Open zhangshdn opened 1 year ago
I am currently trying to make Tongsuo and guanzhi's GMSSL talk to each other, but I found that the two cannot interoperate; only Tongsuo-to-Tongsuo and GMSSL-to-GMSSL work. Below is the error with Tongsuo as the client and GMSSL as the server:
[root@localhost zsh]# openssl s_client -connect 192.168.56.132:15003 -sign_key tlcp-client-sign.key -sign_cert tlcp-client-sign.crt -enc_cert tlcp-client-enc.crt -enc_key tlcp-client-enc.key -CAfile cas.pem -enable_ntls -ntls
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 CN = tlcp-ca
verify return:1
depth=1 CN = tlcp-intca
verify return:1
depth=0 CN = tlcp-server-enc
verify return:1
depth=2 CN = tlcp-ca
verify return:1
depth=1 CN = tlcp-intca
verify return:1
depth=0 CN = tlcp-server-sign
verify return:1
140299320743744:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:ssl/record/rec_layer_s3.c:1548:SSL alert number 51
---
Certificate chain
0 s:CN = tlcp-server-sign
i:CN = tlcp-intca
1 s:CN = tlcp-server-enc
i:CN = tlcp-intca
2 s:CN = tlcp-intca
i:CN = tlcp-ca
3 s:CN = tlcp-ca
i:CN = tlcp-ca
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBkzCCATigAwIBAgIUGIkLAz7D4ttqcn+O/Nq6e7xUl8YwCgYIKoEcz1UBg3Uw
FTETMBEGA1UEAwwKdGxjcC1pbnRjYTAeFw0yMzExMjEwOTA0MTRaFw0zMzExMTgw
OTA0MTRaMBsxGTAXBgNVBAMMEHRsY3Atc2VydmVyLXNpZ24wWTATBgcqhkjOPQIB
BggqgRzPVQGCLQNCAATFXb4kfSCQa3+b1gRN0M7abGu1jF4D0DEMAc2zvmoxQgiF
4HJD+uWCURKFCVSqigj1nC5b2cYIFITQWcUP9spvo2AwXjAdBgNVHQ4EFgQUB+D1
NXhTr7dwhiAR5XwMTaqFy2wwHwYDVR0jBBgwFoAUgvmWB9PXYnGkFy3Xu8/Hi0bk
xUswDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwCgYIKoEcz1UBg3UDSQAw
RgIhAMRY3w7pvjMgFccGllqBgvQPTADHsEzv35IABCNR9KUNAiEAsIEE+oMazxFz
h6b5YxGwr/bF+z3noPCFzAJMH8o3aMs=
-----END CERTIFICATE-----
subject=CN = tlcp-server-sign
issuer=CN = tlcp-intca
---
Acceptable client certificate CA names
CN = tlcp-intca
CN = tlcp-ca
Client Certificate Types: RSA sign, DSA sign
---
SSL handshake has read 1836 bytes and written 2040 bytes
Verification: OK
---
New, NTLSv1.1, Cipher is ECC-SM2-SM4-CBC-SM3
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : NTLSv1.1
Cipher : ECC-SM2-SM4-CBC-SM3
Session-ID:
Session-ID-ctx:
Master-Key: 01FD0D259FF150F880C8EAD80D2DD3068EDEE69AA109250685183624E1ECF1A751546C9DC6E1ED10B1F71784321FA25B
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1700622055
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
QUIC: no
---
Then I used Tongsuo as the server and GMSSL as the client; the client error is as follows:
[root@localhost zsh]# gmssl s_client -connect 192.168.56.134:15003 -key tlcp-client-sign.key -dkey tlcp-client-enc.key -cert tlcp-client-sign.crt -dcert tlcp-client-enc.crt -CAfile cas.pem -state
[GMTLS_DEBUG] set sm2 signing certificate
[GMTLS_DEBUG] set sm2 signing private key
[GMTLS_DEBUG] set sm2 encryption certificate
[GMTLS_DEBUG] set sm2 decryption private key
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv3/TLS write client hello
140560061241152:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1385:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 196 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1700621890
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
From the symptoms, the two do not interoperate. Could you please take a look and see whether you can tell what the cause is?
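As an added triage helper (not part of this issue, Tongsuo or GMSSL), the following parses s_client output like the two transcripts above and reports the alert, the handshake stage it arrived at, and the negotiated protocol and cipher; the log excerpts are constructed from the output quoted in this post.

```python
import re

# Constructed excerpts of the two transcripts quoted in this issue:
# Tongsuo client -> GMSSL server, and GMSSL client -> Tongsuo server.
TONGSUO_CLIENT_LOG = """\
depth=0 CN = tlcp-server-sign
verify return:1
140299320743744:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:ssl/record/rec_layer_s3.c:1548:SSL alert number 51
SSL handshake has read 1836 bytes and written 2040 bytes
Protocol : NTLSv1.1
Cipher : ECC-SM2-SM4-CBC-SM3
"""

GMSSL_CLIENT_LOG = """\
140560061241152:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1385:SSL alert number 40
SSL handshake has read 7 bytes and written 196 bytes
Protocol : TLSv1.2
Cipher : 0000
"""

ALERT_RE = re.compile(r"error:([0-9A-F]+):SSL routines:(\w+):([^:]+):.*SSL alert number (\d+)")
BYTES_RE = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
KV_RE = re.compile(r"^(Protocol|Cipher)\s*:\s*(\S+)", re.M)

def triage(log: str) -> dict:
    """Summarise where an s_client handshake died and what was negotiated."""
    out = {"alert": None, "stage": "completed", "protocol": None, "cipher": None}
    m = ALERT_RE.search(log)
    if m:
        out["alert"] = int(m.group(4))
        out["alert_text"] = m.group(3).strip()
    b = BYTES_RE.search(log)
    if b:
        out["read"], out["written"] = int(b.group(1)), int(b.group(2))
    for key, value in KV_RE.findall(log):
        out[key.lower()] = value
    if out["alert"] is not None:
        # A TLS alert record is 5 header bytes plus 2 body bytes, so reading
        # exactly 7 bytes means the peer answered the ClientHello with nothing
        # but a fatal alert (no ServerHello, no certificates).
        if out.get("read") == 7:
            out["stage"] = "rejected at ClientHello"
        elif "verify return" in log:
            out["stage"] = "failed after certificate exchange"
        else:
            out["stage"] = "failed mid-handshake"
    return out
```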
The SM (Guomi) implementations each have their own independent X.509 definitions and are mutually incompatible…
While obtaining its level-1 security certification as a software cryptographic module, Tongsuo went through the TLCP client and TLCP server compatibility tests that are among the test items of the Commercial Cryptography Testing Center of the State Cryptography Administration; the certification is only granted after passing them, so Tongsuo is compatible with the test standard.
I would like to ask a question that has been troubling me for a long time without a solution. The openssl version is as follows:
openssl version BabaSSL 8.3.2 OpenSSL 1.1.1h 22 Sep 2020
I am using SM dual certificates, server_sign.crt and server_enc.crt, together with the CA certificate root.crt, to start the server and client example. How are these two dual certificates used? Server start:
openssl s_server -port 15003 -key tlcp-server-sign.key -cert tlcp-server-sign.crt -dkey tlcp-server-enc.key -dcert tlcp-server-enc.crt -CAfile cas.pem
Now I do not know how to start the client; my client also uses dual certificates.