【Question title】: How to Grab SSL Certificate in OpenSSL
【Posted】: 2014-03-03 17:07:52
【Question】:

So I have been searching for how to verify my server's certificate with OpenSSL in a C++ application I am developing, and I finally got a hint. However, I am still missing some steps.

I found that OpenSSL ships an SSL client application called s_client. When I use the following command:

echo -n | openssl s_client -connect mywebsite.me:443  -debug | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > my.cert

I receive this error, the same one I get within my application:

verify error:num=20:unable to get local issuer certificate

It was not until I did some more searching that I found out what the error meant and that I had to do the following:

echo -n | openssl s_client -connect mywebsite.me:443  -debug | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > my.cert
echo -n | openssl s_client -connect mywebsite.me:443  -debug -CAfile my.cert

The first command connects, receives the response and saves it to a file, but cannot verify the response. The second reconnects, sends the saved file, and lets the certificate verify correctly.

My question is: how can I grab the stream that is piped to sed and send "my.cert" from C/C++, preferably in a single connection? I have been walking through the s_client code but cannot seem to find it.

【Question discussion】:

    Tags: c++ ssl sed openssl


    【Answer 1】:
    openssl s_client -connect mywebsite.me:443  -debug
    ...
    I receive this error as I do within my application:
    
    verify error:num=20:unable to get local issuer certificate
    

    mywebsite.me is certified by Go Daddy. Specifically, the Go Daddy Class 2 Certification Authority:

    $ openssl s_client -connect mywebsite.me:443
    CONNECTED(00000003)
    depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/O=breezi.com/OU=Domain Control Validated/CN=breezi.com
       i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
     1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
       i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
     2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
       i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
    ...
    

    Navigate to the Go Daddy Repository, SSL Certificate Information, and fetch the Go Daddy Class 2 Certification Authority Root Certificate. You cannot do a simple wget of the URL because GoDaddy performs the download with JavaScript (you get the web page rather than the certificate). Save the GoDaddy root as gd-class2-root.crt.

    Then run openssl s_client again with the -CAfile option. The certificate has expired, so you will get Verify return code: 10 (certificate has expired). But it fixes the trust problem:

    $ openssl s_client -CAfile gd-class2-root.crt -connect mywebsite.me:443
    CONNECTED(00000003)
    depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
    verify return:1
    depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287
    verify return:1
    depth=0 O = breezi.com, OU = Domain Control Validated, CN = breezi.com
    verify error:num=10:certificate has expired
    notAfter=Sep 29 02:23:46 2013 GMT
    verify return:1
    depth=0 O = breezi.com, OU = Domain Control Validated, CN = breezi.com
    notAfter=Sep 29 02:23:46 2013 GMT
    verify return:1
    ---
    Certificate chain
     0 s:/O=breezi.com/OU=Domain Control Validated/CN=breezi.com
       i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
     1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
       i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
     2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
       i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
    ---
    Server certificate
    subject=/O=breezi.com/OU=Domain Control Validated/CN=breezi.com
    issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 4497 bytes and written 518 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: zlib compression
    Expansion: zlib compression
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: 41C9F384CAB44419C20452CCBD7B7346A224F55906F943DD977198B48B44FC33
        Session-ID-ctx: 
        Master-Key: BAD61F7C0883D5C3918DCB766C83A85FFF4C533823C5CA41C62617701E87C66C6D1351C30521B337267753B16C830BBD
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket:
    
        Compression: 1 (zlib compression)
        Start Time: 1393884832
        Timeout   : 300 (sec)
        Verify return code: 10 (certificate has expired)
    

    It's not until I did some more searching that I found out
    what the error meant and that I had to do the following:
    echo -n | openssl s_client -connect mywebsite.me:443  -debug | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > my.cert
    echo -n | openssl s_client -connect mywebsite.me:443  -debug -CAfile my.cert
    

    No, that is not the way to do it.


    If you own the mywebsite.me domain, you can get a free Class 1 certificate from StartCom. Their certificates are trusted by most mobile and desktop browsers.

    While StartCom does not charge for issuing a certificate, they do charge for revoking one, because that is what costs money. (Other CAs charge you for revocation up front and then pocket the money when it is not needed.)

    【Discussion】:

    • I did not expect mywebsite.me to actually be owned, lol. Thanks for the quick response, but I need to handle the 20 error, just as you would when using google.com, and I need to handle it in C++. I want to stay away from including files in my build; I want to connect, grab the certificate, and use it to verify the server. Thanks again.
    • "I did not expect mywebsite.me to actually be owned..." - next time use example.com. It is reserved by IANA for this purpose.
    • What is the correct way to verify a certificate? Do you have a reference? Thanks!
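Added example (not from the question or the answer): a self-contained POSIX shell script that reproduces the thread's two outcomes offline, "error 20: unable to get local issuer certificate" when the issuing root is not in the trust file, and success when it is, and then adds the hostname check that the answer's -CAfile approach implies. The root CA and the example.com leaf are constructed locally and stand in for the Go Daddy root and the mywebsite.me server certificate.

```shell
#!/bin/sh
# Constructed test PKI: one root CA, one unrelated root, one leaf for example.com.
set -e
WORK=$(mktemp -d)

# Root that actually issued the leaf (stands in for gd-class2-root.crt).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# A different root: a trust file that does not contain the real issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
# Leaf certificate for example.com, signed by the real root (stands in for my.cert).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'subjectAltName=DNS:example.com\n' > "$WORK/san.cnf"
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.cnf" \
  -out "$WORK/leaf.pem" 2>/dev/null

# verify_leaf CAFILE HOST: prints openssl's verdict text; exit status is openssl's.
# Chain building AND hostname matching must both pass for status 0.
verify_leaf() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/leaf.pem" 2>&1
}

# verify_status CAFILE HOST: echoes 0 on success, 1 on any verification failure.
verify_status() {
  if verify_leaf "$1" "$2" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# Demonstration when run directly: wrong root -> error 20, right root -> OK,
# right root but wrong name -> hostname mismatch.
verify_leaf "$WORK/other.pem" example.com || true
verify_leaf "$WORK/ca.pem" example.com
verify_leaf "$WORK/ca.pem" other.example || true
```

The first run shows the OP's error 20, which a trust file containing the leaf's real issuer clears; the last run shows that a trusted chain alone is not enough and the name the client connected to must also be checked.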