1

我有一个客户希望对其证书进行非常严格的验证。

我建议他们使用“openssl verify”,但似乎这不像“s_client”那么严格。

例如:假设我有一个中间链 A、B、C(其中 A 是站点,C 指向根目录,B 是中间节点),但是一些根本没有连接的中间节点会渗透到证书中。让我们称之为 X - 证书现在包含 A、B、X、C。

s_client 将失败,而 verify 不会。我还检查了一些在线服务——大多数都不会失败。例如, digicert将失败 - 说明链已损坏。

我尝试寻找一个 openssl 验证标志,我什至尝试运行 s_server 然后使用 s_client 验证无济于事。

有没有办法对此进行验证?

4

1 回答 1

0

使用 gnutls 包中的“certtool”,而不是 openssl。

好链条:

$ cat A B C | certtool -e
Certificate[0]: <subject for A>
    Issued by: <subject for B>
    Verifying against certificate[1].
    Verification output: Verified.

Certificate[1]: <subject for B>
    Issued by: <subject for C>
    Verifying against certificate[2].
    Verification output: Verified.

Certificate[2]: <subject for C>
    Issued by: <subject for C>
    Verification output: Verified.

Chain verification output: Verified.

坏链:

$ cat A B X C | certtool -e
Certificate[0]: <subject for A>
    Issued by: <subject for B>
    Verifying against certificate[1].
    Verification output: Verified.

Certificate[1]: <subject for B>
    Issued by: <subject for C>
    Verifying against certificate[2].
Error: Issuer's name: <subject for X>
certtool: issuer name does not match the next certificate
于 2014-05-02T17:14:03.180 回答