Let's Encrypt SSL certificate sent twice in TLS handshake

While doing a Wireshark trace to check that our server correctly serves my Let's Encrypt certificate, I noticed that at 'Server Hello Done' the same certificate is sent twice in the TLS handshake.

How can this happen, and how do I correct it?

The certificate details are exactly the same both times:

Requested additional info: I traced this with Wireshark by visiting an https page on my Apache web server (CentOS Linux release 7.4.1708 (Core)) using the Chrome browser on a Fedora 25 client.

VirtualHost configuration:

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem

Not sure whether it matters, but I also have a second VirtualHost with a different Let's Encrypt certificate:

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/letsencrypt/live/my2.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my2.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my2.domain.tld/fullchain.pem

Problem

This is caused by having both SSLCertificateFile and SSLCertificateChainFile configured.

From the mod_ssl documentation (emphasis mine):

This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.

But if you inspect fullchain.pem, you will see that it contains the server certificate at the top, followed by the Let's Encrypt issuing CA. Apache sends the contents of SSLCertificateFile with SSLCertificateChainFile concatenated after it. Since your server certificate appears in both, it is duplicated in the final chain seen in the SSL handshake, exactly as you observed in Wireshark:

   vhost.conf                   Sent To Client 
+---------------+            +------------------+
|   cert.pem    |----------> |Server Certificate|
|               |            |        +         |
|       +       |      +---> |Server Certificate|
|               |      |     |        +         |
| fullchain.pem |----------> | CA Certificate   |
+---------------+            +------------------+

Fix

In modern Apache, the SSLCertificateChainFile directive is no longer used; give fullchain.pem directly to SSLCertificateFile.

Again, from the mod_ssl documentation:

SSLCertificateChainFile is deprecated

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

So all you need to do is change your VirtualHost configuration from this:

SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem

to this:

SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
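As an added illustration (not part of the question or the answer above), here is a small Python script that models how mod_ssl assembles the chain it sends, SSLCertificateFile first and then SSLCertificateChainFile, and flags any certificate that appears more than once by SHA-256 fingerprint of its DER bytes. The PEM blocks embedded in it are constructed placeholders, not real certificates; point the functions at the real cert.pem and fullchain.pem to check a vhost config before reloading Apache.

```python
import base64
import hashlib
import re

# Matches each CERTIFICATE block in a PEM bundle (non-greedy, across lines).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint (hex) of every CERTIFICATE block, in file order."""
    fingerprints = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def chain_as_sent(cert_file_pem, chain_file_pem=None):
    """Model mod_ssl: SSLCertificateFile, then SSLCertificateChainFile (if set)."""
    sent = pem_fingerprints(cert_file_pem)
    if chain_file_pem is not None:
        sent += pem_fingerprints(chain_file_pem)
    return sent


def duplicated(fingerprints):
    """Fingerprints that occur more than once, in order of first repeat."""
    seen, dups = set(), []
    for fp in fingerprints:
        if fp in seen and fp not in dups:
            dups.append(fp)
        seen.add(fp)
    return dups


def fake_pem(label):
    """Constructed placeholder block: NOT a real certificate, just opaque bytes."""
    body = base64.b64encode(f"constructed-{label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed stand-ins for cert.pem and fullchain.pem (leaf + intermediate).
CERT_PEM = fake_pem("server-cert")
FULLCHAIN_PEM = CERT_PEM + fake_pem("intermediate-ca")

if __name__ == "__main__":
    old = chain_as_sent(CERT_PEM, FULLCHAIN_PEM)   # cert.pem + ChainFile
    new = chain_as_sent(FULLCHAIN_PEM)             # fullchain.pem alone
    print("old config sends", len(old), "certs, duplicates:", duplicated(old))
    print("new config sends", len(new), "certs, duplicates:", duplicated(new))
```

For a live server the same fingerprint check can be run over the chain printed by `openssl s_client -showcerts`, which is the quickest way to confirm the fix took effect after a reload.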