How to use SSL_CERT_FILE for OpenSSL Windows (OpenSSL 1.0.1c)


Problem description


How (if at all) can one define a single trusted certificate file for OpenSSL on Windows (Win-7, OpenSSL 1.0.1c) using the SSL_CERT_FILE environment variable?


Various research led me to download the December '12 version of Mozilla's trusted certificates in PEM format, from here: http://curl.haxx.se/docs/caextract.html This contains all of the certs and assorted related info concatenated together into one file.


I've found various references to the usage of the environment variables SSL_CERT_DIR and SSL_CERT_FILE with respect to other products which rely on OpenSSL. For instance, http://lynx.isc.org/current/README.sslcerts indicates that one can set both of these, and the underlying OpenSSL libraries will use them. However, that hasn't been my experience with the OpenSSL tool itself.


I was able to use SSL_CERT_DIR successfully, but with great pain, as follows. I exported (from IE 8) the certificate from www.wellsfargo.com (selected randomly), along with the two certificates in its trust chain, both from Verisign. I put each of the two Verisign certs in a directory C:\ca_stuff, and for each, generated a hash thus


openssl x509 -hash -noout -in "Verisign Intl Server.cer"


which had output a302054c, and from this created a link thus


mklink a302054c.0 "Verisign Intl Server.cer"


and likewise for the other Verisign cert. I then put the Wells Fargo cert. in a different directory, and was able to verify it successfully using

set SSL_CERT_DIR=C:\ca_stuff
openssl verify "Wells Fargo web.cer"


However, after defining SSL_CERT_FILE, pointing to the downloaded cacert.pem downloaded from the cURL site, the same command failed. It did so with and without having SSL_CERT_DIR defined. I verified that the necessary CA certificates were in the bundle, and confirmed their serial numbers matched those I'd manually extracted from IE.


It seems like an arduous process to manually extract each certificate and put it in its own file with a hash link pointing at it. If this were Unix, I could automate it, but on Windows... I've apparently misunderstood something about how to get one big CA cert file working with OpenSSL.


Thank you in advance for any recommendations, insights and assistance.

Recommended answer


How (if at all) can one define a single trusted certificate file for OpenSSL


The CAFile is simply a concatenation of self-signed certificates that you trust and want to use. If you only want to trust one, then there should only be one in the CA File.

I prefer the PEM encoding because it's easier to inspect with a text editor (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). For example, here's the ca-bundle.pem from Startcom (http://www.startssl.com/certs/):


So, to create one, just use cat and redirections (or copy and paste):

# Empty my-ca-file.pem
echo "" > my-ca-file.pem
# Add Startcom certs
cat startcom-ca-bundle.pem >> my-ca-file.pem
# Add others as desired
...



Various research led me to download the December '12 version of Mozilla's trusted certificates in PEM format...


Well, that's one of the lists you can use. When you use Mozilla's list, you are saying "I trust Mozilla to do the right thing". Keep in mind Mozilla rewarded Trustwave's bad behavior when Trustwave was caught intercepting SSL/TLS traffic. Even though Trustwave violated at least two inclusion policies, Mozilla continued to include them because Trustwave promised never to do it again. See Remove Trustwave Certificate(s) from trusted root certificates for details.


If you don't trust Mozilla's judgement, then you can use OpenSSL's built-in list at /usr/lib/ssl/certs/ca-certificates.crt, use another list (most major vendors have them), or build your own.


Using a different vendor's list is usually the equivalent of trading the devil you know for the devil you don't know. For example, Apple has a list they use that you can inspect at iOS: List of available trusted root certificates (iOS 7). But Apple's list has lots of problems: http://seclists.org/fulldisclosure/2013/Sep/186 and http://seclists.org/fulldisclosure/2013/Sep/184.


I would recommend building your own list or pinning certificates. Pinning certificates or public keys is better because it neutralizes the systemic problems in SSL/TLS that allowed Trustwave to do what they did. See OWASP's Certificate and Public Key Pinning for details.


... on Windows (Win-7, OpenSSL 1.0.1c) using the SSL_CERT_FILE environment variable?


I don't know how to do it through environmental variables because I don't use them. But there should be no difference between Linux/Unix/OSX/Windows (except, perhaps, the handling of long file names and spaces).


Looking at the OpenSSL sources, you have the following in cryptlib.h:

#define X509_CERT_FILE_EVP       "SSL_CERT_FILE"

x509_def.c uses X509_CERT_FILE_EVP:

const char *X509_get_default_cert_file_env(void)
    { return(X509_CERT_FILE_EVP); }

X509_get_default_cert_file_env is used by by_file_ctrl in by_file.c:

...
switch (cmd)
{
    case X509_L_FILE_LOAD:
        if (argl == X509_FILETYPE_DEFAULT)
        {
            file = (char *)getenv(X509_get_default_cert_file_env());
            if (file)
                ok = (X509_load_cert_crl_file(ctx,file,
                                              X509_FILETYPE_PEM) != 0);

            else
                ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
                                              X509_FILETYPE_PEM) != 0);

            if (!ok)
            {
                X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS);
            }
        }
        else
        {
            if(argl == X509_FILETYPE_PEM)
                ok = (X509_load_cert_crl_file(ctx,argp,
                                              X509_FILETYPE_PEM) != 0);
            else
                ok = (X509_load_cert_file(ctx,argp,(int)argl) != 0);
        }
        break;
}
return(ok);


So, a concatenation of PEM formats is preferred (required?) when using SSL_CERT_FILE.


Finally, be sure the SSL_CERT_FILE is not being overridden by a configuration file setting. See OpenSSL config(5) for details.


It seems like an arduous process to manually extract each certificate and put it in its own file with a hash link pointing at it.


I don't believe you need to rehash when using SSL_CERT_FILE, -CAfile, or SSL_CTX_load_verify_locations.

I've never rehashed when using -CAfile or SSL_CTX_load_verify_locations, and everything has worked fine. When things break, it's usually because (1) the root certificate is not present or trusted; or (2) an intermediate certificate is not present.

For item (2) above, you need the server to send all the required certificates to build the chain. Otherwise, a client won't know where to look to find a missing intermediate certificate. It's a well-known problem in PKI called the "Which Directory" problem (the client does not know which X500 directory to search for the missing certificate).


Related, here's how to use them in OpenSSL's s_client. This actually works because pagepeeker.com uses StartCom, and it will fail if you omit the -CAfile option:

$ echo "GET / HTTP\1.1" | openssl s_client -connect api.pagepeeker.com:443 -CAfile startcom-ca-bundle.pem
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.florescu@gmail.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGZTCCBU2gAwIBAgIDCJkoMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
...


And related code when doing C programming. This is part of the code I use to set up an SSL/TLS connection (in addition to public key pinning):

#include <openssl/ssl.h>
#include <openssl/err.h>

/* display_error(), display_warning(), UNUSED() and my_verify_cb() are the
   author's own helpers and verify callback, defined elsewhere in their code.
   The create_context() wrapper around the original fragment is added so the
   snippet compiles as a unit; the body is the author's. */
SSL_CTX* create_context(void)
{
    int ret = 0;
    unsigned long ssl_err = 0;
    SSL_CTX* ctx = NULL;

    do
    {
        ret = SSL_library_init();
        ssl_err = ERR_get_error();
        if(!(1 == ret))
        {
            display_error("SSL_library_init", ssl_err);
            break; /* failed */
        }

        /* SSLv23_method() is 'everything' */
        const SSL_METHOD* method = SSLv23_method();
        ssl_err = ERR_get_error();
        if(!(NULL != method))
        {
            display_error("SSLv23_method", ssl_err);
            break; /* failed */
        }

        /* http://www.openssl.org/docs/ssl/ctx_new.html */
        ctx = SSL_CTX_new(method);
        ssl_err = ERR_get_error();
        if(!(ctx != NULL))
        {
            display_error("SSL_CTX_new", ssl_err);
            break; /* failed */
        }

        /* Enable standard certificate validation and our callback */
        /* https://www.openssl.org/docs/ssl/ctx_set_verify.html */
        SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, my_verify_cb);
        /* Cannot fail ??? */

        /* Remove most egregious: disable SSLv2/SSLv3 and compression */
        const long flags = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
        long old_opts = SSL_CTX_set_options(ctx, flags);
        UNUSED(old_opts);

        /* Load the concatenated PEM CA bundle (equivalent of SSL_CERT_FILE / -CAfile) */
        /* http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html */
        ret = SSL_CTX_load_verify_locations(ctx, "startcom-ca-bundle.pem", NULL);
        ssl_err = ERR_get_error();
        if(!(1 == ret))
            display_warning("SSL_CTX_load_verify_locations", ssl_err);

    } while(0);

    /* Use context (NULL if SSL_CTX_new failed) */
    return ctx;
}

It's OK if SSL_CTX_load_verify_locations fails. It means you won't trust anything, so you fail closed or shut.
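An added example, not part of the question or the answer above: it checks that a concatenated PEM bundle of the kind the answer describes is well formed (every BEGIN has its END, CRLF tolerated), writes it out as my-ca-file.pem, and confirms through Python's ssl module (which asks OpenSSL for the variable name) that SSL_CERT_FILE is what OpenSSL consults and that the file is picked up. The bundle contents are constructed placeholders, not real certificates, so the example shows the lookup rather than an actual verification.

```python
import os
import ssl
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def split_pem_bundle(text):
    """Split a concatenated PEM bundle into certificate blocks. A BEGIN without END
    (or vice versa) raises ValueError, the usual result of a paste or line-ending slip."""
    certs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()  # tolerate CRLF and trailing spaces
        if line == PEM_BEGIN:
            if current is not None:
                raise ValueError("BEGIN CERTIFICATE nested inside another block")
            current = [line]
        elif line == PEM_END:
            if current is None:
                raise ValueError("END CERTIFICATE without a matching BEGIN")
            current.append(line)
            certs.append("\n".join(current) + "\n")
            current = None
        elif current is not None and line:
            current.append(line)  # base64 body; text between blocks is ignored
    if current is not None:
        raise ValueError("bundle ends inside a certificate block")
    return certs

def cafile_from_environment(bundle_path):
    """Set SSL_CERT_FILE (left set) and return (env var name OpenSSL reports, CA file ssl resolves)."""
    os.environ["SSL_CERT_FILE"] = bundle_path
    paths = ssl.get_default_verify_paths()
    return paths.openssl_cafile_env, paths.cafile

# Constructed sample bundle: two placeholder blocks, not real certificates.
SAMPLE_BUNDLE = "\r\n".join([
    "# text outside any block (e.g. the cURL extract's header lines) is ignored",
    PEM_BEGIN, "MIIBconstructedPlaceholderOne==", PEM_END,
    PEM_BEGIN, "MIIBconstructedPlaceholderTwo==", PEM_END,
])

def demo(tmp_dir=None):
    """Write SAMPLE_BUNDLE with LF endings, then check OpenSSL finds it via SSL_CERT_FILE."""
    certs = split_pem_bundle(SAMPLE_BUNDLE)
    path = os.path.join(tmp_dir or tempfile.mkdtemp(), "my-ca-file.pem")
    with open(path, "w", newline="\n") as fh:
        fh.write("".join(certs))
    env_name, cafile = cafile_from_environment(path)
    return len(certs), env_name, cafile == path
```

demo() returns the certificate count, the variable name OpenSSL reports and whether the written file was resolved as the default CA file.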
