OpenSSL Ignore Self-signed certificate error

Backend | Unresolved | 6 | 1902
独厮守ぢ 2021-02-19 07:42

I'm writing a small program with the OpenSSL library that is supposed to establish a connection with an SSLv3 server. This server dispenses a self-signed certificate, which caus

6 answers
  • 2021-02-19 08:22

    My sample client code (link) works fine with self signed server cert. I have the below code after SSL_connect and have full control over self signed certificates acceptability in my client

    #include <stdio.h>
    #include <openssl/ssl.h>
    #include <openssl/x509_vfy.h>
    
    /* SSLv3_method() as in the post; current OpenSSL builds ship without SSLv3,
       so a TLS client method would be needed there */
    SSL_CTX *ctx = SSL_CTX_new(SSLv3_method());
    SSL *ssl = SSL_new(ctx);
    long rc;
    
    // TCP connection and SSL handshake ...
    
    /* Check the certificate: SSL_get_verify_result() returns the X509_V_* outcome
       of the chain verification that ran during the handshake */
    rc = SSL_get_verify_result(ssl);
    if (rc != X509_V_OK) {
      if (rc == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
          rc == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) {
        /* only the self-signed case is tolerated; any other failure aborts */
        fprintf(stderr, "self signed certificate\n");
      }
      else {
        fprintf(stderr, "Certificate verification error: %ld\n", rc);
        SSL_free(ssl);
        SSL_CTX_free(ctx);
        return 0;
      }
    }
    
  • 2021-02-19 08:23

    You could try passing your own callback to SSL_set_verify() and then doing your own verification. It's less than ideal as I think you then need to do all of the verification and then allow the self signed error to be ignored, but you should be able to work out what the standard verify code does from the OpenSSL source and then simply pull it into your own verification callback and allow the specific error code...

  • 2021-02-19 08:28

    Have you tried giving your app the server's CA certificate so that your app can verify the certificate chain?

  • 2021-02-19 08:37

    Have you tried setting SSL_set_verify?

    /* SSL_VERIFY_NONE: the handshake no longer aborts when the chain check fails;
       SSL_get_verify_result() still reports the outcome afterwards */
    SSL_set_verify(s, SSL_VERIFY_NONE, NULL);
    
  • 2021-02-19 08:38

    Check these OpenSSL Examples: http://www.rtfm.com/openssl-examples/

    The wclient.c connects to any https page, for example:

    wclient -h www.yahoo.com -p 443
    

    If you run that with the default installation, you'll get a certificate error (you can use the -i flag to bypass the certificate check though).

    To verify the certificate, you'll need to download the CA certificates (Verisign, Thawte, Equifax, etc), so google this file cacert.pem, download and rename it to root.pem and you'll be able to connect to a web server and validate its certificate.

  • 2021-02-19 08:44

    By default OpenSSL walks the certificate chain and tries to verify on each step, SSL_set_verify() does not change that, see the man page. Quoting it:

    The actual verification procedure is performed either using the built-in verification procedure or using another application provided verification function set with SSL_CTX_set_cert_verify_callback(3).

    So the solution is to create a simple callback and set that one, so that you override all certificate-chain walking:

    /* Replaces OpenSSL's built-in chain verification entirely: every certificate
       is accepted, so the peer's identity is not checked at all */
    static int always_true_callback(X509_STORE_CTX *ctx, void *arg)
    {
        (void)ctx;
        (void)arg;
        return 1;
    }
    
    /* the third argument is the opaque pointer passed to the callback as `arg` */
    SSL_CTX_set_cert_verify_callback(CTX, always_true_callback, NULL);
    
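The two defensible approaches from the answers above, checking the verify result for the self-signed error code (first answer) and handing the application the server's own certificate as its trust anchor (third answer), carried out with the openssl command-line tool, as an added example that is not part of this thread; the scratch directory, the placeholder CN and the generated certificates are all constructed for the demo:

```shell
#!/bin/sh
# Added example (not code from the thread): uses the openssl CLI to show what
# SSL_get_verify_result() reports for a self-signed server certificate when the
# verify error is merely inspected versus when that certificate is trusted directly.
set -u

WORK="${TMPDIR:-/tmp}/selfsigned-demo.$$"   # scratch dir for constructed test data

# Generate a throwaway self-signed certificate (constructed; the CN is a placeholder).
# $1 = base name, e.g. "server" -> $WORK/server.key and $WORK/server.pem
make_self_signed() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=selfsigned.example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Run `openssl verify` on $1 (remaining args go to openssl) and print the numeric
# X509_V_* code SSL_get_verify_result() would return: 0 for OK, otherwise the N
# from the "error N at D depth lookup" line.
verify_code() {
    cert="$1"; shift
    out=$(openssl verify "$@" "$cert" 2>&1) || true
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1)
    if [ -n "$code" ]; then echo "$code"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then echo 0
    else echo unknown
    fi
}

# No explicit trust anchor: an unknown self-signed leaf fails with 18, which is
# X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, the value the first answer tests for.
verify_against_system_store() { verify_code "$WORK/server.pem"; }
# Hand the app the server's own certificate as its trust anchor (the "give your
# app the CA certificate" answer): the same certificate now verifies with 0.
verify_against_pinned_cert() { verify_code "$WORK/server.pem" -CAfile "$WORK/server.pem"; }
# A second self-signed cert with the identical subject but another key is still
# rejected (non-zero): trust is bound to the pinned certificate, not to its name.
verify_lookalike_against_pinned_cert() { verify_code "$WORK/lookalike.pem" -CAfile "$WORK/server.pem"; }

cleanup() { rm -rf "$WORK"; }

demo() {
    make_self_signed server && make_self_signed lookalike || return 1
    echo "default trust store : $(verify_against_system_store)"          # 18
    echo "pinned server cert  : $(verify_against_pinned_cert)"           # 0
    echo "look-alike vs pinned: $(verify_lookalike_against_pinned_cert)" # non-zero
    cleanup
}

demo
```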