Welcome! Log In Create A New Profile

Re: wget + nginx + ssl

Forum List Message List New Topic Print View

Mihails

September 11, 2009 10:30AM

Ok,так и сделаю. Спасибо за помощь!

Igor Sysoev wrote:
> On Fri, Sep 11, 2009 at 12:46:15PM +0300, Mihails wrote:
>
>
>> Я согласен,только почему такой вариант сработал ?
>>
>
> Не знаю, я воспроизвёл описанную процедуру создания сертификатов
> и получил описанные ниже результаты с wget. Я бы рекомендовал повторить
> процедуру создания сертификата, причё написав всё в виде Makefile
> для вопроизводимости.
>
>
>> Igor Sysoev wrote:
>>
>>> On Fri, Sep 11, 2009 at 10:52:00AM +0300, Mihails wrote:
>>>
>>>
>>>
>>>> С использованием : "ssl_client_certificate ca.crt" и команды "wget -d
>>>> --no-check-certificate --certificate=./client.crt
>>>> --private-key=./client.key https://192.168.1.210" ,соединение
>>>> происходит,но выдает ошибку :
>>>>
>>>> ---request begin---
>>>> GET / HTTP/1.0
>>>> User-Agent: Wget/1.11.4
>>>> Accept: */*
>>>> Host: 192.168.1.210
>>>> Connection: Keep-Alive
>>>>
>>>> ---request end---
>>>> HTTP request sent, awaiting response...
>>>> ---response begin---
>>>> HTTP/1.1 400 Bad Request
>>>> Server: nginx/0.7.61
>>>> Date: Fri, 11 Sep 2009 07:46:39 GMT
>>>> Content-Type: text/html
>>>> Content-Length: 231
>>>> Connection: close
>>>>
>>>> ---response end---
>>>> 400 Bad Request
>>>> Closed 3/SSL 0x08976f28
>>>> 2009-09-11 10:46:39 ERROR 400: Bad Request.
>>>>
>>>> Лог фаил пишет :
>>>> 2009/09/11 10:46:27 [info] 2288#3484: *100 client SSL certificate verify
>>>> error: (7:certificate signature failure) while reading client request
>>>> headers, client: 192.168.1.211, server: 192.168.1.210, request: "GET /
>>>> HTTP/1.0", host: "192.168.1.210"
>>>> 2009/09/11 10:46:39 [info] 2288#3484: *101 client SSL certificate verify
>>>> error: (7:certificate signature failure) while reading client request
>>>> headers, client: 192.168.1.211, server: 192.168.1.210, request: "GET /
>>>> HTTP/1.0", host: "192.168.1.210"
>>>>
>>>> После чего в конфиге обратно прописал : ssl_client_certificate
>>>> client.crt и запустил такую же команду с wget. В результате успешно
>>>> соединился и скачал фаил:
>>>>
>>>> ---request begin---
>>>> GET / HTTP/1.0
>>>> User-Agent: Wget/1.11.4
>>>> Accept: */*
>>>> Host: 192.168.1.210
>>>> Connection: Keep-Alive
>>>>
>>>> ---request end---
>>>> HTTP request sent, awaiting response...
>>>> ---response begin---
>>>> HTTP/1.1 200 OK
>>>> Server: nginx/0.7.61
>>>> Date: Fri, 11 Sep 2009 07:50:44 GMT
>>>> Content-Type: text/html
>>>> Content-Length: 151
>>>> Last-Modified: Wed, 30 Aug 2006 11:39:18 GMT
>>>> Connection: keep-alive
>>>> Accept-Ranges: bytes
>>>>
>>>> ---response end---
>>>> 200 OK
>>>> Registered socket 3 for persistent reuse.
>>>> Length: 151 [text/html]
>>>> Saving to: `index.html'
>>>>
>>>>
>>> В --certificate= нужно указывать сертификат, выданный клиенту.
>>> В ssl_client_certificate нужно указывать сертификат, которым был подписан
>>> это клиентский сертификат. Это разные сертифиткаты.
>>>
>>>
>>>
>>>> Igor Sysoev wrote:
>>>>
>>>>
>>>>> On Thu, Sep 10, 2009 at 11:02:04AM +0300, Mihails wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Запускаю : " wget -d --certificate=/home/client.crt
>>>>>> https://192.168.1.210"
>>>>>> Connecting to 192.168.1.210|192.168.1.210|:443... connected.
>>>>>> Created socket 3.
>>>>>> Releasing 0x09456c98 (new refcount 1).
>>>>>> Initiating SSL handshake.
>>>>>> SSL handshake failed.
>>>>>> OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
>>>>>> handshake failure
>>>>>> Closed fd 3
>>>>>> Unable to establish SSL connection.
>>>>>> После чего пришёл к выводу,что через
>>>>>> wget не происходит соединение.
>>>>>>
>>>>>>
>>>>>>
>>>>> Что в error_log nginx' на info уровне ?
>>>>>
>>>>> - ssl_client_certificate client.crt;
>>>>> + ssl_client_certificate ca.crt;
>>>>>
>>>>> У меня wget с этим набором сертификатов соединялся только в таком случае:
>>>>>
>>>>> wget -d --no-check-certificate
>>>>> --certificate=client.crt
>>>>> --private-key=client.key
>>>>>
>>>>> Для
>>>>>
>>>>> wget -d --ca-certificate=ca.crt
>>>>> --certificate=client.crt
>>>>> --private-key=client.key
>>>>>
>>>>> Выдавалось
>>>>>
>>>>> Initiating SSL handshake.
>>>>> Handshake successful; connected socket 3 to SSL handle 0x0808fa00
>>>>> certificate:
>>>>> subject: ...
>>>>> issuer: ...
>>>>> ERROR: Certificate verification error for t42: self signed certificate
>>>>> To connect to localhost insecurely, use `--no-check-certificate'.
>>>>> Closed 3/SSL 0x808fa00
>>>>> Unable to establish SSL connection.
>>>>>
>>>>>
>>>
>>>
>
>

Reply Quote

RSS

Subject	Author	Posted
wget + nginx + ssl	Mihails	September 09, 2009 11:16AM
Re: wget + nginx + ssl	Artem Bokhan	September 10, 2009 03:08AM
Re: wget + nginx + ssl	Mihails	September 10, 2009 04:16AM
Re: wget + nginx + ssl	Igor Sysoev	September 10, 2009 09:54AM
Re: wget + nginx + ssl	Mihails	September 11, 2009 03:56AM
Re: wget + nginx + ssl	Igor Sysoev	September 11, 2009 05:04AM
Re: wget + nginx + ssl	Mihails	September 11, 2009 05:50AM
Re: wget + nginx + ssl	Igor Sysoev	September 11, 2009 06:06AM
Re: wget + nginx + ssl	Mihails	September 11, 2009 10:30AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 286

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018