
ssl - OpenSSL s_client only returns 2/3 certificates from the chain?

Repost. Author: 行者123. Updated: 2023-12-04 22:38:05

I'm still fairly new to OpenSSL, so please bear with me here. I'm trying to use s_client to retrieve root CA certificates from various websites, but for some reason it sometimes doesn't return the final certificate in the chain, which is the one I need most.

I'm using the following (on FreeBSD 10.0):

openssl s_client -showcerts -connect www.facebook.com:443

to get the following output:
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
-----BEGIN CERTIFICATE-----
MIIGqTCCBZGgAwIBAgIQDssJObKxAVS4lXDHsit6RzANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNDA4MjgwMDAwMDBaFw0xNjEyMzAxMjAwMDBa
MGExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTETMBEGA1UEBxMKTWVubG8gUGFy
azEXMBUGA1UEChMORmFjZWJvb2ssIEluYy4xFzAVBgNVBAMMDiouZmFjZWJvb2su
Y29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2NHdNb3iWbb7mx9UFYzbv05Y
vUe+uBD8IunSnpj4SSol+5RG5EKZhFAcXwH9FCUxXE7ZZP3FDLNG0qG8cLSHjqOC
BBcwggQTMB8GA1UdIwQYMBaAFFFo/5CvAgd1PMzZZWRiohK4WXI7MB0GA1UdDgQW
BBRDCZNA+hFLMDPs8odujXEYz4q8jjCBxwYDVR0RBIG/MIG8gg4qLmZhY2Vib29r
LmNvbYIOKi5mYWNlYm9vay5uZXSCCCouZmIuY29tggsqLmZiY2RuLm5ldIILKi5m
YnNieC5jb22CECoubS5mYWNlYm9vay5jb22CDyoubWVzc2VuZ2VyLmNvbYIOKi54
eC5mYmNkbi5uZXSCDioueHkuZmJjZG4ubmV0gg4qLnh6LmZiY2RuLm5ldIIMZmFj
ZWJvb2suY29tggZmYi5jb22CDW1lc3Nlbmdlci5jb20wDgYDVR0PAQH/BAQDAgeA
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAw
hi5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzUuY3Js
MDSgMqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXIt
ZzUuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0
dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMIGDBggrBgEFBQcB
AQR3MHUwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggr
BgEFBQcwAoZBaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hB
MkhpZ2hBc3N1cmFuY2VTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisG
AQQB1nkCBAIEggFtBIIBaQFnAHUApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fN
DsgN3BAAAAFRq3vp+wAABAMARjBEAiAoyH2GXfEUMp06UD4vwpmA7BPI+R9dn4oK
gfv56gKM9QIgKG9/l7MnAWa7iU3FqFM6NM72q0au8XC9uCctwgMo9iwAdgBo9pj4
H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAVGre+m9AAAEAwBHMEUCIQD7
e876HXRr63YgdxbjwFhysyE1msBDLaiQd+G3mtpfbQIgBKqLQtKsytGH33BUxx4i
IFM235NbuB9b/IAF0Zpaq7AAdgBWFAaaL9fC7NP14b1Esj7HRna5vJkRXMDvlJhV
1onQ3QAAAVGre+qPAAAEAwBHMEUCIQD+LLbU75X//M14cYGIrTqzoxIMgrLYtUzm
8Wb+1H40pQIgLSvV1ROEnJnZFmUVCNxZZcXALGqV5+mDn68mizkQJigwDQYJKoZI
hvcNAQELBQADggEBAKqRrlIBjGD2AraU669u6908yOFvF6u4KIDs3FSCViTBFgjh
wsg+PA9TGEB/30E2k5Vfsdk1Q16UYPnWp4Nqfce09guQdvi0CsExDRYYtctxXPmT
AiGqu0D97gobqfLDDiUTY2eiQut56l+P+9i7doxfYcosvgFECa82Hqn3QByks2V4
QmgE8EsMfx/ZE/YKOzV5c2nHPHDlXQaY6ojV3WvmZmJXz6/Q+2eb4MggOrm2Tzl6
X8T9oEaMvMdEp7OrUknbhpftLryAVpWf0mOEV+eSFTLkdcWBUss7JuFdS/3gOV6B
Bq/MfnfRnZoGb+/3/OKGWhZawgTegON4Hw/8f98=
-----END CERTIFICATE-----
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
-----BEGIN CERTIFICATE-----
[certificate body not preserved in this copy of the page]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3401 bytes and written 417 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Session-ID: 775663B26F3B0570F8B6BA08243E9079F2A36735BDCB39883D4D6C14A35ADC31
Session-ID-ctx:
Master-Key: 096644B949FBA333F6205CD76E4C38519D7413BC2BA20CD307199F40E9B1992EC4A6813B8C28295247C4B2E1B8FDD386
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 172800 (seconds)
TLS session ticket:
0000 - 5b d1 e2 4c bd 77 70 f6-0b ac 12 67 27 3f 80 b0 [..L.wp....g'?..
0010 - e9 1b 02 f7 cc 70 50 10-21 ee 0c a4 37 c2 d9 e1 .....pP.!...7...
0020 - a9 54 ef 74 c7 12 c9 d5-0f e7 3d e9 59 dc 1d ac .T.t......=.Y...
0030 - 8f bb a2 58 ad 92 56 24-dd 29 7b 65 01 53 f3 4d ...X..V$.){e.S.M
0040 - cd 05 19 cc dd 00 bc ff-2a bd 16 99 c0 59 2d 7d ........*....Y-}
0050 - dd 09 86 02 a1 f2 00 52-2c 84 88 d3 3d 03 93 81 .......R,...=...
0060 - a3 d2 b3 30 b1 b9 2a e3-fe 45 63 99 e7 3a 24 62 ...0..*..Ec..:$b
0070 - e4 6a 83 41 45 8c 08 2a-8d fb f1 96 0e c0 3e 26 .j.AE..*......>&
0080 - cc ad b4 75 3b c3 96 e5-a5 89 c5 3e fa 8d 7c 96 ...u;......>..|.
0090 - cf 70 b9 99 8a fc 65 5a-9a 34 7d f2 d7 db bb 25 .p....eZ.4}....%
00a0 - e9 b1 4c b4 3e 1b d6 d5-36 de c0 03 95 e3 93 ..L.>...6......
00b0 - <SPACES/NULS>

