Ssl-Certificate
The difference between openssl verify and s_client
openssl verify gives me error code 20, while s_client gives me a return code of 1 and correctly retrieves the root certificate.
Can anyone point out how I can verify the downloaded certificate?
```
ychaouche@ychaouche-PC 10:30:22 ~/TMP/CERTS $ openssl s_client -CApath /etc/ssl/certs/ -connect domain.tld:993
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domain.tld
verify return:1
---
Certificate chain
 0 s:/CN=domain.tld
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
```
and verify:
```
ychaouche@ychaouche-PC 10:30:30 ~/TMP/CERTS $ openssl verify -CApath /etc/ssl/certs/ domaintld.crt
domaintld.crt: CN = domain.tld
error 20 at 0 depth lookup:unable to get local issuer certificate
ychaouche@ychaouche-PC 10:31:21 ~/TMP/CERTS $
```
EDIT: found the answer on SO: https://stackoverflow.com/questions/28072021/discrepancy-between-openssl-verify-and-s-client-command
I don't know which is best: simply delete this question, or close it and add a duplicate link to SO (for others searching on SF)?
This has already been answered on SO. From https://stackoverflow.com/questions/28072021/discrepancy-between-openssl-verify-and-s-client-command:

openssl verify does not expect the certificate file to contain its chain. The chain has to be passed with the -untrusted argument. You can pass the same file there; trust is still established through -CAfile/-CApath.

```
openssl verify -CApath /etc/ssl/certs -untrusted google_chain.pem google_chain.pem
```
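As an added example (not part of the question or the SO answer), the script below reproduces the behaviour end to end without any network access: it generates a throwaway root, intermediate and leaf locally, then runs openssl verify three ways. The first call has the same shape as the failing command in the question (trust store plus leaf only) and ends in error 20; the second adds the intermediate with -untrusted and succeeds; the third is the answer's one-file variant, where a leaf+intermediate bundle is passed both as -untrusted and as the target. All names (demo-root, demo-intermediate, leaf.example) are made up, and it assumes an openssl binary with -addext-era features (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example (not from the question or the answer above): build a throwaway
# root -> intermediate -> leaf chain locally, then show why "openssl verify"
# on the leaf alone fails with error 20 while "-untrusted" fixes it.
# All names (demo-root, demo-intermediate, leaf.example) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
printf 'basicConstraints = critical, CA:TRUE, pathlen:0\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/inter.ext"
printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:leaf.example\n' > "$WORK/leaf.ext"

csr() {  # $1 = basename, $2 = subject; writes $1.key and $1.csr
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

make_chain() {
  # 1. Self-signed root: this plays the role of the entry in /etc/ssl/certs.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/req.cnf" -extensions v3_ca -subj "/CN=demo-root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # 2. Intermediate signed by the root (the "Let's Encrypt Authority X3" role).
  csr inter "/CN=demo-intermediate"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/inter.ext" \
    -out "$WORK/inter.pem" >/dev/null 2>&1
  # 3. Leaf signed by the intermediate (the "CN = domain.tld" role).
  csr leaf "/CN=leaf.example"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same shape as the failing command in the question: trust store + leaf only.
# openssl verify has no way to learn who issued the leaf, so it stops at depth 0.
verify_leaf_only() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >"$WORK/out" 2>&1; then
    echo "unexpected OK"
  else
    grep -o 'error 20[^:]*' "$WORK/out" | head -n 1
  fi
}

# The fix from the answer: hand the intermediate over with -untrusted.
# It is only a building block for the path; trust still comes from -CAfile.
verify_with_untrusted() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" 2>&1
}

# The answer's one-file variant: a leaf+intermediate bundle passed both as
# -untrusted and as the certificate to check. verify only checks the first
# certificate of the target file, so the leaf is what gets verified.
verify_bundle() {
  cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/bundle.pem" "$WORK/bundle.pem" 2>&1
}

make_chain
echo "leaf only:       $(verify_leaf_only)"
echo "with -untrusted: $(verify_with_untrusted)"
echo "bundle:          $(verify_bundle)"
```

The contrast with s_client is that the server sends the intermediate during the handshake, so s_client already has the building block that verify lacks when given a lone leaf file; -untrusted is how you hand that same intermediate to verify. The bundle variant relies on verify reading only the first certificate of its target file while -untrusted loads every certificate in the file it names.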