制作 OpenSSL 密钥时应为 commonName 添加什么内容?
我有一个应用程序框架,它在网络上的未命名主机之间以对等方式工作。我希望对流量进行加密,因此我使用 M2Crypto 实现了设置,但遇到了障碍。我不知道创建证书时要为“commonName”填写什么。它似乎需要一个域名,但运行它的计算机都没有域名。我只是将“temphost”作为 commonName,但显然这是一个重要的参数。我在尝试测试它时得到了这个:
M2Crypto.SSL.Checker.WrongHost:对等 证书 commonName 不匹配 主机,预期 127.0.0.1,已获得临时主机
有没有办法概括 commonName?
I have an application application framework that works in a peer-to-peer manner between unnamed hosts on a network. I want to have the traffic be encrypted, so I've implemented a setup with M2Crypto, but I've run into a snag. I have no idea what to put down for 'commonName' when creating the cert. It seems to want a domain name, but none of the computers running this will have one. I just put 'temphost' for the commonName, but apparently this an important parameter. I got this when trying to test it:
M2Crypto.SSL.Checker.WrongHost: Peer
certificate commonName does not match
host, expected 127.0.0.1, got temphost
Is there a way to generalize the commonName?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
因此,根据您对我的第一个答案的评论,我决定提供另一种可能适合您的情况的解决方案。创建您自己的 CA 证书和密钥。然后在您的同级中告诉 M2Crypto 仅接受由此 CA 签名的证书(请参阅此旧的 stackoverflow 问题以了解要使用的 API:M2Crypto 的 set_client_CA_list_from_file() 和 load_verify_info() 之间有什么区别以及何时使用它们?)。
然后在脚本的早期执行此操作:
或者如果您需要能够建立其他类型的 SSL 连接,请查看是否可以控制 SSL.Connection 对象的创建并使用合适的检查器调用它们的 set_post_connection_check_callback() 。
此后,您的对等点应该接受任何其他对等点,只要该对等点的证书仅由您的 CA 签名即可。
如果您能想到可以在连接后检查中验证的任何额外信息,您可以将该信息放入证书中(可能在 commonName 中)并编写自己的检查器来使用(而不是上面的“无”)。
So based on your comment to my first answer I decided to offer another solution that might work for your case. Create your own CA cert and key. Then in your peers tell M2Crypto to accept only certificates that were signed by this CA (see this older stackoverflow question for APIs to use: What is the difference between M2Crypto's set_client_CA_list_from_file() and load_verify_info() and when would you use each?).
Then early on in your scripts do this:
or if you need to be able to make other kinds of SSL connections, see if you can control the creation of SSL.Connection objects and call their set_post_connection_check_callback() with suitable checker.
After this your peers should accept any other peer as long as the peer's certificate was signed with your CA only.
If you can think of any extra information you could verify in a post connection check, you could put that info in the certs (maybe in commonName) and write your own checker to use (instead of None above).
在您的用例中,默认主机名检查不合适。您可能想尝试仅进行证书指纹检查。首先,获取每个证书的指纹(openssl x509 -fingerprint)。假设您有对等点 A 和对等点 B,分别具有指纹 A 和指纹 B。
在对等 A 端,您将在脚本的早期进行以下调用:
在对等 B 端,您执行相同的操作,但使用指纹 A。现在,证书检查器将仅检查以确保指纹匹配,而不会做进一步的检查。
此方法确实意味着它将覆盖所有 SSL 连接的连接后检查,因此它并不适合所有用例。如果您可以控制 SSL.Connection 对象的创建,您还可以为每个实例调用 set_post_connection_check_callback() ,这将允许在需要时使用不同的检查器。
In your use case the default host name checking is not appropriate. You might want to try just doing certificate fingerprint checking. First, get the fingerprints of each certificate (openssl x509 -fingerprint). Let's say you have peer A and peer B, with fingerprint A and fingerprint B, respectively.
On peer A side, you will make the following calls early on in your script:
On peer B side you do the same, except use fingerprint A. Now the certificate checker will only check to make sure that the fingerprints match, and won't do further checks.
This approach does mean that it will override the post connection check for ALL SSL connections, so it is not suitable in all use cases. If you can control the creation of the SSL.Connection object, you could also call set_post_connection_check_callback() per instance, which would allow different checker to be used when needed.