wget + nginx + ssl

Mihails mixei at inbox.lv
Fri Sep 11 13:46:15 MSD 2009


I agree, but why did that variant work?

Igor Sysoev wrote:
> On Fri, Sep 11, 2009 at 10:52:00AM +0300, Mihails wrote:
>
>   
>> Using "ssl_client_certificate ca.crt" and the command "wget -d
>> --no-check-certificate --certificate=./client.crt
>> --private-key=./client.key https://192.168.1.210", the connection
>> is made, but it returns an error:
>>
>> ---request begin---
>> GET / HTTP/1.0
>> User-Agent: Wget/1.11.4
>> Accept: */*
>> Host: 192.168.1.210
>> Connection: Keep-Alive
>>
>> ---request end---
>> HTTP request sent, awaiting response...
>> ---response begin---
>> HTTP/1.1 400 Bad Request
>> Server: nginx/0.7.61
>> Date: Fri, 11 Sep 2009 07:46:39 GMT
>> Content-Type: text/html
>> Content-Length: 231
>> Connection: close
>>
>> ---response end---
>> 400 Bad Request
>> Closed 3/SSL 0x08976f28
>> 2009-09-11 10:46:39 ERROR 400: Bad Request.
>>
>> The log file says:
>> 2009/09/11 10:46:27 [info] 2288#3484: *100 client SSL certificate verify 
>> error: (7:certificate signature failure) while reading client request 
>> headers, client: 192.168.1.211, server: 192.168.1.210, request: "GET / 
>> HTTP/1.0", host: "192.168.1.210"
>> 2009/09/11 10:46:39 [info] 2288#3484: *101 client SSL certificate verify 
>> error: (7:certificate signature failure) while reading client request 
>> headers, client: 192.168.1.211, server: 192.168.1.210, request: "GET / 
>> HTTP/1.0", host: "192.168.1.210"
>>
>> After that I put ssl_client_certificate client.crt back in the config
>> and ran the same wget command. As a result it connected successfully
>> and downloaded the file:
>>
>> ---request begin---
>> GET / HTTP/1.0
>> User-Agent: Wget/1.11.4
>> Accept: */*
>> Host: 192.168.1.210
>> Connection: Keep-Alive
>>
>> ---request end---
>> HTTP request sent, awaiting response...
>> ---response begin---
>> HTTP/1.1 200 OK
>> Server: nginx/0.7.61
>> Date: Fri, 11 Sep 2009 07:50:44 GMT
>> Content-Type: text/html
>> Content-Length: 151
>> Last-Modified: Wed, 30 Aug 2006 11:39:18 GMT
>> Connection: keep-alive
>> Accept-Ranges: bytes
>>
>> ---response end---
>> 200 OK
>> Registered socket 3 for persistent reuse.
>> Length: 151 [text/html]
>> Saving to: `index.html'
>>     
>
> --certificate= must be given the certificate issued to the client.
> ssl_client_certificate must be given the certificate with which that
> client certificate was signed. These are different certificates.
>
>   
>> Igor Sysoev wrote:
>>     
>>> On Thu, Sep 10, 2009 at 11:02:04AM +0300, Mihails wrote:
>>>
>>>  
>>>       
>>>> I run: "wget -d --certificate=/home/client.crt
>>>> https://192.168.1.210"
>>>> Connecting to 192.168.1.210|192.168.1.210|:443... connected.
>>>> Created socket 3.
>>>> Releasing 0x09456c98 (new refcount 1).
>>>> Initiating SSL handshake.
>>>> SSL handshake failed.
>>>> OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
>>>> handshake failure
>>>> Closed fd 3
>>>> Unable to establish SSL connection.
>>>> After which I concluded that no connection
>>>> is made via wget.
>>>>    
>>>>         
>>> What is in nginx's error_log at the info level?
>>>
>>> -       ssl_client_certificate  client.crt;
>>> +       ssl_client_certificate  ca.crt;
>>>
>>> For me, wget connected with this set of certificates only in this case:
>>>
>>> wget -d --no-check-certificate
>>>        --certificate=client.crt
>>>        --private-key=client.key
>>>
>>> For
>>>
>>> wget -d --ca-certificate=ca.crt
>>>        --certificate=client.crt
>>>        --private-key=client.key
>>>
>>> the output was
>>>
>>> Initiating SSL handshake.
>>> Handshake successful; connected socket 3 to SSL handle 0x0808fa00
>>> certificate:
>>>  subject: ...
>>>  issuer:  ...
>>> ERROR: Certificate verification error for t42: self signed certificate
>>> To connect to localhost insecurely, use `--no-check-certificate'.
>>> Closed 3/SSL 0x808fa00
>>> Unable to establish SSL connection.
>>>       
>
>
>   
