Openssl: certificate verification fails when CApath argument is used in SSL_CTX_load_verify_locations API

Problem description

I am trying to establish a TLS connection to a server machine. I have created the root CA certificate and the server certificate using openssl CLI commands. I created the server certificate with the common name set to its IP address. The common name of the root CA certificate is the FQDN of the server.

I am using openssl library APIs to establish the connection to the server. I am using the API

int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath)

for setting the CA file lookup path.

Everything works fine when I use the CAfile argument to specify the path of my CA file, leaving the CApath argument as NULL.

But if I use the CApath argument to specify the path to the directory containing the CA files, leaving the CAfile argument as NULL, the connection fails due to a certificate verification error.

When I captured the packets using Wireshark, I found that my client code is sending the TLS alert "Unknown CA" in response to the "server hello" from the server. I have used the same CA certificate file that I used in the successful connection.

From my observation while exploring the openssl library source code, I infer that, in my case, the CA files are not being considered valid and hence are not being loaded by the library APIs, for some unknown reason.

Can someone tell me the reason and, if possible, a solution for this issue?

Recommended answer

I'm posting an answer to my own question, because I spent a lot of time finding a solution to this problem, since I didn't get much information regarding this issue from the internet. I hope this will help someone else facing a similar issue.

If CApath is not NULL, the directory pointed to by CApath should contain valid CA certificates. And the most important thing is that the CA file name should be the subject name hash value.

Either the CA files can be renamed to their subject name hash values, or symlinks to the CA files can be created with the same name as the subject name hash of each CA file.

The c_rehash utility can be used to create the necessary links in the CApath. The syntax of this command is quite simple.

c_rehash <CApath>

The c_rehash utility may not be available in all Linux distros. In that case

openssl x509 -in <CA file name> -noout -subject_hash

can be used to generate the subject name hash (e.g. e5d93f80). Just append ".0" to this value and create a symlink with this name (e5d93f80.0) to the CA file. If there is more than one CA file with the same subject name hash value, their extensions should be different (e.g. e5d93f80.1). The search is performed in order of the extension number.

OpenSSL introduced this technique to reduce the CA file lookup time. Otherwise OpenSSL might have to read all files in the CApath to find the matching CA file.
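As an added example (not part of the original question or answer), the following POSIX shell script does by hand what the answer describes: it hashes every PEM certificate in a directory with `openssl x509 -subject_hash`, creates `<hash>.<n>` symlinks assigning the next free suffix when two certificates share a hash, and shows the failure mode with `openssl verify -CApath` before and after the links exist. It assumes the `openssl` CLI (1.0.0 or later, where `-subject_hash` is the current SHA-1-based hash) is on PATH; the function names and file names are illustrative.

```shell
#!/bin/sh
# Minimal c_rehash replacement (added example, not OpenSSL's own script).
# Links every PEM certificate in a directory as <subject_hash>.<n>, using
# .0, .1, ... when several certificates share the same subject hash.
# Assumes the openssl CLI (1.0.0+) is on PATH.
set -eu

# subject_hash FILE: print the OpenSSL subject-name hash of a PEM
# certificate; prints nothing and fails if FILE is not a certificate.
subject_hash() {
    openssl x509 -in "$1" -noout -subject_hash 2>/dev/null
}

# rehash_dir DIR: create the hash-named symlinks that OpenSSL's CApath
# (X509_LOOKUP_hash_dir) lookup expects. Safe to run repeatedly.
rehash_dir() {
    dir=$1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue          # unmatched glob or not a file
        [ -L "$cert" ] && continue          # skip links created earlier
        hash=$(subject_hash "$cert") || continue
        [ -n "$hash" ] || continue
        name=$(basename "$cert")
        # OpenSSL tries <hash>.0, <hash>.1, ... in order; take the first
        # free suffix, unless a link to this very file already exists.
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            if [ "$(readlink "$dir/$hash.$n")" = "$name" ]; then
                n=""
                break
            fi
            n=$((n + 1))
        done
        [ -n "$n" ] || continue
        ln -s "$name" "$dir/$hash.$n"       # relative target: dir can move
        echo "$name -> $hash.$n"
    done
}

# verify_with_capath DIR CERT: exit 0 if CERT chains to a trust anchor that
# the CApath lookup can find in DIR, non-zero otherwise. This is the same
# lookup SSL_CTX_load_verify_locations(ctx, NULL, DIR) performs during the
# handshake, so a failure here is what the client reports as "Unknown CA".
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage: ./rehash.sh /path/to/capath
if [ $# -gt 0 ]; then
    rehash_dir "$1"
fi
```

Two things worth knowing beyond the answer: since OpenSSL 1.1.0 the built-in `openssl rehash <CApath>` does the same job as `c_rehash` (which additionally writes `-subject_hash_old` links for 0.9.8-era clients), and because the directory lookup is resolved lazily at verification time, `SSL_CTX_load_verify_locations` does not fail when the links are missing; the first symptom is the handshake alert the question describes. Running the `verify_with_capath` check on your CA directory before deploying catches that early.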
