OpenSSL s_client only returns 2 of 3 certificates from the chain?

Time: 2016-07-13 18:33:19

Tags: ssl certificate

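I'm very new to OpenSSL, so please bear with me here. I'm trying to use s_client to retrieve the root CA certificate from various websites, but for some reason it sometimes doesn't return the final certificate in the chain, which is the one I need most.

I am using the following (on FreeBSD 10.0):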

openssl s_client -showcerts -connect www.facebook.com:443

To achieve the following output:

CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
subject=/C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3401 bytes and written 417 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 775663B26F3B0570F8B6BA08243E9079F2A36735BDCB39883D4D6C14A35ADC31
    Session-ID-ctx: 
    Master-Key: 096644B949FBA333F6205CD76E4C38519D7413BC2BA20CD307199F40E9B1992EC4A6813B8C28295247C4B2E1B8FDD386
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:

    Start Time: 1468438138
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
closed

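As you can see, it stops returning certificates after the second one (DigiCert SHA2 High Assurance Server CA) and does not return the root certificate (DigiCert High Assurance EV Root CA).

Am I doing something wrong? Is there a way to force it to return this certificate?

If so, is there a way to force it to return ONLY that one, since it's the only one I need?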
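
Added example, not part of the original post: a shell function that reads the "Certificate chain" listing printed by s_client -showcerts and reports the issuer of the last certificate the server sent when that certificate is not self-signed (subject differs from issuer, which a root CA certificate's would not). The names sample_chain and missing_issuer are hypothetical, and the sample input is constructed from the chain listing above with the PEM bodies left out; only the name strings are compared, no signatures are checked.

```shell
#!/bin/sh
# Constructed sample: the s:/i: lines from the output in the question.
sample_chain() {
cat <<'EOF'
---
Certificate chain
 0 s:/C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
EOF
}

# missing_issuer (hypothetical helper): reads s_client -showcerts output on stdin.
# Prints the issuer name of the last certificate in the listing if it differs
# from that certificate's subject; prints nothing if the last one is self-signed.
# Returns 2 if no chain listing was found.
missing_issuer() {
  awk '
    /^Certificate chain/       { in_chain = 1; next }
    # A bare "---" ends the listing; PEM "-----BEGIN" lines do not match.
    in_chain && /^---$/        { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0; n++ }
    in_chain && /^ +i:/        { sub(/^ +i:/, ""); iss = $0 }
    END {
      if (n == 0) exit 2
      if (subj != iss) print iss
    }'
}

# Live use, with the command from the question:
#   openssl s_client -showcerts -connect www.facebook.com:443 </dev/null | missing_issuer
```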

0 answers:

No answers