Boost.Asio SSL上下文未验证证书

这是我的上一个问题Boost.Asio SSL context load_verify_paths not loading certificate的延续。Boost.Asio SSL上下文未验证证书

我有一个从Windows上的系统CA存储生成的CA文件。生成的文件中不包含任何无效/过期的证书。

My Boost Asio代码不想使用此CA存储进行验证。该文件加载得很好，ssl::context::load_verify_file返回没有错误，但验证回调不断被调用preverified设置为false。

下面是使用证书文件的OpenSSL运行一个例子：

Loading 'screen' into random state - done 
CONNECTED(00000178) 
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 
verify return:1 
depth=2 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Certification Authority 
verify return:1 
depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Domain Validation Secure Server CA 
verify return:1 
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=example.org 
verify return:1 
--- 
Certificate chain 
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=example.org 
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 
    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 
--- 
Server certificate 
-----BEGIN CERTIFICATE----- 
...snipped... 
-----END CERTIFICATE----- 
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=example.org 
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
--- 
Acceptable client certificate CA names 
/OU=Domain Control Validated/OU=PositiveSSL/CN=example.org 
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
--- 
SSL handshake has read 5399 bytes and written 334 bytes 
--- 
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA 
Server public key is 2048 bit 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
    Protocol : TLSv1 
    Cipher : DHE-RSA-AES256-SHA 
    Session-ID: 8C04CCAE22F4B111AD13F10448ACDAD0C7F567F22C0D05829BDAE1DF9F29A005 

    Session-ID-ctx: 
    Master-Key: B99A5E1D0C3CF5421C41CDE88B6F21FD9816800409775C497859FAFCAE3A8942 
1A670D72808C804A33A10BF9A26B22AB 
    Key-Arg : None 
    Start Time: 1477664766 
    Timeout : 300 (sec) 
    Verify return code: 0 (ok)

而且没有证书文件的OpenSSL的另一个运行：

Loading 'screen' into random state - done 
CONNECTED(00000178) 
depth=2 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 
verify error:num=20:unable to get local issuer certificate 
verify return:0 
--- 
Certificate chain 
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=example.org 
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 
    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 
--- 
Server certificate 
-----BEGIN CERTIFICATE----- 
...snipped... 
-----END CERTIFICATE----- 
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=example.org 
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
--- 
Acceptable client certificate CA names 
/OU=Domain Control Validated/OU=PositiveSSL/CN=example.org 
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
--- 
SSL handshake has read 5399 bytes and written 334 bytes 
--- 
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA 
Server public key is 2048 bit 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
    Protocol : TLSv1 
    Cipher : DHE-RSA-AES256-SHA 
    Session-ID: 18036DF0E136729F9FE1BD8F51AA2FEF687D84D43918895B3F5847A2EB8C7109 

    Session-ID-ctx: 
    Master-Key: DA4BCC28FB9F4F5BCD9C9FBB51AA02B8A380F0580258A0F67E56BA2BFD627C54 
AB700C343F0741A77AC037E54272EB1E 
    Key-Arg : None 
    Start Time: 1477665097 
    Timeout : 300 (sec) 
    Verify return code: 20 (unable to get local issuer certificate)

正如你可以看到，该证书文件包含适当的根证书，因为openssl只在使用该文件时连接。

我的问题是，为什么openssl使用此文件进行验证，但Boost Asio不？如何纠正问题，因此Boost Asio使用生成的CA商店进行验证？

来源

2016-10-28 owacoder

的问题是，没有装载体系证书，而不是另一个boost::asio::ssl::context创建，它是使用set_default_verify_paths，这适用于Linux，但不适用于Windows。它在Linux上工作，因为系统证书在默认的验证路径中，但在Windows上，它是一个空目录（我没有用任何证书设置我的OpenSSL安装）。

对于其他人被类似问题困扰的人，请确保您实际使用的是您正在加载证书的boost::asio::ssl::context，所以您不会像我那样浪费太多时间。

来源

2016-11-23 22:11:40 owacoder

如果你的目标是使用Windows CA与升压ASIO商店，你可以从商店“附加”的证书，以提振SSL上下文有这样的事情：

#include <boost/asio/ssl/context.hpp> 
#include <wincrypt.h> 

void add_windows_root_certs(boost::asio::ssl::context &ctx) 
{ 
    HCERTSTORE hStore = CertOpenSystemStore(0, "ROOT"); 
    if (hStore == NULL) { 
     return; 
    } 

    X509_STORE *store = X509_STORE_new(); 
    PCCERT_CONTEXT pContext = NULL; 
    while ((pContext = CertEnumCertificatesInStore(hStore, pContext)) != NULL) { 
     // convert from DER to internal format 
     X509 *x509 = d2i_X509(NULL, 
           (const unsigned char **)&pContext->pbCertEncoded, 
           pContext->cbCertEncoded); 
     if(x509 != NULL) { 
      X509_STORE_add_cert(store, x509); 
      X509_free(x509); 
     } 
    } 

    CertFreeCertificateContext(pContext); 
    CertCloseStore(hStore, 0); 

    // attach X509_STORE to boost ssl context 
    SSL_CTX_set_cert_store(ctx.native_handle(), store); 
}

这将加载证书来自windows ca store（类似于你链接的问题）。但不是将证书转换为base64，而是使用d2i_X509将它们转换为内部OpenSSL格式，并将它们添加到OpenSSL X509_STORE。然后，SSL_CTX_set_cert_store将该存储附加到boost ssl上下文。你可以用它来建立你的SSL环境，然后利用它来进行SSL套接字：

namespace ssl = boost::asio::ssl; 
ssl::context ctx(ssl::context::tlsv12_client); 
ctx.set_options(ssl::context::default_workarounds 
          | ssl::context::no_sslv2 
          | ssl::context::no_sslv3 
          | ssl::context::tlsv12_client); 

add_windows_root_certs(ctx); 
ctx.set_verify_mode(ssl::verify_peer | ssl::verify_fail_if_no_peer_cert); 

// use custom verify_callback here for debugging purposes 
ctx.set_verify_callback(ssl::rfc2818_verification(address)); 

ssl::stream<boost::asio::ip::tcp::socket> socket(io, ctx); 
// socket ready to connect to ssl host

来源

2016-11-20 23:08:43 rbr

我可能不得不这样做，但为什么不使用加载的证书预先验证？这个额外的代码不应该是必需的。 – owacoder

请看我的答案。代码现在正常工作。 – owacoder

Boost.Asio SSL上下文未验证证书

回答

相关问题