJSlTqqKApD+FF+06YwJQYDVR0RBB4w
HIIKZ2l0aHViLmNvbYIOd3d3LmdpdGh1Yi5jb20wDgYDVR0PAQH/BAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5o
dHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1ldi1zZXJ2ZXItZzEuY3JsMDSg
MqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1ldi1zZXJ2ZXItZzEu
Y3JsMEIGA1UdIAQ7MDkwNwYJYIZIAYb9bAIBMCowKAYIKwYBBQUHAgEWHGh0dHBz
Oi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwgYgGCCsGAQUFBwEBBHwwejAkBggrBgEF
BQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFIGCCsGAQUFBzAChkZodHRw
Oi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEyRXh0ZW5kZWRWYWxp
ZGF0aW9uU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQAD
ggEBAG/nbcuC8++QhwnXDxUiLIz+06scipbbXRJd0XjAMbD/RciJ9wiYUhcfTEsg
ZGpt21DXEL5+q/4vgNipSlhBaYFyGQiDm5IQTmIte0ZwQ26jUxMf4pOmI1v3kj43
FHU7uUskQS6lPUgND5nqHkKXxv6V2qtHmssrA9YNQMEK93ga2rWDpK21mUkgLviT
PB5sPdE7IzprOCp+Ynpf3RcFddAkXb6NqJoQRPrStMrv19C1dqUmJRwIQdhkkqev
ff6IQDlhC8BIMKmCNK33cEYDfDWROtW7JNgBvBTwww8jO1gyug8SbGZ6bZ3k8OV8
XX4C2NesiZcLYbc2n7B9O+63M2k=
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3243 bytes and written 379 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 9364E0346A77ABA5087FEEDA3C59443B1C672B6F553AB7183B9F48C2D3DE34CB
    Session-ID-ctx: 
    Master-Key: 8B055C9CED9F517F7F3B1B49A4B517D478532503B3BB254BE4F11A2BD6445BE14444115797450604C6D6F17D169AA030
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1398213115
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
HTTP/1.0 400 Bad request
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.
</body></html>
closed

#OpenDNS
nameserver 208.67.222.222
nameserver 208.67.220.220

#Google
nameserver 8.8.8.8
nameserver 8.8.4.4

$ wget -d https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
--2014-04-24 10:57:05--  https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
Resolving www.digicert.com (www.digicert.com)... ::ffff:67.215.65.132, 64.78.193.234
Caching www.digicert.com => ::ffff:67.215.65.132 64.78.193.234
Connecting to www.digicert.com (www.digicert.com)|::ffff:67.215.65.132|:443... connected.
Created socket 3.
Releasing 0x099f77d8 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x099f7968
certificate:
  subject: /C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
  issuer:  /C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
ERROR: no certificate subject alternative name matches
    requested host name `www.digicert.com'.
To connect to www.digicert.com insecurely, use `--no-check-certificate'.
Closed 3/SSL 0x099f7968

$ sudo resolvconf -d eth0.inet

$ sudo vim /etc/resolvconf/resolv.conf.d/base

nameserver 8.8.8.8

$ sudo resolvconf -u

$ cat /etc/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 8.8.8.8

(CURLOPT_SSL_VERIFYPEER => 0, CURLOPT_SSL_VERIFYHOST => 0,)

echo | openssl s_client -connect server:port 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /path/to/certs

echo | openssl s_client -connect pigeon@github.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/ssl/certs/ca-certificates.crt

update-ca-certificates

git remote set-url origin https://bitbucket.org/scm/test/some-application.git