未能使用OpenSSL验证服务器证书 [英] Failing to validate server certificate with OpenSSL
问题描述
我已经使用OpenSSL(在Ubuntu 12.04上用C ++编写)编写了一个SOAP客户端,但它目前无需检查服务器安全证书即可正常工作。这是我用来设置连接并检查证书的函数
I have written a SOAP client using OpenSSL (written in C++ on Ubuntu 12.04) but it currently works without checking the server security certificate. This is the function I am using to set up the connection and checking the certificate
bool bInitialiseSSL(SSL_CTX* &ctx, SSL* &ssl, BIO* &bio)
{
ctx = SSL_CTX_new(SSLv23_client_method());
bio = BIO_new_ssl_connect(ctx);
if (bio == NULL) {
ERR_print_errors_fp(stderr);
SSL_CTX_free(ctx);
return false;
}
BIO_get_ssl(bio, &ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
char target[] = "api.betfair.com:https";
BIO_set_conn_hostname(bio, target);
BIO_set_nbio(bio,1);
while (1) {
if (BIO_do_connect(bio) <= 0) {
if (!BIO_should_retry(bio)) {
cout << "Connect failed." << endl;
BIO_free_all(bio);
SSL_CTX_free(ctx);
return false;
}
} else {
break;
}
}
if (BIO_do_handshake(bio) <= 0) {
BIO_free_all(bio);
SSL_CTX_free(ctx);
return false;
}
X509 *cert;
bool bValid = false;
cert = SSL_get_peer_certificate(ssl);
if ( cert != NULL ) {
long res = SSL_get_verify_result(ssl);
if (res == X509_V_OK) {
bValid = true;
} else {
cout << "Error in security validation: " << res << endl;
}
X509_free(cert);
}
return bValid;
}
这很好,但SSL_get_verify_result的返回值为20, p>
This works fine but the return value of SSL_get_verify_result is 20 which corresponds to
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:无法取得本机
发行者凭证
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
我已经读了一些OpenSSL文档的功能,但它不是特别用户友好。我看了很多网络教程,我看不到我做错了。我的软件工作完美之前,我试图实现证书检查,但我看不到我需要做什么。我需要在我的机器上配置设置吗?服务器是betfair,据说是非常安全的,我发现很难相信他们没有有效的SSL证书。如果有人能告诉我我做错了什么,我会非常感激。
I have read some of the OpenSSL documentation for their functions but it is not particularly user friendly. I have looked at a number of web tutorials and I cannot see what I am doing wrong. My software worked perfectly before I tried to implement the certificate checking but I cannot see what I need to do. Do I need to configure settings on my machine? The server is betfair which is supposedly very secure and I find it hard to believe that they do not have valid SSL certificates. If anyone can tell me what I am doing wrong I would be very grateful.
推荐答案
这取决于服务器的证书。
It depends on the certificates of the server.
- 如果它是公共有效证书,您可以将CA certs文件包括在SSL_CTX中。
代码:
ctx = SSL_CTX_new(SSLv23_client_method());
// You can load CA certs into SSL_CTX
SSL_CTX_load_verify_locations(ctx, cafile, NULL); // cafile: CA PEM certs file
您可以从cURL网站下载公共CA certs文件来自mozilla.org的CA Certs
You can download the public CA certs file from cURL website CA Certs from mozilla.org
- 如果是私人证书,并且您有证书文件,则可以使用
SSL_CTX_use_certificate_file
,而不是SSL_CTX_load_verify_locations
。
- If it is a private certs, and you have the certificate file, you can use
SSL_CTX_use_certificate_file
instead ofSSL_CTX_load_verify_locations
.
这篇关于未能使用OpenSSL验证服务器证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!