OpenSSL: ignoring a self-signed certificate error
I'm writing a small program with the OpenSSL library that is supposed to establish a connection with an SSLv3 server. This server dispenses a self-signed certificate, which causes the handshake to fail with this message: "sslv3 alert handshake failure, self signed certificate in certificate chain."
Is there a way I can force the connection to proceed? I've tried calling SSL_CTX_set_verify like so:
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
But it does not seem to change anything.
Any suggestions?
Recommended answer
By default OpenSSL walks the certificate chain and tries to verify on each step, SSL_set_verify()
does not change that, see the man page. Quoting it:
The actual verification procedure is performed either using the built-in verification procedure or using another application provided verification function set with SSL_CTX_set_cert_verify_callback(3).
So the solution is to create a simple callback and set that one, so that you override all certificate-chain walking:
#include <openssl/ssl.h>
#include <openssl/x509.h>

/* Replaces OpenSSL's built-in chain verification; returning 1 accepts any certificate. */
static int always_true_callback(X509_STORE_CTX *ctx, void *arg)
{
    (void)ctx;
    (void)arg;
    return 1;
}

/* The third argument is the opaque `arg` handed to the callback (NULL here). */
SSL_CTX_set_cert_verify_callback(ctx, always_true_callback, NULL);