在我的开发环境中,我正在构建将与只接受TLS 1.2(Authorize.net Ruby SDK(的API连接的代码。
#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)>
我的同事可以在他的本地环境中运行代码,而不会出现这个错误。它依赖ssl吗?我使用的是openssl 1.1.1h,他使用的是libressl。
更新:
的输出
─$ openssl s_client -showcerts -connect apitest.authorize.net:443
是:
CONNECTED(00000005) depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K verify return:1 depth=0 C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net verify return:1
--- Certificate chain 0 s:C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority
- L1K
-----BEGIN CERTIFICATE----- MIIGxzCCBa+gAwIBAgIQfjbSKF+9lNAAAAAAUP5NeTANBgkqhkiG9w0BAQsFADCB ujELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsT H1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAy MDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwG A1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxSzAeFw0y MDAyMDUyMDQ0MDhaFw0yMTAzMTUyMTE0MDhaMGoxCzAJBgNVBAYTAlVTMRMwEQYD VQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtGb3N0ZXIgQ2l0eTEWMBQGA1UEChMN QXV0aG9yaXplLk5ldDEYMBYGA1UEAwwPKi5hdXRob3JpemUubmV0MIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnBMtpwsQcEI3Pd7MKBPs/bhVye/yYNnL Pp3zrJloBy217QtpZpbXj9c1Sjt7xMXv9RotOt9aSbOsAc7CGkKPuwUIcdVbQg/8 gOlWxuT2zF+gek3NzmQSUSbrnVLe5XuT5OQBxjLH922Rm5OTJ3k6rcrQz6Q3nN37 hBClYcHBlTdnFTfCFsSDMAm2w9njNgLSkF1JaPnWfTPnda8xBmqLwJBDgTEy/a1P kPnbsosyp1/R9cE5Dn7VuFfzEgN/D9/YNbg8KxK63O5GVswc/mSzHT19wb4lgXlF zptvoYHKIyl1KwCw4/tt5fAuI59KRUAYzQKQFTcRZbNcYAEccmKilwIDAQABo4ID FjCCAxIwKQYDVR0RBCIwIIIPKi5hdXRob3JpemUubmV0gg1hdXRob3JpemUubmV0 MIIBfQYKKwYBBAHWeQIEAgSCAW0EggFpAWcAdQBVgdTCFpA2AUrqC5tXPFPwwOQ4 eHAlCBcvo6odBxPTDAAAAXAXNAX7AAAEAwBGMEQCIAOcM5IXfx51+2Ne2ApYlwkw /sHPMPZUSbXYwF6m4P4uAiBZOnqTkH63rvErM3JZ3nLc0om+qqRLriHI5KZxYN4O JQB2AFYUBpov18Ls0/XhvUSyPsdGdrm8mRFcwO+UmFXWidDdAAABcBc0BggAAAQD AEcwRQIhAJrKOTbyOlcTpELU1FDB844Svqz0BQFO5a8beVuPQoulAiAZwnatMff6 6VGE80UJ8BqHDwPFZOjj5jt4dHtYKonU/AB2AKS5CZC0GFgUh7sTosxncAo8NZgE
+RvfuON3zQ7IDdwQAAABcBc0BgQAAAQDAEcwRQIgbC4cCT2jB38DWbzWobGL4NG1 9BdOTPaWd3acm2v+7yACIQDE2H8U5+65+IMrn5UXRFP/DdSCHNQI/xr7OKEQGDJp 4zAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC MDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZW50cnVzdC5uZXQvbGV2ZWwx ay5jcmwwSwYDVR0gBEQwQjA2BgpghkgBhvpsCgEFMCgwJgYIKwYBBQUHAgEWGmh0 dHA6Ly93d3cuZW50cnVzdC5uZXQvcnBhMAgGBmeBDAECAjBoBggrBgEFBQcBAQRc MFowIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmVudHJ1c3QubmV0MDMGCCsGAQUF BzAChidodHRwOi8vYWlhLmVudHJ1c3QubmV0L2wxay1jaGFpbjI1Ni5jZXIwHwYD VR0jBBgwFoAUgqJwdN28Uz/Pe9T3zX+nYMYKTL8wHQYDVR0OBBYEFK069bMPyloE nNXcyli5AieCD9MiMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAB2wqZ17 AAmYCO4EnmXWDTp1D9iBbNQxYSnj6oR9w0kMVahQ4Q43rdERaw2BsNWByG2peXP0 GRoOTUr5dpAKu5qa1A4V93Y/pc8RuDM0mxI/EmgzO7D4eSPRvC6735sa6XVDc5mk G9hccypCAR6u+tYeXGTmcYG10zunnHPQIf67zM1INdm+pfMfBc/IzvZ7tVWkfOEQ Wl2C/+i5hcdrIONTWD7QWqmr34kZckq+NLcF0z2M70ZdwvdeWxf1xFjgGfdoakuH PsuQI8XDA9DMc3r4GbTid70rTB+z0DNajMz/jGOm7r/Sp2C8wK+ukrzd9vVpZyf/ Q+GfoA0hiovUxiI=
-----END CERTIFICATE----- 1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
-----BEGIN CERTIFICATE----- MIIFDjCCA/agAwIBAgIMDulMwwAAAABR03eFMA0GCSqGSIb3DQEBCwUAMIG+MQsw CQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2Vl IHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMDkg RW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIwMAYDVQQD EylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjAeFw0x NTEwMDUxOTEzNTZaFw0zMDEyMDUxOTQzNTZaMIG6MQswCQYDVQQGEwJVUzEWMBQG A1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2VlIHd3dy5lbnRydXN0Lm5l dC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMTIgRW50cnVzdCwgSW5jLiAt IGZvciBhdXRob3JpemVkIHVzZSBvbmx5MS4wLAYDVQQDEyVFbnRydXN0IENlcnRp ZmljYXRpb24gQXV0aG9yaXR5IC0gTDFLMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A MIIBCgKCAQEA2j+W0E25L0Tn2zlem1DuXKVh2kFnUwmqAJqOV38pa9vH4SEkqjrQ jUcj0u1yFvCRIdJdt7hLqIOPt5EyaM/OJZMssn2XyP7BtBe6CZ4DkJN7fEmDImiK m95HwzGYei59QAvS7z7Tsoyqj0ip/wDoKVgG97aTWpRzJiatWA7lQrjV6nN5ZGhT