OpenSSL: ignore self-signed certificate error
I'm writing a small program with the OpenSSL library that is supposed to establish a connection with an SSLv3 server. This server dispenses a self-signed certificate, which causes the handshake to fail with this message: "sslv3 alert handshake failure, self signed certificate in certificate chain."
Is there a way I can force the connection to proceed? I've tried calling SSL_CTX_set_verify like so:
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
But it does not seem to change anything.
Any suggestions?
By default OpenSSL walks the certificate chain and tries to verify on each step, SSL_set_verify() does not change that, see the man page. Quoting it:
The actual verification procedure is performed either using the built-in verification procedure or using another application provided verification function set with SSL_CTX_set_cert_verify_callback(3).
So the solution is to create a simple callback and set that one, so that you override all certificate-chain walking:
/* Application-provided verification function: returning 1 accepts the
   chain unconditionally, so the built-in chain walk never runs. */
static int always_true_callback(X509_STORE_CTX *ctx, void *arg)
{
    return 1;
}

/* The third parameter is the opaque pointer handed to the callback as arg. */
SSL_CTX_set_cert_verify_callback(ctx, always_true_callback, NULL);
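As an added example that is not part of the question or answer above, the same idea of replacing OpenSSL's built-in chain walk with an application-provided check, written against Python's ssl module (which wraps OpenSSL): the chain walk is switched off as in the question's SSL_VERIFY_NONE, and the replacement check compares the server's DER certificate against a pinned SHA-256 fingerprint, so only that one self-signed certificate is accepted rather than any certificate at all. The host, port and pin value are assumptions.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder pin for illustration only: in practice it is the
# SHA-256 of the server's DER certificate, e.g. from
#   openssl x509 -in server.pem -outform DER | sha256sum
EXPECTED_PIN = "0" * 64


def cert_sha256(der_cert: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_hex: str) -> bool:
    """True only if the presented certificate is exactly the pinned one.
    Colons from `openssl x509 -fingerprint` output are tolerated."""
    wanted = expected_hex.replace(":", "").lower()
    return hmac.compare_digest(cert_sha256(der_cert), wanted)


def pinned_client_context() -> ssl.SSLContext:
    """Client context with OpenSSL's built-in chain walk switched off
    (the question's SSL_VERIFY_NONE); verification is done by pin_matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_pinned(host: str, port: int, expected_hex: str,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the peer presents the
    pinned self-signed certificate; otherwise close it and raise."""
    ctx = pinned_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    # With CERT_NONE the DER form is still available after the handshake.
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, expected_hex):
        tls.close()
        raise ssl.SSLCertVerificationError(
            "peer certificate does not match the pinned fingerprint")
    return tls


if __name__ == "__main__":
    # Assumed host and port; substitute the server from the question.
    with connect_pinned("server.example", 443, EXPECTED_PIN) as conn:
        print("pinned certificate accepted, protocol:", conn.version())
```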