SSL CA Certificates - LibCurl C Language (Linux)


Question

I'm working with a web service and I still cannot authenticate peer certificates. I'm using libcurl from C; this is the output:

Cannot Perform Post, Err: Peer certificate cannot be authenticated with given CA certificates

So I've tried to test the connection through the openssl command:

openssl s_client -connect homnfce.sefaz.am.gov.br:443 -cert cert.pem -key nfcek.pem

Then: Verify return code: 20 (unable to get local issuer certificate)

Going further, I looked at the server certificates and noticed that they have a cert chain. So I downloaded them and added them using keytool:

keytool -import -trustcacerts -file cert1.cer -alias mykey
keytool -import -trustcacerts -file cert2.cer -alias mykey2
keytool -import -trustcacerts -file cert3.cer -alias mykey3

Even with these changes, I still can't authenticate peer certificates.

I think it could indicate an error while setting CURLOPTs; here's an extract of the code:

  /* Excerpt from the request function: every setopt is checked and traced on failure. */
  if (curl_easy_setopt(curl, CURLOPT_POST, 1) != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_POST, 1) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_URL, "https://homnfce.sefaz.am.gov.br/nfce-services-nac/services/NfeStatusServico2?wsdl") != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_URL) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_PORT, 443) != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_PORT, 443) failed");
    return -1;
  }
  /* Client certificate and private key used to authenticate to the web service. */
  if (curl_easy_setopt(curl, CURLOPT_SSLCERT, "cert.pem") != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_SSLCERT) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_SSLKEY, "nfcek.pem") != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_SSLKEY) failed");
    return -1;
  }
  /* CURLOPT_CAPATH expects a directory of PEM CA files named by subject hash
   * (as produced by c_rehash); plain .cer files dropped here are not found. */
  sprintf(szCertPath, "%s", "/home/CAcerts/");
  if (curl_easy_setopt(curl, CURLOPT_CAPATH, szCertPath) != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_CAPATH) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, iLen) != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_SSLCERTPASSWD, szMyPw) != CURLE_OK ) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_SSLCERTPASSWD) failed");
    return -1;
  }
  /* Request body is read from pfChk, the response is written to pfAnswer. */
  if (curl_easy_setopt(curl, CURLOPT_READDATA, pfChk) != CURLE_OK ) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_READDATA) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_WRITEDATA, pfAnswer) != CURLE_OK ) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_WRITEDATA) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_TIMEOUT, iOnlineServerTimeout) != CURLE_OK ) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_TIMEOUT) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1) != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1) failed");
    return __LINE__;
  }

  if ( (res = curl_easy_perform(curl)) != CURLE_OK ){
    if ( DEBUG_DETAILS ) vTraceStr("iNFCE_CurlReq(): Cannot Perform Post, Err: %s\n", (char *)curl_easy_strerror(res));
    return -1;
  }

Something important is the fact that I can't use the insecure-mode option to ignore peer authentication (CURLOPT_SSL_VERIFYPEER = 0).

Any ideas? What can be wrong?

Thanks in advance

Recommended Answer

I've done it. Actually it was a problem with the server's CAs. I downloaded the certificate chain from the host, then used openssl commands to convert:

  openssl x509 -in raiz_v2.cer -out raiz_v2.pem
  openssl x509 -in ac_certsign_g6.cer -out ac_certsign_g6.pem
  openssl x509 -in ac_certsign_mult_g5.cer -out ac_certsign_mult_g5.pem

So I unified them using:

 cat raiz_v2.pem > cacert.pem
 cat ac_certsign_g6.pem >> cacert.pem
 cat ac_certsign_mult_g5.pem >> cacert.pem

And then I pointed to cacert.pem using the CURLOPT_CAINFO option.