JbiEz5R6rgZFDKNrTdDGvuoYpDbwkrK6HIiPOlJ/915tgxyd8B/lw9bdpXiSPbBt LOrJz5RBGXFEaLpHPATpXbo+8DX3Fbae8i4VHj9HyMg4p3NFXU2wO7GOFyk36t0F ASK7lDYqjVs1/lMZLwhGwSqzGmIdTivZGwIDAQABo4IBDDCCAQgwDgYDVR0PAQH/ BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwMwYIKwYBBQUHAQEEJzAlMCMGCCsG AQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAwBgNVHR8EKTAnMCWgI6Ah hh9odHRwOi8vY3JsLmVudHJ1c3QubmV0L2cyY2EuY3JsMDsGA1UdIAQ0MDIwMAYE VR0gADAoMCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L3JwYTAd BgNVHQ4EFgQUgqJwdN28Uz/Pe9T3zX+nYMYKTL8wHwYDVR0jBBgwFoAUanImetAe 733nO2lR1GyNn5ASZqswDQYJKoZIhvcNAQELBQADggEBADnVjpiDYcgsY9NwHRkw y/YJrMxp1cncN0HyMg/vdMNY9ngnCTQIlZIv19+4o/0OgemknNM/TWgrFTEKFcxS BJPok1DD2bHi4Wi3Ogl08TRYCj93mEC45mj/XeTIRsXsgdfJghhcg85x2Ly/rJkC k9uUmITSnKa1/ly78EqvIazCP0kkZ9Yujs+szGQVGHLlbHfTUqi53Y2sAEo1GdRv c6N172tkw+CNgxKhiucOhk3YtCAbvmqljEtoZuMrx1gL+1YQ1JH7HdMxWBCMRON1 exCdtTix9qrKgWRs6PLigVWXUX/hwidQosk8WwBD9lu51aX8/wdQQGcHsFXwt35u Lcw=
-----END CERTIFICATE----- 2 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2 i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
-----BEGIN CERTIFICATE----- MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50 cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0 aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1 U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0 jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/ jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v 1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g==
-----END CERTIFICATE-----
--- Server certificate subject=C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net
issuer=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
--- No client certificate CA names sent
--- SSL handshake has read 4298 bytes and written 641 bytes Verification: OK
--- New, TLSv1.2, Cipher is AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: A2982432F7DD99178A611C2F5D25409F91236B173AF83B08C0E479142EB590AF
Session-ID-ctx:
Master-Key: ECBB0DEAE245D006AA30D090D9D00B8C937DBECB2F8D1A19EC8B720A5B3A1A946B55FC00C20778E0FD89E6EF98A730E1
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1608845194
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
我在里面没有看到自签名证书?还是我走错了路。。。
代码很简单,如果你有兴趣,你可以在家里试用它来测试自己。
include AuthorizeNet::API
trx = AuthorizeNet::API::Transaction.new('8Gxa...', '6LKh9...', gateway: :sandbox)
request = CreateCustomerProfileRequest.new
request.profile = CustomerProfileType.new
request.profile.merchantCustomerId = 'abc'
request.profile.description = 'name'
response = trx.create_customer_profile(request)
所以我需要两样东西:
- 了解这是否是我的设置/环境的问题,以及如何解决它
- 或者,了解这是否是API方面的问题(Authorize.net(,以及如何对其进行补偿,或者告诉他们实际发生了什么
您是否与开发人员仔细检查过libressl在其设置中加载了哪些CA证书?
链中的自签名错误意味着验证操作能够建立信任链,但无法在该链中找到证书颁发机构。
由于证书链检查和验证在其他地方确实有效,我将首先验证他的设置。
更准确地说,如果我们看看这个链条:
$ openssl s_client -showcerts -connect apitest.authorize.net:443
CONNECTED(00000003)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net
i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
2 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net
issuer=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
---
No client certificate CA names sent
---
SSL handshake has read 4298 bytes and written 641 bytes
Verification: OK
---
这告诉我们,链使用的是带有L1k证书的Entrust G2根证书。
此CA证书可以从下载https://www.entrust.com/resources/certificate-solutions/tools/root-certificate-downloads(仔细检查(。
我建议与开发人员核实这个证书在他的设置中是正确可信的。
apitest.authorize.net
具有通配符证书。
来自openssl-1.1.1h
中的文件x509v3.h
/* Disable wildcard matching for dnsName fields and common name. */
# define X509_CHECK_FLAG_NO_WILDCARDS 0x2
这表明默认情况下禁用通配符匹配。
在v3_utl.c
中
if (flags & X509_CHECK_FLAG_NO_WILDCARDS)
equal = equal_nocase;
else
equal = equal_wildcard;
这意味着Openssl将使用不区分大小写的比较,在这种情况下apitest.authorize.net
将与*.authorize.net
不匹配
我想您的服务器不必发送Entrust的根证书,该证书必须是自签名证书。
2 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
Ug事实证明,authorize.net沙箱实际上需要这样做。我需要传递一个verify_ssl
标志并将其设置为false。