Ssl-Certificate

Difference between openssl verify and s_client

  • May 22, 2017

openssl verify gives me error code 20, while s_client gives me return code 1 and correctly retrieves the root certificate.

Can anyone show me how to verify a downloaded certificate?

ychaouche@ychaouche-PC 10:30:22 ~/TMP/CERTS $ openssl s_client -CApath /etc/ssl/certs/ -connect domain.tld:993 
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domain.tld
verify return:1
---
Certificate chain
0 s:/CN=domain.tld
  i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
  i:/O=Digital Signature Trust Co./CN=DST Root CA X3

and verify

ychaouche@ychaouche-PC 10:30:30 ~/TMP/CERTS $ openssl verify -CApath /etc/ssl/certs/ domaintld.crt 
domaintld.crt: CN = domain.tld
error 20 at 0 depth lookup:unable to get local issuer certificate
ychaouche@ychaouche-PC 10:31:21 ~/TMP/CERTS $ 

Edit: found the answer on SO: https://stackoverflow.com/questions/28072021/discrepancy-between-openssl-verify-and-s-client-command

I don't know what's best: simply delete this question, or close it and add a duplicate link to SO? (For others searching on SF.)

This has already been answered on SO. From https://stackoverflow.com/questions/28072021/discrepancy-between-openssl-verify-and-s-client-command

openssl verify does not expect the certificate to include its chain. The chain needs to be passed with the -untrusted parameter. You can pass the same file there; trust is still established through -CAfile/-CApath.

openssl verify -CApath /etc/ssl/certs -untrusted google_chain.pem google_chain.pem
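As an added example (not part of the original question or answer), the following shell script reproduces both results offline: it builds a throwaway root -> intermediate -> leaf chain with openssl, puts only the root into a hashed -CApath directory (as /etc/ssl/certs would hold it), and then shows that `openssl verify` fails with "unable to get local issuer certificate" until the intermediate is supplied via -untrusted. The `domain.tld` subject, the `$WORK` temporary directory and the minimal config file are constructed for this example; nothing here contacts a server.

```shell
#!/bin/sh
# Added example: why `openssl verify` needs -untrusted when the leaf is
# signed by an intermediate. All key material is throwaway and generated here.
set -eu

WORK=$(mktemp -d)          # constructed scratch directory
TRUST="$WORK/trust"        # plays the role of /etc/ssl/certs (root only)
CFG="$WORK/openssl.cnf"    # minimal config so we do not depend on the system one

printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$CFG"

# 1. Self-signed root CA
openssl req -x509 -config "$CFG" -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" -subj "/CN=Example Root CA" -days 2 >/dev/null 2>&1

# 2. Intermediate CA signed by the root (CA:TRUE so it may issue the leaf)
openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
  -out "$WORK/int.crt" -days 2 -extfile "$WORK/int.ext" >/dev/null 2>&1

# 3. Leaf certificate for the (constructed) host name, signed by the intermediate
openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=domain.tld" >/dev/null 2>&1
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:domain.tld\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
  -out "$WORK/leaf.crt" -days 2 -extfile "$WORK/leaf.ext" >/dev/null 2>&1

# 4. Trust store: only the root, stored under its subject hash as -CApath expects
mkdir -p "$TRUST"
cp "$WORK/root.crt" "$TRUST/$(openssl x509 -noout -hash -in "$WORK/root.crt").0"

# Same as the question's second command: leaf alone against the trust store.
# Returns openssl's exit status (non-zero: the intermediate cannot be found).
verify_without_chain() {
  openssl verify -CApath "$TRUST" "$WORK/leaf.crt" >/dev/null 2>&1
}

# The answer's fix: hand the intermediate to -untrusted; the root is still
# taken only from -CApath, so the untrusted file never grants trust by itself.
verify_with_chain() {
  openssl verify -CApath "$TRUST" -untrusted "$WORK/int.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Show the exact diagnostic the question reports (stderr merged into stdout).
show_failure() {
  openssl verify -CApath "$TRUST" "$WORK/leaf.crt" 2>&1 || true
}

echo "--- without -untrusted:"
show_failure
echo "--- with -untrusted:"
openssl verify -CApath "$TRUST" -untrusted "$WORK/int.crt" "$WORK/leaf.crt"
```

The first verify prints "error 20 at 0 depth lookup: unable to get local issuer certificate" because the trust store holds only the root and nothing tells `openssl verify` where the intermediate is; the second prints "OK". s_client does not hit this because the server sends the intermediate in its handshake, which is exactly the material -untrusted supplies here.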

Quoted from: https://serverfault.com/questions/851513