SSL_CTX_set_client_cert_cb with a certificate chain

Time: 2016-07-04 02:48:05

Tags: openssl

The OpenSSL docs say: client_cert_cb() cannot return a complete certificate chain; it can only return one client certificate.

In my case I want to return/set a certificate chain, but I don't know how that is possible. Any example of how to do it would be greatly appreciated???

1 answer:

Answer 0 (score: 1)

The man page for OpenSSL's SSL_CTX_set_client_cert_cb says, as you quoted in your question, that client_cert_cb() cannot return a complete certificate chain, but it also states the workaround for the problem:

BUGS

client_cert_cb() cannot return a complete certificate chain, it can only return one client certificate. If the chain only has a length of 2, the root CA certificate may be omitted according to the TLS standard and thus a standard conforming answer can be sent to the server. For a longer chain, the client must send the complete chain (with the option to leave out the root CA certificate). This can only be accomplished by either adding the intermediate CA certificates into the trusted certificate store for the SSL_CTX object (resulting in having to add CA certificates that otherwise maybe would not be trusted), or by adding the chain certificates using the SSL_CTX_add_extra_chain_cert function, which is only available for the SSL_CTX object as a whole and that therefore probably can only apply for one client certificate, making the concept of the callback function (to allow the choice from several certificates) questionable.

Does this apply to your case?

EDIT

You can use the SSL_CTX_add_extra_chain_cert function to add the chain certificates. Note that, as stated in the quote, you do not have to send the root CA certificate.