确定是否从命令行“信任" TLS/SSL证书? [英] Determining if a TLS/SSL certificate is 'trusted' from the command line?

问题描述

我希望能够从命令行确定是否信任"远程域的TLS/SSL证书.

I would like to be able to determine if a remote domain's TLS/SSL certificate is 'trusted' from the command line.

这是几周前我玩过的openssl示例，在这里我使用openssl来获取证书，然后将其通过管道传递给openssl的验证"命令.我以为'verify'命令会验证证书，但是，我现在对它的了解是，'verify'命令只是验证证书链(我认为). (cdn.pubnub.com只是我在快速的Twitter搜索中找到的一个域，以作为示例使用)

Here is an openssl example I was playing with a few weeks back, here I use openssl to acquire the certificate and then pipe it to openssl's 'verify' command. I assumed that the 'verify' command would verify the certificate, however, how I understand it now is that the 'verify' command just verifies the certificate chain (I think). (cdn.pubnub.com is just a domain I found from a quick Twitter search as an example to use)

echo "GET /" | openssl s_client -connect cdn.pubnub.com:443 | openssl x509 -text | openssl verify

从 cdn.pubnub.com 域(在撰写本文时)可以看到，浏览器(至少是Chrome)不信任证书(因为证书域不匹配)，但是，openssl的验证"命令不会输出可信"或不可信"，否则我们可以从中扣除该信息

As you can see from the cdn.pubnub.com domain (at the time of writing), the browser (Chrome at least) does not trust the certificate (because the certificate domain doesn't match), however, the openssl 'verify' command does not output 'trusted' or 'not trusted' or something else we can deduct that information from.

我想到的另一种方法是使用无头浏览器(例如 PhantomJS )并解析任何错误他们回来了.事实证明，PhantomJS只是错误，但没有提供任何细节，因此不能使用此错误，因为该错误可能是由其他原因引起的.

Another way I thought of doing this, is by using a headless browser (such as PhantomJS) and parsing any errors they return. It turns out that PhantomJS just errors but does not give any details, so this can not be used as the error could have been caused by something else.

我不认为很难从命令行中找出证书是否受信任，而不必解析并检查所有使证书成为自己信任的数据，我认为这不会明智.

I didn't think it would be this hard to find out that a certificate was trusted or not from the command line, without having to parse and check all the data that makes a certificate trusted myself which I don't think would be wise.

是否有一个库或其他方法可以确定命令行是否信任远程域的证书?

Is there a library or some other way I can tell if a remote domain's certificate is trusted from the command line?

推荐答案

curl(和libcurl)将OpenSSL用于https URL，并检查证书的有效性，除非启用了-k, --insecure选项.

curl (and libcurl) uses OpenSSL for https URLs, and checks certificate validity unless -k, --insecure option is enabled.

zsh 29354 % curl https://cdn.pubnub.com/
curl: (51) SSL peer certificate or SSH remote key was not OK

如您所见，它没有详细说明证书为何无效，但是在其他方面，它应与无头浏览器一样好，而且要轻巧得多.

As you see, it doesn't give much details on why the certificate is invalid, but otherwise it should be as good as a headless browser, and much lighter.

这篇关于确定是否从命令行“信任" TLS/SSL证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！