How to list certificates, trusted by OpenSSL?

Question

As I understand, any software working with X.509 certificates may have own basis to decide, whether a certificate is trusted or not.

AFAIK OpenSSL just consults a list (such as, for example, /etc/ssl/certs) and checks if the certificate is present there.

Is there a way for OpenSSL to list all certificates which it trusts? I know that I can consult that file myself (on my particular installation of OpenSSL), but is there a (installation-independent) way to get the trusted list from OpenSSL itself?

Recommended answer

AFAIK OpenSSL just consults a list (such as, for example, /etc/ssl/certs) and checks if the certificate is present there.

No, OpenSSL trusts nothing by default. You have to instruct it what to trust. There's even a FAQ topic covering it: Why does <SSL program> fail with a certificate verify error?:

This problem is usually indicated by log messages saying something like "unable to get local issuer certificate" or "self signed certificate". When a certificate is verified its root CA must be "trusted" by OpenSSL this typically means that the CA certificate must be placed in a directory or file and the relevant program configured to read it. The OpenSSL program 'verify' behaves in a similar way and issues similar error messages: check the verify(1) program manual page for more information.

You can also test your connection to Google to see how OpenSSL behaves:

$ openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
...
Start Time: 1407377002
Timeout   : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)

Notice the above fails because OpenSSL does not trust GeoTrust Global CA by default. Actually, there's another trust point in the chain and that's Google Internet Authority G2.

You can remedy the situation by telling OpenSSL what to trust. Below, I use the -CAfile option with Google Internet Authority G2:

$ openssl s_client -connect google.com:443 -CAfile google-ca.pem 
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = google.com
verify return:1
...
Start Time: 1407377196
Timeout   : 300 (sec)
Verify return code: 0 (ok)

Next, you can act like a browser by going to cURL and downloading cacert.pem. cacert.pem has lots of CAs in it:

$ openssl s_client -connect google.com:443 -CAfile cacert.pem 
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = google.com
verify return:1
...
Start Time: 1407377356
Timeout   : 300 (sec)
Verify return code: 0 (ok)

You're not quite as bad as a browser with its hundreds of CAs and subordinate CAs, but you're getting close:

$ cat cacert.pem | grep -o "-----BEGIN" | wc -l
     153

The OpenSSL security model is in contrast to the web app/browser security model, where the browser carries around a list of trust anchors or trust points known as Certificate Authorities (CAs). Note: in this model, the wrong CA could claim to certify a site, and the browser would be no wiser.

This has happened in the past, and it will likely happen again in the future. For a good history of PKIX funny business, see CAcert's Risk History. For example, you know Google Internet Authority G2 and GeoTrust Global CA certify Google's sites. There's no reason for a Dutch CA called Diginotar to claim to certify them, or a French Cyberdefense Agency to claim to certify them.

Related to security models: another problem with the web app/browser model is you cannot package the one trust anchor or CA needed for your app and use it (assuming you have a trusted distribution channel). Your certificate gets tossed in the pile with the CA Zoo. Others can still claim to certify your site, and you can claim to certify other sites.

The security model is one of the reasons web apps are relegated to low value data. Web apps should not handle medium value or high value data because we can't place the needed security controls.

Is there a way for OpenSSL to list all certificates which it trusts?

No need since the list has 0 members :)

See also: How to find out the path of openssl trusted certificates?
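The question asks for an installation-independent way to get the trusted list from OpenSSL itself. As an added example that is not part of the original answer, this Python script asks the linked OpenSSL for its compiled-in default cafile/capath and lists the CA certificates actually loaded from a bundle, the same set that s_client -CAfile would trust; SAMPLE_BUNDLE is a constructed PEM file (not a real trust store) used only to show how its count differs from the answer's grep pipeline.

```python
import os
import ssl
# Constructed sample bundle (not a real trust store): fake base64 bodies, with a
# private key mixed in as happens in combined PEM files.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBsampleRootCAbodyNotRealAAAA
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEsampleKeyBodyNotRealAAAA
-----END PRIVATE KEY-----
-----BEGIN TRUSTED CERTIFICATE-----
MIIBsampleTrustedCertBodyNotRealAAAA
-----END TRUSTED CERTIFICATE-----
"""
CERT_HEADERS = ("-----BEGIN CERTIFICATE-----", "-----BEGIN TRUSTED CERTIFICATE-----")

def default_trust_locations() -> ssl.DefaultVerifyPaths:
    """Ask the linked OpenSSL for its compiled-in cafile/capath (OPENSSLDIR):
    the installation-independent way to locate the default store."""
    return ssl.get_default_verify_paths()

def default_cafile_if_present():
    """The default bundle path, or None if this installation ships none."""
    cafile = default_trust_locations().cafile
    return cafile if cafile and os.path.isfile(cafile) else None

def count_pem_certs(bundle_text: str) -> int:
    """Count certificate blocks only; the answer's `grep -o "-----BEGIN" | wc -l`
    also counts keys, CRLs and DH parameters sharing a combined PEM file."""
    return sum(1 for ln in bundle_text.splitlines() if ln.strip() in CERT_HEADERS)

def trusted_ca_certs(cafile=None, capath=None, cadata=None) -> list:
    """Load explicit anchors as s_client -CAfile/-CApath does, then list the CA
    certificates the context holds (dicts with 'subject', 'issuer', 'notAfter').
    Caveat (from the ssl docs): certs in a hashed capath directory are loaded
    lazily, so they are not reported until first used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # fresh context, no default store
    ctx.load_verify_locations(cafile=cafile, capath=capath, cadata=cadata)
    return ctx.get_ca_certs()

def subject_line(cert: dict) -> str:
    """Flatten the nested subject tuple into 'countryName=US, commonName=...'."""
    return ", ".join(f"{k}={v}" for rdn in cert["subject"] for k, v in rdn)

if __name__ == "__main__":
    cafile = default_cafile_if_present()
    print("default cafile:", cafile, "| capath:", default_trust_locations().capath)
    for cert in trusted_ca_certs(cafile=cafile) if cafile else []:
        print(subject_line(cert))
```

If default_cafile_if_present() returns None, the script prints nothing further: that is the answer's "the list has 0 members" case, and the program will only trust what you pass to trusted_ca_certs.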
