Is there a way to get the OpenSSL X509 certificate name that I'm sending to peer in C++?

I am getting remote certficate mismatch error for a few cases from a peer and I am unable to track the issues from server side.

After doing int ret = SSL_accept(ssl), is there a way that I can get the certificate name and its details from server (C++ binary) during SSL handshake and print that?

Is there any SSL API that I can use?

Thanks!

You can use SSL_get_certificate with the SSL session structure (which is returned in the SSL_Accept) to retrieve the X509 structure that owns the certificate served to the client. Later you can extract with some X509 specific functions the CN of the certificate:

X509_NAME_oneline(X509_get_subject_name(certificate), buf, 256);

This would be a naive approach since one cert can handle different CN's, but it could be enough for your problem.

I usually do this the 'stupid way' - capturing the

tcpdump -n -s 1500 -w - port 443 and host www.foobar.com | strings

tcpdump -n -s 1500 -w - port 443 and host www.foobar.com | hexdump -C

i.e. just sniffing on the wire. As during a normal (non upgrade, etc) ssl exchange this is exchanged in the clear. While ASN1 encoded - easy to simply 'see' the common name and other DN fields.

000305e0  06 03 55 04 0b 13 16 77  77 77 2e 71 75 6f 76 61  |..U....www.quova|
000305f0  64 69 73 67 6c 6f 62 61  6c 2e 63 6f 6d 31 20 30  |disglobal.com1 0|
00030600  1e 06 03 55 04 03 13 17  51 75 6f 56 61 64 69 73  |...U....QuoVadis|
00030610  20 47 6c 6f 62 61 6c 20  53 53 4c 20 49 43 41 30  | Global SSL ICA0|
00030620  1e 17 0d 31 31 30 38 30  35 31 30 31 38 30 36 5a  |...110805101806Z|
00030630  17 0d 31 32 30 38 30 35  31 30 31 38 30 36 5a 30  |..120805101806Z0|
00030670  1b 30 19 06 03 55 04 0a  13 12 41 42 4e 20 41 4d  |.0...U....ABN AM|
00030680  52 4f 20 42 61 6e 6b 20  4e 2e 56 2e 31 19 30 17  |RO Bank N.V.1.0.|
00030690  06 03 55 04 0b 13 10 49  6e 74 65 72 6e 65 74 20  |..U....Internet |
000306a0  42 61 6e 6b 69 6e 67 31  16 30 14 06 03 55 04 03  |Banking1.0...U..|

is the sort of stuff you see. The proper way to do this is to sit on the callback and analyse the cert stack.
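The DN fields that the second answer picks out of the hexdump by eye can also be extracted programmatically. This is an added example, not code from either answer: it scans raw bytes for the DER pattern 06 03 55 04 xx (OID 2.5.4.x) followed by a short string value. The function names are hypothetical, the sample bytes are copied from the dump rows at 00030670 to 000306a0, and the approach only applies where the Certificate message crosses the wire unencrypted (TLS 1.2 and earlier; TLS 1.3 encrypts it).

```cpp
// Added example: extract X.520 name attributes from raw captured bytes.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Short name for the last arc of OID 2.5.4.N; "" when not handled here.
static const char *attr_name(uint8_t arc) {
    switch (arc) {
        case 3:  return "CN";
        case 10: return "O";
        case 11: return "OU";
        default: return "";
    }
}

// Match 06 03 55 04 <arc>, then a string TLV (UTF8String 0x0c,
// PrintableString 0x13, IA5String 0x16) with a short-form length.
std::vector<std::string> scan_dn_attributes(const std::vector<uint8_t> &buf) {
    std::vector<std::string> out;
    for (size_t i = 0; i + 7 <= buf.size(); ++i) {
        if (buf[i] != 0x06 || buf[i + 1] != 0x03 ||
            buf[i + 2] != 0x55 || buf[i + 3] != 0x04) continue;
        const char *name = attr_name(buf[i + 4]);
        const uint8_t tag = buf[i + 5];
        const size_t len = buf[i + 6];
        const bool is_string = tag == 0x0c || tag == 0x13 || tag == 0x16;
        if (!*name || !is_string || len >= 0x80) continue;  // long form: skip
        if (i + 7 + len > buf.size()) continue;  // value cut off by the capture
        out.push_back(std::string(name) + "=" +
                      std::string(buf.begin() + i + 7, buf.begin() + i + 7 + len));
        i += 6 + len;  // resume right after this value
    }
    return out;
}

// Bytes copied from the dump rows 00030670..000306a0 shown above.
std::vector<uint8_t> sample_capture() {
    return {0x1b,0x30,0x19,0x06,0x03,0x55,0x04,0x0a,0x13,0x12,0x41,0x42,0x4e,0x20,0x41,0x4d,
            0x52,0x4f,0x20,0x42,0x61,0x6e,0x6b,0x20,0x4e,0x2e,0x56,0x2e,0x31,0x19,0x30,0x17,
            0x06,0x03,0x55,0x04,0x0b,0x13,0x10,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,
            0x42,0x61,0x6e,0x6b,0x69,0x6e,0x67,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03};
}

int main() {
    for (const std::string &attr : scan_dn_attributes(sample_capture()))
        std::printf("%s\n", attr.c_str());
    return 0;
}
```

The trailing CN in the sample is cut off at the end of the buffer, so it is skipped rather than read past the captured bytes.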
