我有大量网站需要测试 SSL/TLS 设置。我需要执行的一些测试是:
我觉得这可以通过 Bash、cURL 甚至 OpenSSL 来实现。我已经使用 cURL 做了一些测试,但在某些情况下解释输出会令人困惑。另外,我无法使用这些方法中的任何一种来检测链的根证书是否已过期,这是我试图追查的一个常见问题。
示例:
curl -v --cert-status https://someserver.somedomain.com/
* Trying xx.yy.zz.aa:443...
* Connected to someserver.somedomain.com (xx.yy.zz.aa) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.**
这是已知缺少中间证书的服务器。我可以从
"TLSv1.2 (OUT), TLS alert, unknown CA (560)" or "SSL certificate problem: unable to get local issuer certificate"
行安全地推断出这一点吗?如果是这样,我可以使用此输出来确定缺少哪个中间证书吗?
此外,上述方法似乎并没有告诉我链的根证书何时过期,除非它被埋在某个地方。
使用
openssl
可能会对您有帮助
openssl s_client -connect -showcerts server:port
通过这种方式,您可以下载证书,然后处理证书以获取您想要获取的信息