您的位置: 首页  >  技术问答  >  如何获取正在SSL握手中使用的证书?

如何获取正在SSL握手中使用的证书?

分类: 技术问答 2022-08-15 11:46:11
问题描述:

有没有办法将某种HTTP方法发送到特定的端点并获取端点正在使用的证书?如何获取正在SSL握手中使用的证书?

假设我有端点https://myendpoint.mydomain.com/mycontext/myservice

我想获得这个端点服务我试图消耗它的证书信息。

+0

您是否在寻找一个通用的方法(即CLI工具)或特定的一种语言? – evilSnobu

+0

一个通用的解决方案 –

这里是典型openssl s_client例如:

$ openssl s_client -connect github.com:443 -servername github.com 

CONNECTED(00000003) 
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, 
     CN = DigiCert High Assurance EV Root CA 
verify return:1 
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, 
     CN = DigiCert SHA2 Extended Validation Server CA 
verify return:1 
depth=0 businessCategory = Private Organization, 
     jurisdictionC = US, jurisdictionST = Delaware, 
     serialNumber = 5157550, street = "88 Colin P Kelly, Jr Street", 
     postalCode = 94107, C = US, ST = California, L = San Francisco, 
     O = "GitHub, Inc.", CN = github.com 
verify return:1 
--- 
Certificate chain 
0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com 
    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA 
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA 
    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA 
--- 
Server certificate 
-----BEGIN CERTIFICATE----- 
MIIHeTCCB[...] 
-----END CERTIFICATE------- 

[...a bunch more stuff...]

现代编程语言在那里有你可以用它来提取证书信息一TLS库。如果他们不这样做,他们肯定有一个OpenSSL包装器可以让你在那里。

在走,你应该使用crypto/tls包:

// PeerCertificate is of x509.Certificate type 
conn.ConnectionState().PeerCertificates[0].Subject.CommonName

这里的Python(与M2Crypto):

>>> import ssl 
>>> import M2Crypto 
>>> cert = ssl.get_server_certificate(('github.com', 443)) 
>>> x509.get_subject().as_text()>>> x509 = M2Crypto.X509.load_cert_string(cert) 
>>> x509.get_subject().as_text() 
'businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/ 
serialNumber=5157550/street=88 Colin P Kelly, 
Jr Street/postalCode=94107, C=US, ST=California, L=San Francisco, 
O=GitHub, Inc., CN=github.com' 

>>> x509.get_issuer().as_text() 
'C=US, O=DigiCert Inc, OU=www.digicert.com, 
CN=DigiCert SHA2 Extended Validation Server CA' 

>>> x509.get_fingerprint() 
'B890FABE8BB63625899E1E0049814797' 

# raw cert dump 
>>> str(cert) 
'-----BEGIN CERTIFICATE-----\n 
MIIHeTCCBmGgAwIBAgIQC/20CQrXteZAwwsW[...]\n 
-----END CERTIFICATE-----\n'

从根本上,这取决于。结论是TLS根本不绑定HTTP(HTTP是应用层),TLS在OSI堆栈中较低。 HTTP在TLS握手完成后开始发生,因此您不必执行HTTPS呼叫即可获得对等证书,只需握手TLS即可。

OSI model

Click for image source

相关推荐