OpenSSL Ignore Self-signed certificate error


Problem description

I'm writing a small program with the OpenSSL library that is supposed to establish a connection with an SSLv3 server. This server dispenses a self-signed certificate, which causes the handshake to fail with this message: "sslv3 alert handshake failure, self signed certificate in certificate chain."

Is there a way I can force the connection to proceed? I've tried calling SSL_CTX_set_verify like so:

SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);

But it does not seem to change anything.

Any suggestions?

Answer

By default OpenSSL walks the certificate chain and tries to verify on each step, SSL_set_verify() does not change that, see the man page. Quoting it:

    The actual verification procedure is performed either using the built-in verification procedure or using another application provided verification function set with SSL_CTX_set_cert_verify_callback(3).

So the solution is to create a simple callback and set that one, so that you override all certificate-chain walking:

#include <openssl/ssl.h>

/* Replaces the built-in verification entirely: reports success for every chain. */
static int always_true_callback(X509_STORE_CTX *ctx, void *arg)
{
    (void)ctx; (void)arg;
    return 1;
}

/* ctx is the SSL_CTX from the question; the third argument is the application
 * pointer that OpenSSL hands to the callback as `arg`. */
SSL_CTX_set_cert_verify_callback(ctx, always_true_callback, NULL);
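The callback above makes every handshake succeed, so it accepts a forged self-signed certificate just as readily as the real one. The usual way to handle a known self-signed server certificate is to keep verification switched on and trust that one certificate explicitly, optionally pinning its SHA-256 fingerprint as well. The following is an added example, not code from the question or the answer; it uses Python's standard-library ssl module (which wraps OpenSSL) rather than the C API. FAKE_SERVER_DER is a constructed byte string standing in for a real DER certificate so the helpers can be exercised offline, and "server.example" is a placeholder host.

```python
"""Accepting one specific self-signed server certificate without disabling
verification: trust that certificate explicitly and pin its fingerprint."""
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate, used only so the helpers
# below can run offline; a real pin is derived from the server's actual cert.
FAKE_SERVER_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
# PEM wrapping of the same bytes (base64 with BEGIN/END markers; no ASN.1 check).
FAKE_SERVER_PEM = ssl.DER_cert_to_PEM_cert(FAKE_SERVER_DER)


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated, upper-case form printed by
    `openssl x509 -noout -fingerprint -sha256`."""
    hexdigest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pin_from_pem(pem_cert: str) -> str:
    """Derive the pin from a PEM copy of the server certificate obtained out of
    band (for example copied from the server's own configuration)."""
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem_cert))


def pin_matches(der_cert: bytes, expected_fingerprint: str) -> bool:
    """Compare the presented certificate against the pin. Separators and case
    are normalised first; the comparison itself is constant-time."""
    got = hashlib.sha256(der_cert).hexdigest().lower()
    want = expected_fingerprint.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(got, want)


def strict_client_context() -> ssl.SSLContext:
    """Client context with verification on (the opposite of CERT_NONE, the
    Python analogue of SSL_VERIFY_NONE). Hostname checking stays enabled, so
    the self-signed certificate must carry a SAN for the name you connect to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verification_enabled(ctx: ssl.SSLContext) -> bool:
    """Self-check: True only if chain verification and hostname matching are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def trust_only(ctx: ssl.SSLContext, self_signed_pem: str) -> ssl.SSLContext:
    """Make the server's self-signed certificate the only trust anchor. OpenSSL's
    built-in chain walk then succeeds for exactly that certificate and still
    fails for anything else, including a different self-signed certificate."""
    ctx.load_verify_locations(cadata=self_signed_pem)
    return ctx


def connect_pinned(host: str, port: int, self_signed_pem: str,
                   expected_fingerprint: str) -> ssl.SSLSocket:
    """Open a TLS connection and additionally enforce the pin on the leaf
    certificate actually presented, on top of the trust-store check."""
    ctx = trust_only(strict_client_context(), self_signed_pem)
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, expected_fingerprint):
        tls.close()
        raise ssl.SSLError("peer certificate does not match the pinned fingerprint")
    return tls


if __name__ == "__main__":
    # Offline demonstration on the constructed bytes. For a real server, pass
    # its PEM and pin to connect_pinned("server.example", 443, pem, pin).
    pin = pin_from_pem(FAKE_SERVER_PEM)
    print("pin:", pin)
    print("matches:", pin_matches(FAKE_SERVER_DER, pin))
```

The trust-store step alone is enough to make the handshake succeed for the one known certificate; the explicit pin check is there so that a later, silent change of the trusted file (or an accidental load_default_certs call) cannot widen what the client accepts.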
