openssl: error SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED


Error

[2021-11-15 03:35:51.692][359][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:225] [C8] TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2021-11-15 03:35:51.692][359][debug][connection] [source/common/network/connection_impl.cc:242] [C8] closing socket: 0
[2021-11-15 03:35:51.692][359][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:225] [C8] TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2021-11-15 03:35:51.692][359][debug][client] [source/common/http/codec_client.cc:99] [C8] disconnect. resetting 0 pending requests
[2021-11-15 03:35:51.692][359][debug][pool] [source/common/conn_pool/conn_pool_base.cc:343] [C8] client disconnected, failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2021-11-15 03:35:51.692][359][debug][router] [source/common/router/router.cc:1026] [C0][S5574975610885113654] upstream reset: reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2021-11-15 03:35:51.692][359][debug][http] [source/common/http/filter_manager.cc:839] [C0][S5574975610885113654] Sending local reply with details upstream_reset_before_response_started{connection failure,TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED}
[2021-11-15 03:35:51.692][359][debug][http] [source/common/http/conn_manager_impl.cc:1501] [C0][S5574975610885113654] encoding headers via codec (end_stream=false):

Envoy

Code:

https://github.com/envoyproxy/envoy/blob/c64497b8d727ef7631565c7674a2233c58bb51ac/source/extensions/transport_sockets/tls/ssl_socket.cc

    // Excerpt from SslSocket::drainErrorQueue(); the enclosing loop pulls one
    // packed code per iteration off the OpenSSL error queue (ERR_get_error()),
    // so several errors can be appended to a single failure_reason_ string.
    if (failure_reason_.empty()) {
      failure_reason_ = "TLS error:";
    }
    failure_reason_.append(absl::StrCat(" ", err, ":",  // concatenate "<code>:<lib>:<func>:<reason>"
                                        absl::NullSafeStringView(ERR_lib_error_string(err)), ":",
                                        absl::NullSafeStringView(ERR_func_error_string(err)), ":",
                                        absl::NullSafeStringView(ERR_reason_error_string(err))));
  }

All three *_error_string functions are conversion functions provided by OpenSSL. ERR_lib_error_string, for example, looks like this in OpenSSL 1.1.x (the field-extraction macros come from <openssl/err.h>):

    /* Field layout of a packed error code: bits 31..24 library, 23..12 function, 11..0 reason */
    # define ERR_GET_LIB(l)          (int)(((l) >> 24L) & 0x0FFL)
    # define ERR_GET_FUNC(l)         (int)(((l) >> 12L) & 0xFFFL)
    # define ERR_GET_REASON(l)       (int)( (l)         & 0xFFFL)

    const char *ERR_lib_error_string(unsigned long e)
    {
        ERR_STRING_DATA d, *p;
        unsigned long l;

        /* lazily load the error string tables */
        if (!RUN_ONCE(&err_string_init, do_err_strings_init)) {
            return NULL;
        }

        l = ERR_GET_LIB(e);              /* keep only the library id */
        d.error = ERR_PACK(l, 0, 0);     /* look up the table entry for (lib, 0, 0) */
        p = int_err_get_item(&d);
        return ((p == NULL) ? NULL : p->string);
    }

The error code is split into three parts: the top 8 bits (ERR_GET_LIB masks with 0x0FF), the middle 12 bits and the low 12 bits, representing LIB, FUNC and REASON respectively.

SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
therefore means the error was raised by the SSL routines library, i.e. the TLS handshake failed.
Function: OPENSSL_internal. Envoy links against BoringSSL, whose ERR_func_error_string() returns this fixed string for every code, so this field identifies no particular function.
Reason: CERTIFICATE_VERIFY_FAILED, i.e. verification of the peer's certificate chain failed.
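As an added example (not code from this blog or from Envoy), the following Python reproduces the bit split described above and applies it to the code Envoy logged, 268435581. The numeric constants ERR_LIB_SSL = 16 and SSL_R_CERTIFICATE_VERIFY_FAILED = 125 are BoringSSL's, which the names in the log line confirm; the sample log line is constructed from the shape of the Envoy debug output above.

```python
import re
from typing import Optional

# Packed error code layout shared by OpenSSL and BoringSSL:
# bits 31..24 library id | bits 23..12 function id | bits 11..0 reason id
def err_get_lib(code: int) -> int:
    return (code >> 24) & 0x0FF          # ERR_GET_LIB

def err_get_func(code: int) -> int:
    return (code >> 12) & 0xFFF          # ERR_GET_FUNC (BoringSSL always stores 0 here)

def err_get_reason(code: int) -> int:
    return code & 0xFFF                  # ERR_GET_REASON

def err_pack(lib: int, func: int, reason: int) -> int:
    return ((lib & 0x0FF) << 24) | ((func & 0xFFF) << 12) | (reason & 0xFFF)

# Minimal name tables covering the values seen in this post. The numbers are
# BoringSSL's (Envoy links BoringSSL): ERR_LIB_SSL == 16 and
# SSL_R_CERTIFICATE_VERIFY_FAILED == 125. BoringSSL's ERR_func_error_string()
# returns the fixed string "OPENSSL_internal" for every code.
LIB_NAMES = {16: "SSL routines"}
REASON_NAMES = {(16, 125): "CERTIFICATE_VERIFY_FAILED"}

def describe(code: int) -> str:
    """Render a packed code the way Envoy's failure_reason_ string does."""
    lib, reason = err_get_lib(code), err_get_reason(code)
    lib_name = LIB_NAMES.get(lib, f"lib#{lib}")
    reason_name = REASON_NAMES.get((lib, reason), f"reason#{reason}")
    return f"{code}:{lib_name}:OPENSSL_internal:{reason_name}"

# Constructed sample line in the shape of the Envoy debug log.
SAMPLE_LOG = ("[2021-11-15 03:35:51.692][359][debug][connection] [C8] TLS error: "
              "268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED")

def parse_tls_error(line: str) -> Optional[dict]:
    """Extract the numeric code from an Envoy 'TLS error:' line and decode it."""
    m = re.search(r"TLS error: (\d+):", line)
    if not m:
        return None
    code = int(m.group(1))
    return {"code": code, "lib": err_get_lib(code), "func": err_get_func(code),
            "reason": err_get_reason(code), "text": describe(code)}

if __name__ == "__main__":
    print(parse_tls_error(SAMPLE_LOG))
```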

The message itself carries no other useful information.

Possible causes summarized by AWS

https://docs.aws.amazon.com/app-mesh/latest/userguide/troubleshooting-security.html

The certificate was not signed by one of the certificate authorities defined in the TLS client policy trust bundle.
The certificate is no longer valid (expired).
The Subject Alternative Name (SAN) does not match the requested DNS hostname.

Make sure that the certificate offered by the backend service is valid, that it is signed by one of the certificate authorities in your TLS client policies trust bundle, and that it meets the criteria defined in Transport Layer Security (TLS).

Author: mzhan017