如何在OpenSSL中獲取SSL證書
[英]How to Grab SSL Certificate in OpenSSL
問題描述
因此,我一直在高低尋找如何在我正在開發的C ++應用程序中的OpenSSL內驗證服務器證書的方法,最后得到了提示。 但是,我仍然缺少一些步驟。
因此,我發現OpenSSL有一個名為s_client的ssl客戶端應用程序。 當我使用以下命令時:
echo -n | openssl s_client -connect mywebsite.me:443 -debug | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > my.cert
我在應用程序中收到此錯誤:
verify error:num=20:unable to get local issuer certificate
直到我進行了更多搜索之后,我才發現錯誤的含義,並且必須執行以下操作:
echo -n | openssl s_client -connect mywebsite.me:443 -debug | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > my.cert
echo -n | openssl s_client -connect mywebsite.me:443 -debug -CAfile my.cert
第一個命令連接,接收響應,將其保存到文件中,但無法驗證響應。 第二個重新連接發送已保存的文件,並允許正確驗證證書。
我的問題是,我該如何抓住要發送到sed的流,並最好在一個連接中以c / c ++的形式發送“ my.cert”? 我一直在瀏覽s_client代碼,但似乎找不到它。
1 個解決方案
解決方案1
4 2014-03-03 22:17:47
openssl s_client -connect mywebsite.me:443 -debug ... I receive this error as I do within my application: verify error:num=20:unable to get local issuer certificate
mywebsite.me已通過Go Daddy認證。 特別是Go Daddy Class 2 Certification Authority 。
$ openssl s_client -connect mywebsite.me:443
CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/O=breezi.com/OU=Domain Control Validated/CN=breezi.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
...
導航到Go Daddy存儲庫,SSL證書信息並獲取Go Daddy 2類證書頒發機構根證書 。 您無法使用URL進行簡單的wget ,因為GoDaddy已使用javascript來完成下載(它會獲取網頁而不是證書)。 GoDaddy根目錄另存為gd-class2-root.crt 。
然后,使用-CAfile選項再次運行openssl s_client 。 證書已過期,因此您將收到Verify return code: 10 (certificate has expired) 。 但這清除了信任問題。
$ openssl s_client -CAfile gd-class2-root.crt -connect mywebsite.me:443
CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287
verify return:1
depth=0 O = breezi.com, OU = Domain Control Validated, CN = breezi.com
verify error:num=10:certificate has expired
notAfter=Sep 29 02:23:46 2013 GMT
verify return:1
depth=0 O = breezi.com, OU = Domain Control Validated, CN = breezi.com
notAfter=Sep 29 02:23:46 2013 GMT
verify return:1
---
Certificate chain
0 s:/O=breezi.com/OU=Domain Control Validated/CN=breezi.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFUzCCBDugAwIBAgIHJ84NzOXfzDANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlm
aWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5
IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5Njky
ODcwHhcNMTIwOTI5MDIyMzQ2WhcNMTMwOTI5MDIyMzQ2WjBNMRMwEQYDVQQKEwpi
cmVlemkuY29tMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0ZWQxEzAR
BgNVBAMTCmJyZWV6aS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDVdxshW9y7VRrN8VtPeKqfC2PXdBnxSH2Lh3jzu6ESOuQw3Jn4oFHTVNJBGxA6
v3dh607UroG9LfjN3rz+qvfmN8A7+gKtJOVM7Grc+IlTU/gy+1Ks8cs84Gsn6cq9
3yM3Qix3POf//T8q6jsYuthmzKpAcrqZizF4OFT2bDnHr2WHDDIL+BXVSBbVRgQM
r8TOtPAagiEgpjpgtSTDMTuk4fDnWolyLMW8HhBKMq2HkfoV/fD3osS0ZGgqTbwm
KnPbdAXmonMWztEr8tJe2SRdQx5HlJ5VDNgH5/ckpFnebSo0pUmthHAI5tAMiBRB
jShnAHu+GVczKuc03gYTNSQXAgMBAAGjggG4MIIBtDAPBgNVHRMBAf8EBTADAQEA
