1. 首頁
  2. 問答
  3. Boost.Asio SSL上下文未驗證證書

Boost.Asio SSL上下文未驗證證書

2016-10-28 98 views
2

這是我的上一個問題Boost.Asio SSL context load_verify_paths not loading certificate的延續。Boost.Asio SSL上下文未驗證證書

我有一個從Windows上的系統CA存儲生成的CA文件。生成的文件中不包含任何無效/過期的證書。

My Boost Asio代碼不想使用此CA存儲進行驗證。該文件加載得很好,ssl::context::load_verify_file返回沒有錯誤,但驗證回調不斷被調用preverified設置爲false

下面是使用證書文件的OpenSSL運行一個例子:

Loading 'screen' into random state - done 
CONNECTED(00000178) 
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 
verify return:1 
depth=2 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Certification Authority 
verify return:1 
depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Domain Validation Secure Server CA 
verify return:1 
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=example.org 
verify return:1 
--- 
Certificate chain 
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=example.org 
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 
    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 
--- 
Server certificate 
-----BEGIN CERTIFICATE----- 
...snipped... 
-----END CERTIFICATE----- 
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=example.org 
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
--- 
Acceptable client certificate CA names 
/OU=Domain Control Validated/OU=PositiveSSL/CN=example.org 
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
--- 
SSL handshake has read 5399 bytes and written 334 bytes 
--- 
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA 
Server public key is 2048 bit 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
    Protocol : TLSv1 
    Cipher : DHE-RSA-AES256-SHA 
    Session-ID: 8C04CCAE22F4B111AD13F10448ACDAD0C7F567F22C0D05829BDAE1DF9F29A005 

    Session-ID-ctx: 
    Master-Key: B99A5E1D0C3CF5421C41CDE88B6F21FD9816800409775C497859FAFCAE3A8942 
1A670D72808C804A33A10BF9A26B22AB 
    Key-Arg : None 
    Start Time: 1477664766 
    Timeout : 300 (sec) 
    Verify return code: 0 (ok)

而且沒有證書文件的OpenSSL的另一個運行:

Loading 'screen' into random state - done 
CONNECTED(00000178) 
depth=2 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 
verify error:num=20:unable to get local issuer certificate 
verify return:0 
--- 
Certificate chain 
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=example.org 
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 
    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 
--- 
Server certificate 
-----BEGIN CERTIFICATE----- 
...snipped... 
-----END CERTIFICATE----- 
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=example.org 
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
--- 
Acceptable client certificate CA names 
/OU=Domain Control Validated/OU=PositiveSSL/CN=example.org 
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
--- 
SSL handshake has read 5399 bytes and written 334 bytes 
--- 
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA 
Server public key is 2048 bit 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
    Protocol : TLSv1 
    Cipher : DHE-RSA-AES256-SHA 
    Session-ID: 18036DF0E136729F9FE1BD8F51AA2FEF687D84D43918895B3F5847A2EB8C7109 

    Session-ID-ctx: 
    Master-Key: DA4BCC28FB9F4F5BCD9C9FBB51AA02B8A380F0580258A0F67E56BA2BFD627C54 
AB700C343F0741A77AC037E54272EB1E 
    Key-Arg : None 
    Start Time: 1477665097 
    Timeout : 300 (sec) 
    Verify return code: 20 (unable to get local issuer certificate)

正如你可以看到,該證書文件包含適當的根證書,因爲openssl只在使用該文件時連接。

我的問題是,爲什麼openssl使用此文件進行驗證,但Boost Asio不?如何糾正問題,因此Boost Asio使用生成的CA商店進行驗證?

來源

2016-10-28 owacoder

回答

0

的問題是,沒有裝載體系證書,而不是另一個boost::asio::ssl::context創建,它是使用set_default_verify_paths,這適用於Linux,但不適用於Windows。它在Linux上工作,因爲系統證書在默認的驗證路徑中,但在Windows上,它是一個空目錄(我沒有用任何證書設置我的OpenSSL安裝)。

對於其他人被類似問題困擾的人,請確保您實際使用的是您正在加載證書的boost::asio::ssl::context,所以您不會像我那樣浪費太多時間。

來源

2016-11-23 22:11:40 owacoder

2

如果你的目標是使用Windows CA與升壓ASIO商店,你可以從商店「附加」的證書,以提振SSL上下文有這樣的事情:

#include <boost/asio/ssl/context.hpp> 
#include <wincrypt.h> 

void add_windows_root_certs(boost::asio::ssl::context &ctx) 
{ 
    HCERTSTORE hStore = CertOpenSystemStore(0, "ROOT"); 
    if (hStore == NULL) { 
     return; 
    } 

    X509_STORE *store = X509_STORE_new(); 
    PCCERT_CONTEXT pContext = NULL; 
    while ((pContext = CertEnumCertificatesInStore(hStore, pContext)) != NULL) { 
     // convert from DER to internal format 
     X509 *x509 = d2i_X509(NULL, 
           (const unsigned char **)&pContext->pbCertEncoded, 
           pContext->cbCertEncoded); 
     if(x509 != NULL) { 
      X509_STORE_add_cert(store, x509); 
      X509_free(x509); 
     } 
    } 

    CertFreeCertificateContext(pContext); 
    CertCloseStore(hStore, 0); 

    // attach X509_STORE to boost ssl context 
    SSL_CTX_set_cert_store(ctx.native_handle(), store); 
}

這將加載證書來自windows ca store(類似於你鏈接的問題)。但不是將證書轉換爲base64,而是使用d2i_X509將它們轉換爲內部OpenSSL格式,並將它們添加到OpenSSL X509_STORE。然後,SSL_CTX_set_cert_store將該存儲附加到boost ssl上下文。你可以用它來建立你的SSL環境,然後利用它來進行SSL套接字:

namespace ssl = boost::asio::ssl; 
ssl::context ctx(ssl::context::tlsv12_client); 
ctx.set_options(ssl::context::default_workarounds 
          | ssl::context::no_sslv2 
          | ssl::context::no_sslv3 
          | ssl::context::tlsv12_client); 

add_windows_root_certs(ctx); 
ctx.set_verify_mode(ssl::verify_peer | ssl::verify_fail_if_no_peer_cert); 

// use custom verify_callback here for debugging purposes 
ctx.set_verify_callback(ssl::rfc2818_verification(address)); 

ssl::stream<boost::asio::ip::tcp::socket> socket(io, ctx); 
// socket ready to connect to ssl host

來源

2016-11-20 23:08:43 rbr

+0

我可能不得不這樣做,但爲什麼不使用加載的證書預先驗證?這個額外的代碼不應該是必需的。 – owacoder

+0

請看我的答案。代碼現在正常工作。 – owacoder

相關問題

 相關問題