Start Time: 1468438138
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
closed

As you can see, it stops returning certificates after the second one (DigiCert SHA2 High Assurance Server CA) and does not return the root certificate (DigiCert High Assurance EV Root CA).

Am I doing something wrong? Is there a way to force it to return that certificate too?

If so, is there a way to force it to return only that one, since it's the only one I need?

Best answer

Why we don't get the root certificate
@user2797321's comment makes sense, based on my experience trying to track down the certificate that signed a digital certificate:

Root certificates are typically not included in the chain presented during the handshake since it is expected that the client trying to connect to the server already has the root in its trust store.

This Security Stack Exchange answer gives some context from the openssl documentation: with s_client -connect -showcerts we only see the certificates that are sent over the network.
I still needed to get that certificate for my own use case, and I'm currently on Windows, so I've filled in the Windows instructions and added a couple of links that seem to point us in the right direction for other operating systems; I'd be grateful if anyone who finds this answer on those systems could fill in the details for the corresponding sections.
Exporting the root certificate - Windows
I (sadly) work on Windows. When I google things I always get odd results and then extrapolate wildly, so I worked out what to do from this random confluence page, but to spare you the mental gymnastics, here is a (hopefully) more targeted set of instructions:
  • Start -> search for "certificates" -> Manage user certificates (or certmgr seems to work too)
  • Select Trusted Root Certification Authorities on the left; double-click "Certificates" on the right.
  • Scroll down to the root certificate you want on the right
  • Right-click -> All Tasks -> Export...
  • Follow the prompts; in my case I chose "Base64 encoded X.509 (.CER)" as the export format

Exporting the trusted root certificate - Mac OS
Instructions (untested / require adaptation) for Mac
Exporting the trusted root certificate - Linux
Instructions (untested / require adaptation) for Linux

For "ssl - OpenSSL s_client only returns 2/3 certificates from the chain?", the original question on Stack Overflow is: https://stackoverflow.com/questions/38359307/
