Problem description
What is my openssl and ssl Default CA Certs Path?
Background:
I am trying to create an SSL context connection with an external vendor for the handshake, and then communicate over that connection using xml.
import ssl
import httplib  # Python 2; the equivalent module in Python 3 is http.client

# path, uri, headers and signedRequest are defined earlier in the original program
clientCert = path["cert_path"]
clientKey = path["key_path"]
PROTOCOL = ssl.PROTOCOL_TLSv1
context = ssl.SSLContext(PROTOCOL)
context.load_default_certs()                     # loads the system CA store (the path this question asks about)
context.load_cert_chain(clientCert, clientKey)   # client certificate + key for mutual TLS
conn = httplib.HTTPSConnection(uri, 443, context=context)
conn.request("POST", '/', headers=headers, body=signedRequest)  # code breaks here
response = conn.getresponse()
But this code breaks with:
SSLError(1, u'[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:590)
Now, I know the CA certs are placed correctly on the server, but the path got messed up.
Question
How do I see the CA path from which this ssl and openssl pick the CA certs?
Openssl seems to be establishing the connection correctly, so I need to explicitly give ssl the path here.
The requests.utils path can be found as follows; I am looking for something similar to understand context.load_default_certs():
In [1]: from requests.utils import DEFAULT_CA_BUNDLE_PATH
In [2]: print(DEFAULT_CA_BUNDLE_PATH)
/usr/local/python/path/site-packages/certifi/cacert.pem
Reference solution
Method 1:
ok... found it:
The command would be openssl version -a
[someone@somewhere ~]$ openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Thu Jul 23 19:06:35 UTC 2015
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rdrand dynamic
There would be a value OPENSSLDIR in the output; this would be the base path:
OPENSSLDIR: "/etc/pki/tls"
In most cases this would be a symlink; use ls -la on this OPENSSLDIR path:
[someone@somewhere ~]$ ls -la /etc/pki/tls
total 32
drwxr-xr-x. 5 root root 4096 Apr 6 10:09 .
drwxr-xr-x. 11 root root 4096 Apr 4 08:47 ..
lrwxrwxrwx 1 root root 19 Apr 6 10:09 cert.pem -> certs/ca-bundle.crt
drwxr-xr-x. 4 root root 4096 Mar 22 18:15 certs
Further ls -la:
[someone@somewhere ~]$ ls -la /etc/pki/tls/certs/
total 1908
drwxr-xr-x. 4 root root 4096 Mar 22 18:15 .
drwxr-xr-x. 5 root root 4096 Apr 6 10:09 ..
lrwxrwxrwx 1 root root 49 Apr 6 09:54 ca-bundle.crt -> /etc/pki/ca-trust/some/path/of/cert/tls-ca-bundle.pem
and you get the actual path:
/etc/pki/ca-trust/some/path/of/cert/tls-ca-bundle.pem
(by NoobEditor, NoobEditor)
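An added example (not from the question or the answer) that does in Python 3 what the question asks and what the answer does by hand: ssl.get_default_verify_paths() reports the OPENSSLDIR-derived CA file and directory that load_default_certs() uses, plus the SSL_CERT_FILE / SSL_CERT_DIR variables that override them, and follow_symlinks() walks a link chain the way the answer's repeated ls -la does. The directory layout in build_demo_chain() is a constructed replica of the answer's listing under a temp directory, not a real system path.

```python
import os
import ssl
import tempfile

def default_ca_locations():
    """Where load_default_certs() looks: OPENSSLDIR defaults, the env vars
    that override them, and which defaults exist on disk (None when missing)."""
    p = ssl.get_default_verify_paths()
    return {"cafile": p.cafile, "capath": p.capath,
            "openssl_cafile": p.openssl_cafile,   # OPENSSLDIR/cert.pem
            "openssl_capath": p.openssl_capath,   # OPENSSLDIR/certs
            "cafile_env": p.openssl_cafile_env,   # SSL_CERT_FILE
            "capath_env": p.openssl_capath_env}   # SSL_CERT_DIR

def follow_symlinks(path, max_hops=16):
    """Every hop from `path` to the real file: the answer's repeated
    `ls -la`, done programmatically (max_hops guards against link loops)."""
    hops = [path]
    while os.path.islink(hops[-1]) and len(hops) <= max_hops:
        target = os.readlink(hops[-1])
        if not os.path.isabs(target):  # relative link: resolve against the link's dir
            target = os.path.join(os.path.dirname(hops[-1]), target)
        hops.append(os.path.normpath(target))
    return hops

def loaded_ca_count():
    """How many CA certs load_default_certs() actually put into the store."""
    ctx = ssl.create_default_context()  # calls load_default_certs() internally
    return ctx.cert_store_stats()["x509_ca"]

def build_demo_chain():
    """Constructed replica of the answer's layout inside a temp dir:
    tls/cert.pem -> certs/ca-bundle.crt -> <abs>/ca-trust/tls-ca-bundle.pem."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "tls", "certs"))
    os.makedirs(os.path.join(root, "ca-trust"))
    real = os.path.join(root, "ca-trust", "tls-ca-bundle.pem")
    open(real, "w").close()  # empty constructed stand-in for the PEM bundle
    os.symlink(real, os.path.join(root, "tls", "certs", "ca-bundle.crt"))
    os.symlink("certs/ca-bundle.crt", os.path.join(root, "tls", "cert.pem"))
    return os.path.join(root, "tls", "cert.pem"), real

if __name__ == "__main__":
    for k, v in default_ca_locations().items():
        print(f"{k:>15}: {v}")
    print("CA certs loaded by load_default_certs():", loaded_ca_count())
    print("demo chain:", " -> ".join(follow_symlinks(build_demo_chain()[0])))
```

Note that the "tlsv1 alert unknown ca" in the question is an alert received from the server: it reports that the server does not trust the issuer of the client certificate, which no change to the local CA path will fix.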