Certificate error in Perl

I am connecting to a CAS server. But my CAS server certificate is expired, and due to this I am getting the error below:

error SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed unable to connect https://<domain Name>:443/

To avoid this error, a few suggestions are to set verify_hostname & verify_ssl to "0". But it's not solving the issue. Can anyone help?

Perl version: 5.22
LWP: 6.0.16

To avoid this error, a few suggestions are to set verify_hostname & verify_ssl to "0"

If you would follow these suggestions then you should ask yourself why you use https at all. Because ignoring certificate errors means that man in the middle attacks are possible and thus the protection TLS should offer simply vanishes.

To connect to a server where the certificate cannot be properly validated by normal means you have to use a different kind of verification instead of no verification at all. Support for https in current versions of LWP is realized using IO::Socket::SSL. This module offers a simple mechanism to deal with such problems by comparing the fingerprint of the certificate against the expected fingerprint.

First you need to get the current fingerprint of the certificate. This can be done with some openssl commands, or, if you are sure that there is currently no man in the middle attack, you could simply access the server:

use strict;
use warnings;
use IO::Socket::SSL 1.980;   # also exports $SSL_ERROR

my $dst = 'bad-cert.example.com';
my $cl = IO::Socket::SSL->new(
    PeerAddr => $dst,
    PeerPort => 443,
    # certificate cannot be validated the normal way, so we need to
    # disable validation this one time in the hope that there is
    # currently no man in the middle attack
    SSL_verify_mode => 0,
) or die "connect failed: $SSL_ERROR";
# default algorithm is sha256; result looks like "sha256$<hex digest>"
my $fp = $cl->get_fingerprint;
print "fingerprint: $fp\n";

This will give you a fingerprint with hash algorithm, i.e. something like sha256$55a5dfaaf... . This fingerprint then can be used to validate the certificate in future calls:

use strict;
use warnings;
use IO::Socket::SSL 1.980;
use LWP::UserAgent;

my $dst = ....;   # from above example
my $fp = ....;    # from above example
# SSL_* options in ssl_opts are handed through to IO::Socket::SSL;
# SSL_fingerprint replaces the normal CA based validation with a
# comparison against the pinned fingerprint
my $ua = LWP::UserAgent->new(ssl_opts => { SSL_fingerprint => $fp });
my $resp = $ua->get("https://$dst");
die "request failed: " . $resp->status_line unless $resp->is_success;
print $resp->content;

Apart from that please note that there is a reason certificates expire. After the expiration time no more revocations will be tracked. This means you have to really know that this certificate is definitely not revoked, because no CA will tell you.
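An added example, not part of the answer above, showing how to get the expected fingerprint without the one-time unverified connection: compute it from a copy of the server certificate received out of band (for example handed over by the CAS administrator), then pin it with SSL_fingerprint. The certificate path and host name are placeholders; Digest::SHA and MIME::Base64 are core Perl modules.

```perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);
use Digest::SHA qw(sha256_hex);
use IO::Socket::SSL 1.980;   # also exports $SSL_ERROR

# placeholders: a PEM copy of the server certificate obtained out of band,
# and the host to connect to
my $cert_file = '/path/to/cas-server.pem';
my $dst       = 'cas.example.com';

# Compute the certificate fingerprint the way get_fingerprint reports it:
# sha256 over the DER encoding, as "sha256$" followed by lowercase hex.
sub pem_fingerprint {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    local $/;
    my $pem = <$fh>;
    close $fh;
    # use the first certificate block in the file and decode it to DER
    my ($b64) = $pem =~ m{-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----}s
        or die "no certificate found in $path";
    my $der = decode_base64($b64);
    return 'sha256$' . sha256_hex($der);
}

my $fp = pem_fingerprint($cert_file);
print "expected fingerprint: $fp\n";

# Normal CA validation is replaced by the fingerprint comparison, so the
# expired certificate is accepted, but any other certificate (for instance
# one presented by a man in the middle) makes the connection fail.
my $cl = IO::Socket::SSL->new(
    PeerAddr        => $dst,
    PeerPort        => 443,
    SSL_fingerprint => $fp,
) or die "connect failed: $SSL_ERROR";

print "fingerprint matches; certificate subject: ",
    $cl->peer_certificate('subject'), "\n";
```

The same $fp value can be passed to LWP::UserAgent via ssl_opts as in the answer; when the server is eventually given a new certificate the pinned fingerprint must be updated, otherwise the connection fails closed.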
