OpenSSL reasonable default for trusted CA certificates?


Question


Is there a way to set up an OpenSSL context (SSL_CTX) with a reasonable set of trusted CA certificates without distributing them myself? I don't want the responsibility of keeping them up to date. IMO any modern operating system should provide "get me the trusted CA certs" as a service, but I don't know if that's actually the case.


I don't mind writing this code three times (once for Windows, once for Mac OS X, and once for Linux), but I'd prefer to cap it at that. In particular, I'd rather not try to write code that snoops around looking for what browsers are installed and trying to extract their trusted certificates. (Apparently it's easy to get this very wrong.)


The answer for recent versions of Linux seems to be to call SSL_CTX_load_verify_locations with /etc/ssl/certs/ca-certificates.crt (if that file exists).


Are there simple answers for Windows and Mac OS X?

Answer


You could use curl's script that converts the list from Mozilla (from Curl's maintainer's answer). According to its code, it seems to check whether the certificate is trusted or not before including it.
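The following is an added example (not code from the question or the answer above) showing the strategy both posts describe: prefer an OS-maintained CA bundle, and only if none is found fall back to OpenSSL's compiled-in default locations (or, on Windows, the system certificate stores). It uses Python's standard `ssl` module because it is a thin wrapper over the same OpenSSL calls: `SSLContext.load_verify_locations(cafile=...)` is `SSL_CTX_load_verify_locations`, and `load_default_certs()` is `SSL_CTX_set_default_verify_paths` on Unix and an enumeration of the ROOT/CA stores on Windows. Only `/etc/ssl/certs/ca-certificates.crt` comes from the question; the other candidate paths are assumptions about common distribution layouts. A bundle you generate yourself from Mozilla's list with curl's `mk-ca-bundle.pl` (the script the answer refers to) is simply one more path to put in the candidate list.

```python
"""Locate trust anchors for an OpenSSL-backed TLS client without shipping them."""
import os
import ssl
from typing import Callable, Iterable, Optional, Tuple

# Candidate CA bundle locations, checked in order.  The first entry is the one
# named in the question; the remaining entries are ASSUMPTIONS about where other
# distributions keep their bundle and may not exist on a given system.
CANDIDATE_BUNDLES = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu (from the question)
    "/etc/pki/tls/certs/ca-bundle.crt",    # assumption: Red Hat family
    "/etc/ssl/cert.pem",                   # assumption: BSD-style layout
)


def choose_ca_bundle(
    candidates: Iterable[str],
    exists: Callable[[str], bool] = os.path.isfile,
) -> Optional[str]:
    """Return the first candidate that exists as a regular file, or None.

    `exists` is injectable so the selection logic can be tested without
    depending on what the host machine actually has installed.
    """
    for path in candidates:
        if exists(path):
            return path
    return None


def build_client_context(
    candidates: Iterable[str] = CANDIDATE_BUNDLES,
) -> Tuple[ssl.SSLContext, str]:
    """Create a verifying TLS client context and report where its CAs came from.

    Preference order:
      1. an OS-maintained bundle file (SSL_CTX_load_verify_locations underneath);
      2. OpenSSL's built-in default cafile/capath, or the Windows system stores
         (what SSLContext.load_default_certs does underneath).
    Verification is always required; a context with no usable anchors will
    reject every server rather than silently accept them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True

    bundle = choose_ca_bundle(candidates)
    if bundle is not None:
        ctx.load_verify_locations(cafile=bundle)
        return ctx, f"bundle:{bundle}"

    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx, "default-paths"


def loaded_ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates currently in the context's X509 store."""
    return ctx.cert_store_stats()["x509_ca"]


def openssl_default_paths() -> dict:
    """The compiled-in locations OpenSSL would search (and the env vars that override them)."""
    dvp = ssl.get_default_verify_paths()
    return {
        "cafile": dvp.openssl_cafile,
        "capath": dvp.openssl_capath,
        "cafile_env": dvp.openssl_cafile_env,
        "capath_env": dvp.openssl_capath_env,
    }


if __name__ == "__main__":
    context, source = build_client_context()
    print(f"trust anchors from: {source}")
    print(f"CA certificates loaded: {loaded_ca_count(context)}")
    print(f"OpenSSL defaults: {openssl_default_paths()}")
```

Run it on a host and the second line is the check that matters: a count of 0 means neither the distribution bundle nor OpenSSL's default paths yielded anything, and every handshake made with that context will fail verification, which is the safe failure mode for a client that refuses to ship its own CA list.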
