TASSL-1.1.1k icon indicating copy to clipboard operation
TASSL-1.1.1k copied to clipboard

Published 20 hours ago verified publisher icon jntass

与国密测试网站握手失败

Open ccxhwmy opened this issue 3 years ago • 9 comments

./openssl s_client -gmtls1_1 -connect sm2test.ovssl.cn:443

CONNECTED(00000004) depth=2 C = CN, O = \E6\B2\83\E9\80\9A\E7\94\B5\E5\AD\90\E8\AE\A4\E8\AF\81\E6\9C\8D\E5\8A\A1\E6\9C\89\E9\99\90\E5\85\AC\E5\8F\B8, CN = \E5\9B\BD\E5\AF\86SM2\E6\A0\B9\E8\AF\81\E4\B9\A6 verify error:num=19:self signed certificate in certificate chain verify return:1 depth=2 C = CN, O = \E6\B2\83\E9\80\9A\E7\94\B5\E5\AD\90\E8\AE\A4\E8\AF\81\E6\9C\8D\E5\8A\A1\E6\9C\89\E9\99\90\E5\85\AC\E5\8F\B8, CN = \E5\9B\BD\E5\AF\86SM2\E6\A0\B9\E8\AF\81\E4\B9\A6 verify return:1 depth=1 C = CN, O = \E6\B2\83\E9\80\9A\E7\94\B5\E5\AD\90\E8\AE\A4\E8\AF\81\E6\9C\8D\E5\8A\A1\E6\9C\89\E9\99\90\E5\85\AC\E5\8F\B8, CN = \E5\9B\BD\E5\AF\86SM2\E6\9C\8D\E5\8A\A1\E5\99\A8\E6\A0\B9\E8\AF\81\E4\B9\A6V3 verify return:1 depth=0 C = CN, ST = \E5\B9\BF\E4\B8\9C\E7\9C\81, L = \E6\B7\B1\E5\9C\B3\E5\B8\82, O = \E6\B2\83\E9\80\9A\E7\94\B5\E5\AD\90\E8\AE\A4\E8\AF\81\E6\9C\8D\E5\8A\A1\E6\9C\89\E9\99\90\E5\85\AC\E5\8F\B8, OU = \E6\B2\83\E9\80\9A\E7\94\B5\E5\AD\90\E8\AE\A4\E8\AF\81\E6\9C\8D\E5\8A\A1\E6\9C\89\E9\99\90\E5\85\AC\E5\8F\B8, CN = sm2test.ovssl.cn verify return:1 140707533051648:error:1416F12B:SSL routines:tls_process_server_certificate:unable to find enc cert:ssl/statem/statem_clnt.c:1965:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 3306 bytes and written 96 bytes Verification error: self signed certificate in certificate chain

New, (NONE), Cipher is (NONE) Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : GMTLSv1.1 Cipher : 0000 Session-ID: 492D526D15B70C1CB46AE64E53A13A054B4DF6086D9938FCAFB0B836EA5722A4 Session-ID-ctx: Master-Key: PSK identity: None PSK identity hint: None SRP username: None Start Time: 1641540646 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no

ccxhwmy avatar Jan 07 '22 07:01 ccxhwmy

1641778945(1) 对证书的扩展字段keyusage有限制,签发过程参考tassl_demo/cert/openssl.cnf中的v3_req和v3enc_req

yanshichao0226 avatar Jan 10 '22 01:01 yanshichao0226

没有太理解,是我编译openssl编译选项的问题还是使用的方式不对呢?

ccxhwmy avatar Jan 10 '22 04:01 ccxhwmy

请问你的意思是不是服务端的证书扩展字段中没有添加 keyusage 的 dataEncipherment 标志位?

ccxhwmy avatar Jan 10 '22 06:01 ccxhwmy

是的

yanshichao0226 avatar Jan 10 '22 07:01 yanshichao0226

你贴的截图中表示当设置了 c)、d)、h)、i) 位中任意一项时,表示该证书为加密证书,为什么在代码中 :ssl/statem/statem_clnt.c文件的第 1957 行,如下所示,仅检查了 d) 项呢? tassl问题

ccxhwmy avatar Jan 10 '22 07:01 ccxhwmy

tassl用此项区分签名证书和加密证书;签发的时候可以把这几项都带上

yanshichao0226 avatar Jan 10 '22 08:01 yanshichao0226

我的理解该处是否可以改写为: X509_get_key_usage(sk_X509_value(sk, i)) & (X509v3_KU_DATA_ENCIPHERMENT | X509v3_KU_KEY_ENCIPHERMENT | X509v3_KU_ENCIPHER_ONLY | X509v3_KU_DECIPHER_ONLY) 因为获取到的该扩展项只要有任意一个标志位都应该认为是加密证书,这样修改之后,与 sm2test.ovssl.cn:443 建联时就不会报错了。

ccxhwmy avatar Jan 10 '22 08:01 ccxhwmy

可以,后续会增加其它字段的检查

yanshichao0226 avatar Jan 11 '22 01:01 yanshichao0226

问题已修复,sm2test.ovssl.cn:443建链正常

yanshichao0226 avatar Feb 16 '22 10:02 yanshichao0226