How do I find the path to OpenSSL's trusted certificates?

Posted 2024-10-02 01:16:40 · 98 characters · 4 views · 0 comments

How can I find out where my OpenSSL installation is looking for installed (trusted) certificates?

It is sometimes /etc/ssl/cert, but I have a new system and it is not working with this path.

Comments (4)

醉生梦死 2024-10-09 01:16:40

The default path where certificates are looked up might be different on each platform. You can lookup your system configuration using the following command:

$ openssl version -d

OPENSSLDIR: "/etc/pki/tls"

究竟谁懂我的在乎 2024-10-09 01:16:40

This C snippet, compiled against OpenSSL, will tell you:

#include <stdlib.h>
#include <stdio.h>
#include <openssl/x509.h>

int main()
{
    const char *dir;

    /* The environment variable (SSL_CERT_DIR) overrides the built-in default */
    dir = getenv(X509_get_default_cert_dir_env());

    /* Otherwise fall back to the compiled-in path, OPENSSLDIR/certs */
    if (!dir)
        dir = X509_get_default_cert_dir();

    puts(dir);

    return 0;
}

乖乖哒 2024-10-09 01:16:40

The path you are looking for is the "Directory for OpenSSL files". As @tnbt answered, openssl version -d (or -a) gives you the path to this directory. OpenSSL looks here for a file named cert.pem and a subdirectory certs/. Certificates it finds there are treated as trusted by openssl s_client and openssl verify (source: the article, What certificate authorities does OpenSSL recognize?).

% openssl version -d
OPENSSLDIR: "/opt/local/etc/openssl"
% ls -l /opt/local/etc/openssl/cert*
lrwxr-xr-x  1 root  admin  40 29 Nov 02:05 /opt/local/etc/openssl/cert.pem -> /opt/local/share/curl/curl-ca-bundle.crt
% head -10 /opt/local/etc/openssl/cert.pem
##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Fri Nov 24 08:00:26 2017 GMT
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt).  This file can be found in the mozilla source tree:
## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
##
...[rest of file omitted]...

It turns out that the installer which installed OpenSSL on my system also installed cert.pem as a symlink to a bundle of Certificate Authority certificates from the tool cUrl. Those in turn came from Mozilla.

You might have nothing installed in this file or directory, or you might have a different set of certificates. This will affect which server certificates OpenSSL verifies.

OpenSSL commands like s_client support, I think since version 1.1, options -no-CAfile and -no-CApath. These let you ignore the certificates in this file and directory respectively, for the duration of one command. (I can't reproduce this because I am still using version 1.0.2, and it lacks those options.)

谷夏 2024-10-09 01:16:40

How can I find out, where my openssl installed is looking for installed certificates (trusted)?

You can't. OpenSSL trusts nothing by default, and it does not go looking for certs. You have to instruct it what to trust. There's even a FAQ topic covering it: Why does <SSL program> fail with a certificate verify error?:

This problem is usually indicated by log messages saying something
like "unable to get local issuer certificate" or "self signed
certificate". When a certificate is verified its root CA must be
"trusted" by OpenSSL this typically means that the CA certificate must
be placed in a directory or file and the relevant program configured
to read it. The OpenSSL program 'verify' behaves in a similar way and
issues similar error messages: check the verify(1) program manual page
for more information.

Caf's answer is kind of correct, but OpenSSL does not use it and there's nothing there...

$ grep -R X509_get_default_cert_dir *
...
crypto/x509/x509_def.c:const char *X509_get_default_cert_dir(void)
...

In the above, notice it does not hit on anything in the apps/ directory. apps/ is where all the OpenSSL samples and utilities are, like openssl req, openssl rsa, openssl dsa, openssl x509, openssl sign, openssl verify, etc.

Then:

$ cat crypto/x509/x509_def.c
...
const char *X509_get_default_cert_dir(void)
    { return(X509_CERT_DIR); }
...

$ grep -R X509_CERT_DIR *
crypto/cryptlib.h:#define X509_CERT_DIR     OPENSSLDIR "/certs"

And finally:

$ ls /usr/local/ssl/certs/
$

Like I said, it's not used and there's nothing there.
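As an added example (not code from any of the answers above), the same lookup the C snippet performs, done through Python's standard ssl module, which wraps the same X509_get_default_cert_file/_dir calls and their environment-variable names; it also checks whether the cert.pem file and certs/ directory described in the third answer actually contain anything, and counts what OpenSSL really loads from them, which is the point of the last answer. It assumes only a Python interpreter built against OpenSSL.

```python
import os
import ssl
from typing import Any, Dict


def openssl_trust_paths() -> Dict[str, Any]:
    """Report where the OpenSSL that Python links against looks for trusted CAs.

    ssl.get_default_verify_paths() wraps X509_get_default_cert_file()/_dir()
    and the matching *_env() calls, so it reports the same values as the C
    snippet, plus the cert.pem path.  The environment variables override the
    compiled-in defaults, exactly as getenv() does in the C code.
    """
    p = ssl.get_default_verify_paths()
    effective_file = os.environ.get(p.openssl_cafile_env, p.openssl_cafile)
    effective_dir = os.environ.get(p.openssl_capath_env, p.openssl_capath)
    dir_has_entries = False
    if os.path.isdir(effective_dir):
        with os.scandir(effective_dir) as entries:
            dir_has_entries = any(True for _ in entries)
    return {
        "cafile_env": p.openssl_cafile_env,     # normally SSL_CERT_FILE
        "capath_env": p.openssl_capath_env,     # normally SSL_CERT_DIR
        "compiled_cafile": p.openssl_cafile,    # OPENSSLDIR/cert.pem
        "compiled_capath": p.openssl_capath,    # OPENSSLDIR/certs
        "effective_cafile": effective_file,
        "effective_capath": effective_dir,
        "cafile_exists": os.path.isfile(effective_file),
        "capath_has_entries": dir_has_entries,
    }


def trusted_ca_count() -> int:
    """Count the CA certificates OpenSSL actually loads from those defaults.

    A missing cert.pem and an empty certs/ directory give 0 here: nothing is
    trusted until something is installed there or pointed to explicitly.
    (On Windows, load_default_certs() also pulls from the system store.)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    for key, value in openssl_trust_paths().items():
        print(f"{key:20} {value}")
    print(f"{'trusted_ca_count':20} {trusted_ca_count()}")
```

A result with cafile_exists false, capath_has_entries false and a CA count of 0 is exactly the "nothing there" situation from the last answer; set SSL_CERT_FILE or SSL_CERT_DIR (or install a bundle as cert.pem) and run it again to confirm the override takes effect.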
