如何获取正在SSL握手中使用的证书?
问题描述:
有没有办法将某种HTTP方法发送到特定的端点并获取端点正在使用的证书?如何获取正在SSL握手中使用的证书?
假设我有端点https://myendpoint.mydomain.com/mycontext/myservice
我想获得这个端点服务我试图消耗它的证书信息。
答
这里是典型openssl s_client
例如:
$ openssl s_client -connect github.com:443 -servername github.com
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com,
CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com,
CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization,
jurisdictionC = US, jurisdictionST = Delaware,
serialNumber = 5157550, street = "88 Colin P Kelly, Jr Street",
postalCode = 94107, C = US, ST = California, L = San Francisco,
O = "GitHub, Inc.", CN = github.com
verify return:1
---
Certificate chain
0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHeTCCB[...]
-----END CERTIFICATE-------
[...a bunch more stuff...]
现代编程语言在那里有你可以用它来提取证书信息一TLS库。如果他们不这样做,他们肯定有一个OpenSSL包装器可以让你在那里。
在走,你应该使用crypto/tls
包:
// PeerCertificate is of x509.Certificate type
conn.ConnectionState().PeerCertificates[0].Subject.CommonName
这里的Python(与M2Crypto):
>>> import ssl
>>> import M2Crypto
>>> cert = ssl.get_server_certificate(('github.com', 443))
>>> x509.get_subject().as_text()>>> x509 = M2Crypto.X509.load_cert_string(cert)
>>> x509.get_subject().as_text()
'businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/
serialNumber=5157550/street=88 Colin P Kelly,
Jr Street/postalCode=94107, C=US, ST=California, L=San Francisco,
O=GitHub, Inc., CN=github.com'
>>> x509.get_issuer().as_text()
'C=US, O=DigiCert Inc, OU=www.digicert.com,
CN=DigiCert SHA2 Extended Validation Server CA'
>>> x509.get_fingerprint()
'B890FABE8BB63625899E1E0049814797'
# raw cert dump
>>> str(cert)
'-----BEGIN CERTIFICATE-----\n
MIIHeTCCBmGgAwIBAgIQC/20CQrXteZAwwsW[...]\n
-----END CERTIFICATE-----\n'
从根本上,这取决于。结论是TLS根本不绑定HTTP(HTTP是应用层),TLS在OSI堆栈中较低。 HTTP在TLS握手完成后开始发生,因此您不必执行HTTPS呼叫即可获得对等证书,只需握手TLS即可。
您是否在寻找一个通用的方法(即CLI工具)或特定的一种语言? – evilSnobu
一个通用的解决方案 –