在我的apache web-server中,有一条路径,客户端必须使用有效的证书进行身份验证。
有时会有一个无法连接的客户端(soap-webservice),我的apache返回403“sslv3警告错误证书(SSL警报号42) - 证书中的主体CN不是服务器名称或与CA相同!?”我需要检查它使用的原因和证书。
我为mod_ssl和一个自定义日志设置了trace3 loglevel,如下所示:
CustomLog /var/log/httpd-ssl.log "%t %h \"%{User-agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s \"%{SSL_CLIENT_S_DN_CN}x\" <<<%{SSL_CLIENT_CERT}x>>>"
<IfModule mod_ssl.c>
ErrorLog /var/log/apache2/ssl_engine.log
LogLevel trace3
</IfModule>
在第一个文件日志中,我可以看到可以连接的客户端的所有信息,但是当客户端失败时,没有有用的信息:
[16/Feb/2019:11:01:43 +0100] XXX.XXX.XXX.XXX "IBM WebServices/1.0" - - "POST MYSECRETPATH HTTP/1.1" 403 "-" <<<->>>
在第二个我可以看到一些信息,如:
[Thu Feb 21 13:57:55.288418 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(359): [client xxx.xxx.xxx.xxx:56892] AH02034: Initial (No.1) HTTPS request received for child 5 (server XXX.XXX.XXX:443)
[Thu Feb 21 13:57:55.288591 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(743): [client xxx.xxx.xxx.xxx:56892] AH02255: Changed client verification type will force renegotiation
[Thu Feb 21 13:57:55.557866 2019] [ssl:info] [pid 99609] [client xxx.xxx.xxx.xxx:56892] AH02221: Requesting connection re-negotiation
[Thu Feb 21 13:57:55.557902 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(970): [client xxx.xxx.xxx.xxx:56892] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Thu Feb 21 13:57:55.557919 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1988): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Handshake: start
[Thu Feb 21 13:57:55.557932 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSL renegotiate ciphers
[Thu Feb 21 13:57:55.557948 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write hello request A
[Thu Feb 21 13:57:55.557978 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 flush data
[Thu Feb 21 13:57:55.557986 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write hello request C
[Thu Feb 21 13:57:55.557996 2019] [ssl:info] [pid 99609] [client xxx.xxx.xxx.xxx:56892] AH02226: Awaiting re-negotiation handshake
[Thu Feb 21 13:57:55.558005 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1988): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Handshake: start
[Thu Feb 21 13:57:55.558016 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: before accept initialization
[Thu Feb 21 13:57:55.590106 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(2141): [client xxx.xxx.xxx.xxx:56892] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Thu Feb 21 13:57:55.590134 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 read client hello A
[Thu Feb 21 13:57:55.590146 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write server hello A
[Thu Feb 21 13:57:55.590177 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write certificate A
[Thu Feb 21 13:57:55.590190 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write certificate request A
[Thu Feb 21 13:57:55.590217 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 flush data
[Thu Feb 21 13:57:55.887495 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(2001): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Read: SSLv3 read client certificate A
[Thu Feb 21 13:57:55.887530 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(2020): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Exit: failed in SSLv3 read client certificate A
[Thu Feb 21 13:57:55.887538 2019] [ssl:error] [pid 99609] [client xxx.xxx.xxx.xxx:56892] AH02261: Re-negotiation handshake failed
[Thu Feb 21 13:57:55.887567 2019] [ssl:error] [pid 99609] SSL Library Error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (SSL alert number 42) -- Subject CN in certificate not server name or identical to CA!?
[Thu Feb 21 13:57:55.887578 2019] [core:trace3] [pid 99609] request.c(117): [client xxx.xxx.xxx.xxx:56892] auth phase 'check access (with Satisfy All)' gave status 403: /my/secret/path
[Thu Feb 21 13:57:55.887611 2019] [http:trace3] [pid 99609] http_filters.c(1003): [client xxx.xxx.xxx.xxx:56892] Response sent with status 403
但是没有什么真正有用的东西。
我想记录/写入apache正在阅读但不接受的证书。我该如何记录?
您可以通过添加以下JVM命令行参数在Application Server JVM配置中启用SSL调试日志,然后重新启动Application Server:
-Djavax.net.debug =所有
根据您的WAS版本,添加上述参数通常通过导航到WAS管理控制台>服务器>应用程序服务器> YourServer>进程管理> Java虚拟机>通用JVM参数来完成