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAw
MwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nb2RhZGR5LmNvbS9nZHMxLTc3
LmNybDBTBgNVHSAETDBKMEgGC2CGSAGG/W0BBxcBMDkwNwYIKwYBBQUHAgEWK2h0
dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS8wgYAGCCsG
AQUFBwEBBHQwcjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20v
MEoGCCsGAQUFBzAChj5odHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3Jl
cG9zaXRvcnkvZ2RfaW50ZXJtZWRpYXRlLmNydDAfBgNVHSMEGDAWgBT9rGEyk2xF
1uLuhV+auud2mWjM5zAlBgNVHREEHjAcggpicmVlemkuY29tgg53d3cuYnJlZXpp
LmNvbTAdBgNVHQ4EFgQUPbIjjMZfa7Cmna7cApwl4ltIWIgwDQYJKoZIhvcNAQEF
BQADggEBAAbv7E5Gg/s0+2u4hvxHvFs5fNCT/x3QKw2AjECYM5e/jdzIBPPzA9us
zT20mDWGj/2uxoxpYg8Yjh82G68eCQ/DykKVskiR4Fiud4q9+5S+ZBsZsozNb6F8
GO2ckdhR4mDI/6xaSCzoCZljlpNXLuhOjvK3/1frxVgzbNxwERIIT8eVhBbPh7KG
3r+AQi3bbtcLJP4j0cNMHWup8FcTeRJyobjAwfOB/ot62ZeDuhtDM37wmL6XWAfw
0a0JjAD1xb8iYeKQ+aOqKTTcExdlckQFPnjfJwqk+xbXoXZGWI6pTdtTTYOOeJGu
ZXKr/ICABK8DviHq0RfVp3lnbVgfwkQ=
-----END CERTIFICATE-----
subject=/O=breezi.com/OU=Domain Control Validated/CN=breezi.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 4497 bytes and written 518 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 41C9F384CAB44419C20452CCBD7B7346A224F55906F943DD977198B48B44FC33
Session-ID-ctx:
Master-Key: BAD61F7C0883D5C3918DCB766C83A85FFF4C533823C5CA41C62617701E87C66C6D1351C30521B337267753B16C830BBD
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - 77 82 b3 42 d2 32 f9 4f-32 55 ea 03 0a 0f 66 16 w..B.2.O2U....f.
0010 - 97 8f 93 2e 47 4e ae cc-d2 a8 c0 ee 81 47 63 be ....GN.......Gc.
0020 - 07 40 fc c4 a0 28 78 e6-a2 97 22 73 87 28 77 f2 .@...(x..."s.(w.
0030 - a2 80 a3 6f d3 3c 50 cc-82 a8 0c 8e 9b 04 f0 7e ...o.<P........~
0040 - 12 24 d2 2a 9c 6b ef b8-49 d7 16 f1 45 80 e1 44 .$.*.k..I...E..D
0050 - fe d4 87 0e 92 80 b3 63-98 36 5e 9b 39 91 a3 76 .......c.6^.9..v
0060 - 3a 37 dc 1b 4d de 7e 01-22 d0 cd c0 7a 4c cf f8 :7..M.~."...zL..
0070 - ae d4 a5 fe 74 19 03 db-99 28 b7 09 ce 08 35 dd ....t....(....5.
0080 - 33 ff cd 9f 88 63 05 8a-f4 d1 f7 32 16 0b ed b9 3....c.....2....
0090 - 9f b4 ee 53 2d 8b b4 c2-27 bd b5 4d e3 19 a3 72 ...S-...'..M...r
Compression: 1 (zlib compression)
Start Time: 1393884832
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
It's not until I did some more searching that I found out what the error meant and that I had to do the following: echo -n | openssl s_client -connect mywebsite.me:443 -debug | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > my.cert echo -n | openssl s_client -connect mywebsite.me:443 -debug -CAfile my.cert
不,這不是做事的方法。
如果您擁有mywebsite.me域,則可以從StartCom獲得免費的1類證書。 他們的證書受到大多數移動和桌面瀏覽器的信任。
雖然StartCom不收取頒發證書的費用,但他們卻收取吊銷費用,因為這是要花錢的。 (其他CA會先向您收取撤銷費用,然后在不需要時將其收入口袋)。
如何在 C++ 中使用 openssl 創建證書驗證的信任鏈。
[英]how to create trust chain for certificate validation using openssl in C++.?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.