What is my openssl and ssl default CA certs path?


Problem description


Background:

I am trying to create an SSL context connection to an external vendor for the handshake, and then communicate over that connection using XML.

import ssl
import httplib  # Python 2 module; http.client on Python 3

clientCert = path["cert_path"]
clientKey = path["key_path"]
PROTOCOL = ssl.PROTOCOL_TLSv1
context = ssl.SSLContext(PROTOCOL)
context.load_default_certs()                    # trust whatever the default CA path holds
context.load_cert_chain(clientCert, clientKey)  # client certificate for the mutual-TLS handshake
conn = httplib.HTTPSConnection(uri, 443, context=context)
conn.request("POST", '/', headers=headers, body=signedRequest) # code breaks here
response = conn.getresponse()

But this code breaks:

SSLError(1, u'[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:590)

Now, I know the CA certs are correctly placed on the server, but the path is messed up.

Question

How do I see the CA path from which this ssl/openssl picks up CA certs?
Openssl seems to be establishing the connection correctly, so I need to explicitly provide the path to ssl here.

The requests.utils path can be found as below; I'm looking for something similar to understand context.load_default_certs()

In [1]: from requests.utils import DEFAULT_CA_BUNDLE_PATH

In [2]: print(DEFAULT_CA_BUNDLE_PATH)
/usr/local/python/path/site-packages/certifi/cacert.pem

Reference solution

Method 1:

ok... found it:

command would be openssl version -a

[someone@somewhere ~]$ openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Thu Jul 23 19:06:35 UTC 2015
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic

There will be a value OPENSSLDIR in the output; this is the base path

OPENSSLDIR: "/etc/pki/tls"

In most cases this will be a symlink; use ls -la on this OPENSSLDIR path

[someone@somewhere ~]$ ls -la /etc/pki/tls
total 32
drwxr-xr-x.  5 root root  4096 Apr  6 10:09 .
drwxr-xr-x. 11 root root  4096 Apr  4 08:47 ..
lrwxrwxrwx   1 root root    19 Apr  6 10:09 cert.pem -> certs/ca-bundle.crt
drwxr-xr-x.  4 root root  4096 Mar 22 18:15 certs

Further ls -la

[someone@somewhere ~]$ ls -la /etc/pki/tls/certs/
total 1908
drwxr-xr-x. 4 root   root      4096 Mar 22 18:15 .
drwxr-xr-x. 5 root   root      4096 Apr  6 10:09 ..
lrwxrwxrwx  1 root   root        49 Apr  6 09:54 ca-bundle.crt -> /etc/pki/ca-trust/some/path/of/cert/tls-ca-bundle.pem

and you get the actual path:

/etc/pki/ca-trust/some/path/of/cert/tls-ca-bundle.pem

(by NoobEditorNoobEditor)
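The same OPENSSLDIR-derived defaults that `openssl version -a` reports are also exposed by Python's ssl module, so the path that `context.load_default_certs()` searches can be read programmatically instead of by chasing symlinks. The following is an added example, not code from the question or the answer; it assumes Python 3.6+ and only touches the local filesystem (no network connection is made).

```python
import os
import ssl
from typing import Dict, Optional


def default_ca_locations() -> Dict[str, Optional[str]]:
    """Where context.load_default_certs() will look for CA certificates.

    'cafile'/'capath' are the resolved locations (None if nothing exists
    there) after honouring the SSL_CERT_FILE / SSL_CERT_DIR overrides;
    'openssl_cafile'/'openssl_capath' are the compiled-in defaults,
    normally OPENSSLDIR/cert.pem and OPENSSLDIR/certs.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,
        "capath": p.capath,
        "openssl_cafile_env": p.openssl_cafile_env,  # SSL_CERT_FILE
        "openssl_cafile": p.openssl_cafile,
        "openssl_capath_env": p.openssl_capath_env,  # SSL_CERT_DIR
        "openssl_capath": p.openssl_capath,
    }


def resolve_bundle(path: Optional[str]) -> Optional[str]:
    """Follow a symlink chain such as cert.pem -> certs/ca-bundle.crt -> ...
    in one step (what repeated `ls -la` does by hand) and return the real
    file, or None if the chain does not end in a regular file."""
    if not path:
        return None
    real = os.path.realpath(path)
    return real if os.path.isfile(real) else None


def explicit_ca_context(cafile: str) -> Dict[str, object]:
    """Build a verifying TLS client context that trusts only `cafile` and
    summarise it. Unlike the PROTOCOL_TLSv1 context in the question,
    PROTOCOL_TLS_CLIENT negotiates the best TLS version and turns on
    certificate verification and hostname checking by default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # no implicit default certs
    ctx.load_verify_locations(cafile=cafile)
    return {
        "verify_mode": ctx.verify_mode.name,            # 'CERT_REQUIRED'
        "check_hostname": ctx.check_hostname,           # True
        "ca_certs_loaded": ctx.cert_store_stats()["x509_ca"],
    }


if __name__ == "__main__":
    locs = default_ca_locations()
    for key, value in locs.items():
        print(f"{key:20} {value}")
    print("resolved bundle:", resolve_bundle(locs["cafile"]))
```

If `cafile` comes back as None, nothing exists at the compiled-in default and `load_default_certs()` silently loads no trust anchors, which is exactly the situation that produces the unknown-CA alert; setting `SSL_CERT_FILE` or calling `load_verify_locations()` explicitly fixes it.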

References

  1. what is my openssl and ssl Default CA Certs Path? (CC BY-SA 2.5/3.0/4.0)

#tls1.2 #Python #HTTPS #SSL #openssl