extract the CA cert for a particular server
2016-09-03 05:16 三犬风 阅读(277) 评论(0) 编辑 收藏 举报Ignore Peer SSL certificate verification
libcurl performs peer SSL certificate verification by default. This is done by using a CA certificate store that the SSL library can use to make sure the peer's server certificate is valid.
If you communicate with HTTPS, FTPS or other TLS-using servers using certificates that are signed by CAs present in the store, you can be sure that the remote server really is the one it claims to be.
If the remote server uses a self-signed certificate, if you don't install a CA cert store, if the server uses a certificate signed by a CA that isn't included in the store you use or if the remote host is an impostor impersonating your favorite site, and you want to transfer files from this server, do one of the following:
-
Tell libcurl to not verify the peer. With libcurl you disable this with
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
With the curl command line tool, you disable this with -k/--insecure.
-
Get a CA certificate that can verify the remote server and use the proper option to point out this CA cert for verification when connecting. For libcurl hackers:
curl_easy_setopt(curl, CURLOPT_CAPATH, capath);
With the curl command line tool: --cacert [file]
Get cert:
openssl s_client -connect xxxxx.com:443 |tee logfile
type "QUIT", followed by the "ENTER" key
The certificate will have "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.
-
-----BEGIN CERTIFICATE-----
fiQffffpAsiHZ0qZm+ixhTxgkasCKeff5CavSWAvqD7SnpHQ==f
-----END CERTIFICATE-----
If you want to see the data in the certificate, you can do: "openssl x509 -inform PEM -in certfile -text -out certdata" where certfile is the cert you extracted from logfile. Look in certdata.
If you want to trust the certificate, you can add it to your CA certificate store or use it stand-alone as described. Just remember that the security is no better than the way you obtained the certificate.