Lexa Software: Nginx-ru@sysoev.ru archive

		Apache-Talk @lexa.ru
		Inet-Admins @info.east.ru
		Filmscanners @halftone.co.uk
		Security-alerts @yandex-team.ru
		nginx-ru @sysoev.ru

СТАТЬИ

ПЕРСОНАЛЬНОЕ

ПРОГРАММЫ

ПИШИТЕ
ПИСЬМА

АРХИВ :: nginx-ru

Nginx-ru mailing list archive (nginx-ru@sysoev.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: wget + nginx + ssl

To: nginx-ru@xxxxxxxxx
Subject: Re: wget + nginx + ssl
From: Mihails <mixei@xxxxxxxx>
Date: Fri, 11 Sep 2009 17:25:30 +0300
In-reply-to: <20090911095723.GE72906@xxxxxxxxxxxxx>
References: <1252508100.4aa7c1c48d9f2@xxxxxxxxxxxxx> <4AA8A69F.1050604@xxxxxxxxxx> <1252569724.4aa8b27c5298a@xxxxxxxxxxxxx> <20090910134746.GG32992@xxxxxxxxxxxxx> <4AAA01A0.60403@xxxxxxxx> <20090911085829.GC72906@xxxxxxxxxxxxx> <4AAA1C67.9090006@xxxxxxxx> <20090911095723.GE72906@xxxxxxxxxxxxx>

Ok,так и сделаю. Спасибо за помощь!

Igor Sysoev wrote:

On Fri, Sep 11, 2009 at 12:46:15PM +0300, Mihails wrote:

Я согласен,только почему такой вариант сработал ?


Не знаю, я воспроизвёл описанную процедуру создания сертификатов
и получил описанные ниже результаты с wget. Я бы рекомендовал повторить
процедуру создания сертификата, причё написав всё в виде Makefile
для вопроизводимости.

Igor Sysoev wrote:

On Fri, Sep 11, 2009 at 10:52:00AM +0300, Mihails wrote:

С использованием : "ssl_client_certificate ca.crt" и команды "wget -d--no-check-certificate --certificate=./client.crt--private-key=./client.key https://192.168.1.210"; ,соединениепроисходит,но выдает ошибку :
---request begin---
GET / HTTP/1.0
User-Agent: Wget/1.11.4
Accept: */*
Host: 192.168.1.210
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 400 Bad Request
Server: nginx/0.7.61
Date: Fri, 11 Sep 2009 07:46:39 GMT
Content-Type: text/html
Content-Length: 231
Connection: close

---response end---
400 Bad Request
Closed 3/SSL 0x08976f28
2009-09-11 10:46:39 ERROR 400: Bad Request.

Лог фаил пишет :
2009/09/11 10:46:27 [info] 2288#3484: *100 client SSL certificate verifyerror: (7:certificate signature failure) while reading client requestheaders, client: 192.168.1.211, server: 192.168.1.210, request: "GET /HTTP/1.0", host: "192.168.1.210"2009/09/11 10:46:39 [info] 2288#3484: *101 client SSL certificate verifyerror: (7:certificate signature failure) while reading client requestheaders, client: 192.168.1.211, server: 192.168.1.210, request: "GET /HTTP/1.0", host: "192.168.1.210"
После чего в конфиге обратно прописал : ssl_client_certificateclient.crt и запустил такую же команду с wget. В результате успешносоединился и скачал фаил:
---request begin---
GET / HTTP/1.0
User-Agent: Wget/1.11.4
Accept: */*
Host: 192.168.1.210
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/0.7.61
Date: Fri, 11 Sep 2009 07:50:44 GMT
Content-Type: text/html
Content-Length: 151
Last-Modified: Wed, 30 Aug 2006 11:39:18 GMT
Connection: keep-alive
Accept-Ranges: bytes

---response end---
200 OK
Registered socket 3 for persistent reuse.
Length: 151 [text/html]
Saving to: `index.html'

В --certificate= нужно указывать сертификат, выданный клиенту.
В ssl_client_certificate нужно указывать сертификат, которым был подписан
это клиентский сертификат. Это разные сертифиткаты.

Igor Sysoev wrote:

On Thu, Sep 10, 2009 at 11:02:04AM +0300, Mihails wrote:

Запускаю : " wget -d --certificate=/home/client.crt
https://192.168.1.210";
Connecting to 192.168.1.210|192.168.1.210|:443... connected.
Created socket 3.
Releasing 0x09456c98 (new refcount 1).
Initiating SSL handshake.
SSL handshake failed.
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure
Closed fd 3
Unable to establish SSL connection.
После чего пришёл к выводу,что через
wget не происходит соединение.

Что в error_log nginx' на info уровне ?

-       ssl_client_certificate  client.crt;
+       ssl_client_certificate  ca.crt;

У меня wget с этим набором сертификатов соединялся только в таком случае:

wget -d --no-check-certificate
      --certificate=client.crt
      --private-key=client.key

Для

wget -d --ca-certificate=ca.crt
      --certificate=client.crt
      --private-key=client.key

Выдавалось

Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x0808fa00
certificate:
subject: ...
issuer:  ...
ERROR: Certificate verification error for t42: self signed certificate
To connect to localhost insecurely, use `--no-check-certificate'.
Closed 3/SSL 0x808fa00
Unable to establish SSL connection.

References:
- wget + nginx + ssl
  - From: Mihails
- Re: wget + nginx + ssl
  - From: Artem Bokhan
- Re: wget + nginx + ssl
  - From: Mihails
- Re: wget + nginx + ssl
  - From: Igor Sysoev
- Re: wget + nginx + ssl
  - From: Mihails
- Re: wget + nginx + ssl
  - From: Igor Sysoev
- Re: wget + nginx + ssl
  - From: Mihails
- Re: wget + nginx + ssl
  - From: Igor Sysoev

Prev by Date: Re: wget + nginx + ssl
Next by Date: Границы слов в regexps
Previous by thread: Re: wget + nginx + ssl
Next by thread: Yet another fastcgi-wsgi gateway
Index(es):
- Date
- Thread