Nginx-ru mailing list archive (nginx-ru@sysoev.ru)
Re: wget + nginx + ssl
On Fri, Sep 11, 2009 at 10:52:00AM +0300, Mihails wrote:
> Using "ssl_client_certificate ca.crt" and the command "wget -d
> --no-check-certificate --certificate=./client.crt
> --private-key=./client.key https://192.168.1.210", the connection
> is established, but it returns an error:
>
> ---request begin---
> GET / HTTP/1.0
> User-Agent: Wget/1.11.4
> Accept: */*
> Host: 192.168.1.210
> Connection: Keep-Alive
>
> ---request end---
> HTTP request sent, awaiting response...
> ---response begin---
> HTTP/1.1 400 Bad Request
> Server: nginx/0.7.61
> Date: Fri, 11 Sep 2009 07:46:39 GMT
> Content-Type: text/html
> Content-Length: 231
> Connection: close
>
> ---response end---
> 400 Bad Request
> Closed 3/SSL 0x08976f28
> 2009-09-11 10:46:39 ERROR 400: Bad Request.
>
> The log file says:
> 2009/09/11 10:46:27 [info] 2288#3484: *100 client SSL certificate verify
> error: (7:certificate signature failure) while reading client request
> headers, client: 192.168.1.211, server: 192.168.1.210, request: "GET /
> HTTP/1.0", host: "192.168.1.210"
> 2009/09/11 10:46:39 [info] 2288#3484: *101 client SSL certificate verify
> error: (7:certificate signature failure) while reading client request
> headers, client: 192.168.1.211, server: 192.168.1.210, request: "GET /
> HTTP/1.0", host: "192.168.1.210"
>
> After that I set ssl_client_certificate back to client.crt in the
> config and ran the same wget command. This time it connected
> successfully and downloaded the file:
>
> ---request begin---
> GET / HTTP/1.0
> User-Agent: Wget/1.11.4
> Accept: */*
> Host: 192.168.1.210
> Connection: Keep-Alive
>
> ---request end---
> HTTP request sent, awaiting response...
> ---response begin---
> HTTP/1.1 200 OK
> Server: nginx/0.7.61
> Date: Fri, 11 Sep 2009 07:50:44 GMT
> Content-Type: text/html
> Content-Length: 151
> Last-Modified: Wed, 30 Aug 2006 11:39:18 GMT
> Connection: keep-alive
> Accept-Ranges: bytes
>
> ---response end---
> 200 OK
> Registered socket 3 for persistent reuse.
> Length: 151 [text/html]
> Saving to: `index.html'
In --certificate= you must specify the certificate issued to the client.
In ssl_client_certificate you must specify the certificate that signed
that client certificate. These are different certificates.
> Igor Sysoev wrote:
> >On Thu, Sep 10, 2009 at 11:02:04AM +0300, Mihails wrote:
> >
> >
> >>I run: " wget -d --certificate=/home/client.crt
> >>https://192.168.1.210"
> >>Connecting to 192.168.1.210|192.168.1.210|:443... connected.
> >>Created socket 3.
> >>Releasing 0x09456c98 (new refcount 1).
> >>Initiating SSL handshake.
> >>SSL handshake failed.
> >>OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
> >>handshake failure
> >>Closed fd 3
> >>Unable to establish SSL connection.
> >>After which I came to the conclusion that wget
> >>does not establish the connection.
> >>
> >
> >What is in the nginx error_log at the info level?
> >
> >- ssl_client_certificate client.crt;
> >+ ssl_client_certificate ca.crt;
> >
> >With this set of certificates, wget connected for me only in this case:
> >
> >wget -d --no-check-certificate
> > --certificate=client.crt
> > --private-key=client.key
> >
> >For
> >
> >wget -d --ca-certificate=ca.crt
> > --certificate=client.crt
> > --private-key=client.key
> >
> >The output was
> >
> >Initiating SSL handshake.
> >Handshake successful; connected socket 3 to SSL handle 0x0808fa00
> >certificate:
> > subject: ...
> > issuer: ...
> >ERROR: Certificate verification error for t42: self signed certificate
> >To connect to localhost insecurely, use `--no-check-certificate'.
> >Closed 3/SSL 0x808fa00
> >Unable to establish SSL connection.
--
Игорь Сысоев
http://sysoev.ru
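The distinction Igor draws above (the client presents its own certificate; nginx's ssl_client_certificate must hold the certificate of the CA that signed it) can be checked offline with the openssl CLI before touching the server. The script below is an added example, not part of this thread or of nginx: it builds a throwaway CA, a CA-signed client certificate and an unrelated self-signed certificate, then runs the same chain check nginx performs (openssl verify -CAfile) for each pairing. The "certificate signature failure" in the log corresponds to the "reject" rows. File names mirror the thread but are constructed here; the only assumption is that the openssl binary is installed.

```shell
#!/bin/sh
# Added example (not from the mailing list or the nginx project).
# Demonstrates which (trust anchor, client cert) pairs pass verification,
# i.e. which ssl_client_certificate value would accept which --certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. CA key and self-signed CA certificate.
#    nginx side:  ssl_client_certificate ca.crt;  ssl_verify_client on;
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Client key + CSR, signed by the CA.
#    wget side:  --certificate=client.crt --private-key=client.key
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/client.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/client.crt" 2>/dev/null

# 3. A self-signed "client" certificate that no CA vouches for
#    (constructed to reproduce the mismatch seen in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=lonely-client" \
  -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" 2>/dev/null

# verify_client TRUST_ANCHOR CLIENT_CERT -> prints "accept" or "reject".
# This is the check nginx applies to the certificate the client presents,
# with TRUST_ANCHOR playing the role of the ssl_client_certificate file.
verify_client() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# Stand-alone run: show the full matrix.
for anchor in ca.crt selfsigned.crt; do
  for cert in client.crt selfsigned.crt; do
    printf 'ssl_client_certificate %-15s --certificate=%-15s %s\n' \
      "$anchor" "$cert" "$(verify_client "$WORK/$anchor" "$WORK/$cert")"
  done
done
```

Only the pairing where the trust anchor is the issuer of the presented certificate is accepted; a self-signed certificate verifies only against itself, which is why pointing ssl_client_certificate at client.crt "worked" in the thread while the real CA file did not: the client certificate had not been signed by that CA.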