How do I find the path of OpenSSL's trusted certificates?

Date: 2010-11-09 20:18:02

Tags: certificate openssl

How can I find out where my installed OpenSSL looks for installed (trusted) certificates? Sometimes it is /etc/ssl/cert, but I have a new system here where it doesn't use that path.

Thx! Regards, Chris

4 answers:

Answer 0 (score: 20)

The default path where certificates are looked up can differ on each platform. You can find your system's configuration with:

$ openssl version -d

OPENSSLDIR: "/etc/pki/tls"
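An added example (not from the original answers) that turns the line above into a check: it parses the OPENSSLDIR line, applies the SSL_CERT_FILE / SSL_CERT_DIR overrides the library honours, and reports whether the default file exists, how many PEM certificates it holds, and how many hash-named entries the default directory has. All paths and sample input are constructed for the demo; when an openssl binary is on PATH the last lines run it live.

```shell
#!/bin/sh
# Added example, not from the original answers: turn the OPENSSLDIR line
# that `openssl version -d` prints into a check of the trust store the
# library's default paths will actually open. All paths are constructed.

# Extract the quoted path from a line such as: OPENSSLDIR: "/etc/pki/tls"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\([^"]*\)".*/\1/p'
}

# The default store opens $SSL_CERT_FILE if it is set, else OPENSSLDIR/cert.pem,
# and $SSL_CERT_DIR if set, else OPENSSLDIR/certs. An environment override
# replaces the compiled-in default; it is not added to it.
effective_ca_file() {   # $1 = OPENSSLDIR
    if [ -n "$SSL_CERT_FILE" ]; then printf '%s\n' "$SSL_CERT_FILE"
    else printf '%s/cert.pem\n' "$1"; fi
}
effective_ca_dir() {    # $1 = OPENSSLDIR
    if [ -n "$SSL_CERT_DIR" ]; then printf '%s\n' "$SSL_CERT_DIR"
    else printf '%s/certs\n' "$1"; fi
}

# Number of PEM certificates in a bundle file; 0 if it cannot be read.
count_pem_certs() {     # $1 = file
    [ -r "$1" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# A certs/ (or -CApath / SSL_CERT_DIR) directory is only consulted through
# names of the form <8 hex digits>.<n>, the subject-hash links that c_rehash
# or `openssl rehash` create. PEM files under any other name are never found.
count_hashed_entries() {   # $1 = directory; 0 if it does not exist
    [ -d "$1" ] || { echo 0; return; }
    ls "$1" 2>/dev/null | grep -c '^[0-9a-f]\{8\}\.[0-9][0-9]*$' || true
}

# One-line summary for an OPENSSLDIR, e.g.
#   file=present (/etc/pki/tls/cert.pem, <n> certs) dir=<m> hashed entries (/etc/pki/tls/certs)
inspect_trust_store() {    # $1 = OPENSSLDIR
    f=$(effective_ca_file "$1")
    d=$(effective_ca_dir "$1")
    if [ -f "$f" ]; then fs=present; else fs=missing; fi
    printf 'file=%s (%s, %s certs) dir=%s hashed entries (%s)\n' \
        "$fs" "$f" "$(count_pem_certs "$f")" "$(count_hashed_entries "$d")" "$d"
}

# Live run against whatever openssl is on PATH, if there is one.
if command -v openssl >/dev/null 2>&1; then
    inspect_trust_store "$(parse_openssldir "$(openssl version -d)")"
fi
```

Caveat: openssl version -d reports the OPENSSLDIR compiled into that particular binary. A program linked against a different libcrypto (a vendor build, LibreSSL, a statically linked copy) can carry another value, so run this check with the library you actually link, and remember that SSL_CERT_FILE and SSL_CERT_DIR replace the defaults rather than extending them.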

Answer 1 (score: 11)

This C snippet, compiled against OpenSSL, will tell you:

/* Build with: cc -o certdir certdir.c -lcrypto */
#include <stdlib.h>
#include <stdio.h>
#include <openssl/x509.h>

int main(void)
{
    const char *dir;

    /* X509_get_default_cert_dir_env() returns the name of the environment
     * variable ("SSL_CERT_DIR") that overrides the compiled-in directory. */
    dir = getenv(X509_get_default_cert_dir_env());

    if (!dir)
        dir = X509_get_default_cert_dir();   /* OPENSSLDIR "/certs" */

    puts(dir);

    return 0;
}

Answer 2 (score: 3)

How can I find out where my installed OpenSSL looks for installed (trusted) certificates?

You can't. By default, OpenSSL trusts nothing and does not look for certificates. You have to tell it what to trust. There's even an FAQ topic that covers it: Why does <SSL program> fail with a certificate verify error?

This problem is usually indicated by log messages saying something like "unable to get local issuer certificate" or "self signed certificate". When a certificate is verified its root CA must be "trusted" by OpenSSL; this typically means that the CA certificate must be placed in a directory or file and the relevant program configured to read it. The OpenSSL program 'verify' behaves in a similar way and issues similar error messages: check the verify(1) program manual page for more information.


Caf's answer is correct, but OpenSSL doesn't use it, and there's nothing there...

$ grep -R X509_get_default_cert_dir *
...
crypto/x509/x509_def.c:const char *X509_get_default_cert_dir(void)
...

In the above, note that nothing hits in the apps/ directory. apps/ is where all of the OpenSSL samples and utilities live, like openssl req, openssl rsa, openssl dsa, openssl x509, openssl sign, openssl verify, etc.

Then:

最后:

$ cat crypto/x509/x509_def.c
...
const char *X509_get_default_cert_dir(void)
    { return(X509_CERT_DIR); }
...

$ grep -R X509_CERT_DIR *
crypto/cryptlib.h:#define X509_CERT_DIR     OPENSSLDIR "/certs"

Like I said, it's not used, and there's nothing there.
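The point above (the store is empty until you tell OpenSSL what to trust) as an added example that is not part of this answer: it builds a throwaway root CA and a leaf it signed, then runs openssl verify with no CA, with -CAfile, with a hash-named -CApath directory, and with the SSL_CERT_FILE / SSL_CERT_DIR overrides that the default store consults. The CA name, file names and req config are assumptions of the demo; it needs an openssl binary on PATH and writes only to a temporary directory.

```shell
#!/bin/sh
# Added example, not part of this answer: build a throwaway root CA and a
# leaf it signed, then show that `openssl verify` trusts nothing until a CA
# is supplied, and the ways to supply one: -CAfile, a hash-named -CApath
# directory, or the SSL_CERT_FILE / SSL_CERT_DIR variables consulted by the
# default store. The names, subjects and config are assumptions of the demo.

# Create ca.pem, ca.key, leaf.pem and a hashed/ directory inside $1.
make_test_pki() {
    ( cd "$1" || exit 1
      # Own req config, so the result does not depend on the system
      # openssl.cnf; a root without basicConstraints fails as "invalid CA".
      cat > req.cnf <<'EOF' || exit 1
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
      openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem >/dev/null 2>&1 || exit 1
      openssl req -config req.cnf -newkey rsa:2048 -nodes \
          -subj "/CN=leaf.example" -keyout leaf.key -out leaf.csr >/dev/null 2>&1 || exit 1
      openssl x509 -req -days 1 -in leaf.csr -CA ca.pem -CAkey ca.key \
          -CAcreateserial -out leaf.pem >/dev/null 2>&1 || exit 1
      # The by-directory lookup opens only <subject hash>.<n>, the names that
      # c_rehash / `openssl rehash` generate; ca.pem under its own name is ignored.
      mkdir hashed || exit 1
      cp ca.pem "hashed/$(openssl x509 -in ca.pem -noout -subject_hash).0"
    )
}

# Run `openssl verify <options> leaf.pem` and print OK or FAIL. The verdict
# line "<path>: OK" is checked rather than the exit status, which has varied
# between OpenSSL releases.
verify_leaf() {     # $1 = pki directory; remaining arguments = verify options
    dir=$1; shift
    if openssl verify "$@" "$dir/leaf.pem" 2>/dev/null | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# Exercise every route and return 0 only if all behave as expected.
demo_trust_store() {
    work=$(mktemp -d) || return 1
    make_test_pki "$work" || { rm -rf "$work"; return 1; }
    r1=$(verify_leaf "$work")                                       # no CA anywhere
    r2=$(verify_leaf "$work" -CAfile "$work/ca.pem")                # explicit file
    r3=$(verify_leaf "$work" -CApath "$work/hashed")                # hashed directory
    r4=$(export SSL_CERT_FILE="$work/ca.pem"; verify_leaf "$work")  # env override of cert.pem
    r5=$(export SSL_CERT_DIR="$work/hashed"; verify_leaf "$work")   # env override of certs/
    printf 'no CA: %s  -CAfile: %s  -CApath: %s  SSL_CERT_FILE: %s  SSL_CERT_DIR: %s\n' \
        "$r1" "$r2" "$r3" "$r4" "$r5"
    rm -rf "$work"
    [ "$r1" = FAIL ] && [ "$r2" = OK ] && [ "$r3" = OK ] && [ "$r4" = OK ] && [ "$r5" = OK ]
}

if command -v openssl >/dev/null 2>&1; then
    demo_trust_store
fi
```

The expected line is no CA: FAIL, then OK for the other four. Two things practitioners trip over: a directory handed to -CApath is consulted only through <subject hash>.N file names, so a PEM dropped in under its own name is never found, and setting SSL_CERT_FILE replaces the default file rather than adding to it.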

Answer 3 (score: 0)

The path you are looking for is the "Directory for OpenSSL files". As @tnbt answered, openssl version -d (or -a) gives you the path to this directory. OpenSSL looks here for a file named cert.pem and a subdirectory certs/. Certificates it finds there are treated as trusted by openssl verify and openssl s_client (source: the article, What certificate authorities does OpenSSL recognize?).

It turns out that the installer which installed OpenSSL on my system also installed cert.pem as a symlink to a bundle of Certificate Authority certificates from the tool cUrl. Those in turn came from Mozilla.

% openssl version -d
OPENSSLDIR: "/opt/local/etc/openssl"
% ls -l /opt/local/etc/openssl/cert*
lrwxr-xr-x  1 root  admin  40 29 Nov 02:05 /opt/local/etc/openssl/cert.pem -> /opt/local/share/curl/curl-ca-bundle.crt
% head -10 /opt/local/etc/openssl/cert.pem
##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Fri Nov 24 08:00:26 2017 GMT
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt).  This file can be found in the mozilla source tree:
## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
##
...[rest of file omitted]...

You might have nothing installed in this file or directory, or you might have a different set of certificates. This will affect which server certificates OpenSSL verifies.

OpenSSL commands like s_client support, I think since version 1.1, the options -no-CAfile and -no-CApath. These let you ignore the certificates in this file and directory respectively, for the duration of one command. (I can't reproduce this because I am still using version 1.0.2, and it lacks those options.)