"verify error:num=20" when connecting to gateway.sandbox.push.apple.com
I am trying to work through the Ray Wenderlich tutorial Apple Push Notification Services in iOS 6 Tutorial: Part 1/2.
I created the App ID and SSL certificate, along with the key and PEM files, in a local directory. I then reached the step that tests whether the certificate works, and from that local directory I ran the following command:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert PushChatCert.pem -key PushChatKey.pem
This produced a lot of output. In the middle of the output was the following:
verify error:num=20:unable to get local issuer certificate
verify return:0
Is this an error, or is it part of the test? If it is an error, what causes it and how can I fix it?
Here is the full output (certificate data omitted):
Enter pass phrase for PushChatKey.pem:
CONNECTED(00000003)
depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----
<Long string of data removed>
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
No client certificate CA names sent
---
SSL handshake has read 2731 bytes and written 2215 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: <removed>
Key-Arg : None
Start Time: 1398633302
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
The tutorial goes on to say, "If the connection is successful, you should be able to type a few characters. When you press Enter, the server should disconnect." I was able to do this, and the server disconnected.
However, the tutorial then says that you may need to look through the output for errors, hence this question.
This produced a lot of output. In the middle of the output was the following: verify error:num=20:unable to get local issuer certificate verify return:0
The root certificate is missing. You need to specify it with -CAfile or -CApath.
However, after you fix the root certificate problem, you may run into a handshake failure alert. I believe it is a client certificate issue caused by me not having one (so you may not experience it). Below, 0x14094410 is the OpenSSL error, and the SSL error (from the TLS protocol) is simply SSL alert number 40. Alert 40 is handshake failure, and it carries no additional information.
First
Determine the root you need.
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195
CONNECTED(00000003)
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
140067272132264:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140067272132264:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
So you need the Entrust.net Certification Authority (2048). You can download it from Entrust Root Certificates. It is named entrust_2048_ca.cer and is in PEM format.
Second
Now run openssl s_client again, but this time with -CAfile entrust_2048_ca.cer. It completes with Verify return code: 0 (ok).
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CAfile entrust_2048_ca.cer
CONNECTED(00000003)
depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048)
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C
verify return:1
depth=0 C = US, ST = California, L = Cupertino, O = Apple Inc., OU = iTMS Engineering, CN = gateway.sandbox.push.apple.com
verify return:1
140642906502824:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140642906502824:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----
<Long string of data removed>
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
No client certificate CA names sent
---
SSL handshake has read 2683 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: A2F375CC440179ADF831179C32A35AF4...
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1398721005
Timeout : 300 (sec)
Verify return code: 0 (ok)
Third
This is kind of the old way of doing things, back when SSLv3 was still popular. That is, the POODLE attack was unknown:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CAfile entrust_2048_ca.cer
You should probably switch to TLS 1.0 or above and use Server Name Indication (SNI). SNI is a TLS feature not present in SSL. You might need to force TLS 1.2 in 2016; and you can do so with -tls1_2.
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 \
-tls1 -servername gateway.sandbox.push.apple.com -CAfile entrust_2048_ca.cer
Below is information from other comments and answers. I'm gathering them up for convenience. You should upvote the comment or answer as appropriate.
Client Certificate
Korbbit provides additional information below. It addresses the statement I made, "alert handshake failure ... I believe its a client certificate issue caused by me not having one". You should provide feedback for Korbbit if it's helpful to you:
if you look at the tutorial again you are meant to type...
-cert PushChatCert.pem -key PushChatKey.pem
With Korbbit's feedback, the answer becomes:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 \
-tls1 -servername gateway.sandbox.push.apple.com \
-cert PushChatCert.pem -key PushChatKey.pem -CAfile entrust_2048_ca.cer
ca-certificates bundle and -CApath
From Timur Bakeyev: Entrust.net is a well-known Root Certificate Authority, so its certificate comes in the common CA certificates bundle (ca-certificates in Debian). It is usually installed, among others, into the /etc/ssl/certs directory and, alternatively, can be referred to with the -CApath /etc/ssl/certs/ option.
You can use -CApath in place of -CAfile as follows.
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CApath /etc/ssl/certs/
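The following script is an added example and is not part of the question or of either answer. It reproduces the situation from this thread offline, so that the meaning of num=20 can be seen without contacting Apple: it builds a constructed chain (root, intermediate, leaf), verifies the leaf with `openssl verify` instead of a live `s_client` connection (the intermediate is passed as `-untrusted`, which is the role the server-sent chain plays), and shows that the error goes away once the root is trusted, either with -CAfile as in "Second" above or with a hashed -CApath directory as in the ca-certificates note. All names (Example Root CA, gateway.example.test, the file names) are constructed; the only assumption is an OpenSSL 1.1 or later command line, since -no-CAfile and -no-CApath are used to disable the system trust store.

```shell
#!/bin/sh
# Added example, not part of the original question or answers. It rebuilds the
# situation from the thread offline: a constructed chain root -> intermediate ->
# leaf where, as with Apple's server, the peer would send only leaf + intermediate,
# so "verify error:num=20" appears until the root is trusted via -CAfile or -CApath.
# All names (Example Root CA, gateway.example.test, ...) are constructed.
set -e
work="$(mktemp -d)"
cd "$work"

# Minimal req config so the script does not depend on the system openssl.cnf;
# subjects are passed with -subj, so no prompting section is needed.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# CA extensions for the root and the intermediate (without CA:TRUE the
# intermediate would be rejected as a signer, a different error from num=20).
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > ca.ext

q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still aborts on failure

# 1. Self-signed root: the certificate a server never sends and a client must already trust.
q openssl req -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout root.key -out root.csr
q openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem
# 2. Intermediate signed by the root (the server sends this one, like "Entrust ... L1C" above).
q openssl req -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout inter.key -out inter.csr
q openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
    -extfile ca.ext -out inter.pem
# 3. Leaf for the server name, signed by the intermediate.
q openssl req -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=gateway.example.test" \
    -keyout leaf.key -out leaf.csr
q openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 2 \
    -out leaf.pem

# A hashed directory of the kind -CApath expects (what ca-certificates provides
# under /etc/ssl/certs): each trusted cert is stored as <subject-hash>.0.
mkdir capath
cp root.pem "capath/$(openssl x509 -noout -hash -in root.pem).0"

# Verify the leaf the way s_client would: the intermediate comes from the peer
# (-untrusted), trust anchors only from the arguments. The default system stores
# are disabled so the verdict depends only on what this script says to trust.
# Prints OpenSSL's verdict and returns its exit status.
verify_leaf() {
    openssl verify -no-CAfile -no-CApath "$@" -untrusted inter.pem leaf.pem 2>&1
}

echo "== no trusted root: the situation in the question =="
verify_leaf || true            # error 20 at 1 depth lookup: unable to get local issuer certificate
echo "== root trusted with -CAfile =="
verify_leaf -CAfile root.pem   # leaf.pem: OK
echo "== root trusted with -CApath =="
verify_leaf -CApath capath     # leaf.pem: OK
```

The first run fails at depth 1 with the same num=20 text as in the question: the intermediate was supplied, but nothing it chains to is trusted. Trusting only the intermediate would not help either, since OpenSSL wants a self-signed anchor; trusting the root by file or by hashed directory makes the same leaf verify cleanly.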
I just did the same tutorial and the accepted answer might not be what you want. If you look at the tutorial again you are meant to type:
openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert PushChatCert.pem -key PushChatKey.pem
not just:
openssl s_client -connect gateway.sandbox.push.apple.com:2195
if you type it as one line it will work:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushChatCert.pem -key PushChatKey.pem