如何修复x509:无法验证<ip>证书,因为它不包含任何IP SAN
如何修复x509:无法验证<ip>证书,因为它不包含任何IP SAN
提问于 2020-09-23 20:53:35
我使用go http客户端连接到有自签名证书的物联网设备。我已经有了
TLSClientConfig: &tls.Config{
RootCAs: certPool,
Certificates: []tls.Certificate{tlsClientCert},
InsecureSkipVerify: true,
},尽管如此,尽管InsecureSkipVerify=true go仍然试图验证证书:
x509: cannot validate certificate for <ip> because it doesn't contain any IP SANs由于我无法更改设备上的证书- TLS客户端配置的哪个部分可以修改以接受它?
更新
可以在设备上运行https://github.com/jbardin/gotlsscan/blob/master/main.go来再现go错误:
Testing TLS1.2
...
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED] x509: cannot validate certificate for 192.168.1.145 because it doesn't contain any IP SANs
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED]
...这是openssl在运行openssl s_client -connect <ip:port>时说的
CONNECTED(00000003)
depth=0 C = DE, O = Bebro, OU = ULK High GEN 1, CN = ICCPD...
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, O = Bebro, OU = ULK High GEN 1, CN = ICCPD...
verify return:1
4460842604:error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40
4460842604:error:1401E0E5:SSL routines:CONNECT_CR_FINISHED:ssl handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:585:
---
Certificate chain
0 s:/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
i:/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
---
Server certificate
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
subject=/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
issuer=/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 969 bytes and written 178 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-SHA256
Session-ID: 9C7D...
Session-ID-ctx:
Master-Key: AC9E...
Start Time: 1600892515
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---更新我正在运行最新的go 1.15.2
回答 1
Stack Overflow用户
发布于 2021-05-20 05:37:56
这可能有用,
在证书中有一个名为"SANs“的字段,我们需要在这个SAN列表中添加'hostname‘。
添加后,应该在使用"ServerName“字段的TLS配置中添加相同的名称。在此配置之后,将解决此问题。在SANS属性中,我添加了"test.com“,因此我按照以下方式配置了TLS:
ServerName: "test.com",
RootCAs: pool,
Certificates: []tls.Certificate{clientCert},
MinVersion: tls.VersionTLS12,由于您正在使用的证书可能不包含任何SAN,因此会发生此错误。我仍在探索,如果你们对此有任何评论,请留下回复。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/64036060
复制相关文章
相似问题
腾讯云开发者
