ssl - SSL handshake with SNI extension enabled - certificate selection on server
Problem description
During the SSL handshake, when the SNI extension is enabled in the client the server is not selecting and presenting the desired certificate back to the client.
I have a certificate chain that I've imported into the JVM's keystore on the server:
- server certificate, issued by an internal intermediate issuing CA:
  Subject: CN=myserver.example.com
- intermediate certificate, issued by the internal root CA:
  X509v3 Key Usage:
  Digital Signature, Certificate Sign, CRL Sign
  X509v3 Basic Constraints: critical
  CA:TRUE
- self-signed root CA certificate:
  X509v3 extensions:
  X509v3 Key Usage:
  Digital Signature, Certificate Sign, CRL Sign
  X509v3 Basic Constraints: critical
  CA:TRUE
I used "openssl s_client" to test.
I used the following command to test with the Server Name Indication (SNI) TLS extension disabled; the certificate chain in the keystore was selected and presented by the server in the SSL handshake. That's what I expected.
openssl s_client -connect myserver.example.com:port
I used the following command to test with the Server Name Indication (SNI) TLS extension enabled; a different (default?) certificate was selected and presented by the server in the SSL handshake. This certificate is not in the keystore. I did not expect this.
openssl s_client -connect myserver.example.com:port -servername myserver.example.com
I'm trying to figure out why the server is not selecting my certificate chain that's in the keystore, and instead is selecting the "other" (default?) certificate when the SNI extension is enabled. Any help would be appreciated.
I don't know how certificate selection works on the server during the SSL handshake process.
Solution
> I don't know how certificate selection works on the server during the SSL handshake process.
If the client does not send SNI, the server should answer with its default certificate (but some servers have no default configured, and the handshake fails). If the client sends SNI, the server should select the appropriate certificate. Your problem looks strange because it matches neither possibility. Try upgrading your JVM (OpenJDK? Oracle?) to the latest version, since a lot has changed since your version, for example Support TLS Server Name Indication (SNI) Extension in JSSE Server.
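The selection rule the answer describes, as an added example that is not part of the question or the answer and that uses Go's crypto/tls as a stand-in model server rather than JSSE: the server holds a default certificate plus one certificate keyed by name and picks by the ClientHello's SNI value, and a client drives one handshake without SNI and one with it, the way the two s_client commands above do. The certificates and the "default.internal" CN are constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed server certificate for cn (constructed test material).
func selfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// PresentedCN performs one handshake over an in-memory pipe against a server that holds a
// default certificate plus one keyed by SNI name, and returns the CN the server presented.
// sni == "" mimics `openssl s_client` without -servername (no SNI extension is sent).
func PresentedCN(sni string) (string, error) {
	byName := map[string]tls.Certificate{"myserver.example.com": selfSigned("myserver.example.com")}
	def := selfSigned("default.internal") // the "other" certificate the question observed
	srvCfg := &tls.Config{SessionTicketsDisabled: true,
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := byName[h.ServerName]; ok { // SNI present and matches a configured name
				return &c, nil
			}
			return &def, nil // no SNI, or a name with no configured certificate: default
		}}
	cli, srv := net.Pipe()
	go func() { tls.Server(srv, srvCfg).Handshake(); srv.Close() }()
	// The observer skips chain verification, like s_client without -CAfile; it only
	// records which certificate the server chose for this ClientHello.
	c := tls.Client(cli, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	defer c.Close()
	if err := c.Handshake(); err != nil {
		return "", err
	}
	return c.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

Calling PresentedCN("") returns "default.internal" while PresentedCN("myserver.example.com") returns "myserver.example.com"; a server that presents the default certificate for the second call is the misbehaviour the question describes.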