
openssl - How to ignore certificate verification when using openssl s_client connect?

Reposted. Author: 行者123. Updated: 2023-12-03 14:48:34

I am trying to connect to a server using the following command:

openssl s_client -connect xx.xx.xx.xx:443

Error:
CONNECTED(00000005)
depth=0 L = XXXXXXX
verify error:num=20:**unable to get local issuer certificate**
verify return:1
depth=0 L = XXXXXXXX
verify error:num=21:**unable to verify the first certificate
verify return:1**
---
Certificate chain
0 s:/L=XXXX
i:/C=XXXX
---
Server certificate
-----BEGIN CERTIFICATE-----
....
...
..
<removed cert>
..
...
....
-----END CERTIFICATE-----
subject=xxxxxxx CN=*xxx.xom
issuer=XXXX CA
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2281 bytes and written 326 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 52A27BC97001D52A7DA4A73FBA87C7DD2902A0C55B0AE9FAA87A3A8DBA94A7CE
Session-ID-ctx:
Master-Key: ECD435DCDD59B2BAD50A1BF8BAEA39E68058524A082DC219CEE290DB7A80A37AE4E763DF7FA
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 5d b4 5c fe ca 2d 54 2e-31 49 74 a6 18 a7 3a f5 ].\..-T.1It...:.
XXXX
0080 - ab 5c 0a bc 45 9c 10 01-9f 3b ce 6e ee 1a a6 99 .\..E....;.n....
0090 - 04 81 ea e0 be a5 91 a2-18 09 d4 b8 90 b7 c7 50 ...............P
00a0 - f7 7d 73 e5 b1 3d 0d 58-20 07 78 7b 57 c4 34 58 .}s..=.X .x{W.4X

Start Time: 1566410644
Timeout : 7200 (sec)
**Verify return code: 21 (unable to verify the first certificate)**
---

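So it looks like the command is trying to verify the certificate, which I don't want. How can I bypass the verification?
Is there something similar to curl's -k flag?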

Best answer

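OpenSSL's s_client never terminates on a bad certificate unless you also use the -verify_return_error argument (as @bartonjs already suggested in the comments).
You can read more about this in the man page (man 1 s_client) or online. Look for the -verify argument, or further down in the Notes: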

If there are problems verifying a server certificate then the -showcerts option can be used to show all the certificates sent by the server.

The s_client utility is a test tool and is designed to continue the handshake after any certificate verification errors. As a result it will accept any certificate chain (trusted or not) sent by the peer. Non-test applications should not do this as it makes them vulnerable to a MITM attack. This behaviour can be changed with the -verify_return_error option: any verify errors are then returned aborting the handshake.


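If the result you see is the last "error" you see, then something else on the server is probably terminating the connection. You should see the reason in the web server logs.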
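
An added example, not part of the original answer: because s_client continues past verification errors, a script that relies on it has to read the result from the transcript or pass -verify_return_error. The function names and the sample transcripts below are constructed for illustration.

```shell
# Added example: function names and sample transcripts are constructed.

# Print the code from the "Verify return code: N (...)" line on stdin.
# If the line appears more than once, the last one wins.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Succeed only if the transcript on stdin reports code 0 (ok).
# A transcript with no such line counts as a failure.
chain_verified() {
    [ "$(verify_code)" = "0" ]
}

# Print "depth<TAB>num<TAB>reason" for every "verify error:" line, using the
# "depth=N" line that s_client prints just before it.
verify_errors() {
    awk '
        /^depth=/ { split($1, d, "="); depth = d[2] }
        /^verify error:num=/ {
            rest = substr($0, length("verify error:num=") + 1)
            i = index(rest, ":")
            printf "%s\t%s\t%s\n", depth, substr(rest, 1, i - 1), substr(rest, i + 1)
        }'
}

# Live check ($1 is host:port): with -verify_return_error the handshake is
# aborted on a verify error, so the exit status reflects the outcome.
strict_connect() {
    openssl s_client -connect "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed transcripts, shaped like the output in the question.
SAMPLE_BAD='CONNECTED(00000005)
depth=0 L = XXXXXXX
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 L = XXXXXXX
verify error:num=21:unable to verify the first certificate
verify return:1
---
    Verify return code: 21 (unable to verify the first certificate)
---'
SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = example.test
---
    Verify return code: 0 (ok)
---'
```

The parsers read a saved transcript on stdin, for example `printf '%s\n' "$SAMPLE_BAD" | verify_errors`; `strict_connect` is the only function that opens a connection.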

Regarding "openssl - How to ignore certificate verification when using openssl s_client connect?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/57597144/
