我正在使用WebService,但仍無法驗證對等證書。 即時通訊使用libcurl的C語言,這是輸出:SSL CA證書 - LibCurl C語言(Linux)
不能執行後,錯誤:同等證書不能與我試圖測試通過OpenSSL的連接給CA證書
所以認證命令:
openssl s_client -connect homnfce.sefaz.am.gov.br:443 -cert cert.pem -key nfcek.pem
然後: Verify return code: 20 (unable to get local issuer certificate)
走得更遠我環顧服務器證書,並注意到他們有一個證書鏈。 所以我已經下載了他們並使用密鑰工具補充:即使有這些變化
keytool -import -trustcacerts -file cert1.cer -alias mykey
keytool -import -trustcacerts -file cert2.cer -alias mykey2
keytool -import -trustcacerts -file cert3.cer -alias mykey3
,我仍然無法驗證等證書。
我認爲它可以指示錯誤,同時設置CURLOPTs,繼承人的代碼片段:
if (curl_easy_setopt(curl, CURLOPT_POST, 1) != CURLE_OK) {
if (DEBUG_DETAILS) vTrace("curl_easy_setopt(curl, CURLOPT_POST, 1) failed");
return -1;
}
if (curl_easy_setopt(curl, CURLOPT_URL, "https://homnfce.sefaz.am.gov.br/nfce-services-nac/services/NfeStatusServico2?wsdl") != CURLE_OK) {
if (DEBUG_DETAILS) vTrace("curl_easy_setopt(curl, CURLOPT_URL) failed");
return -1;
}
if (curl_easy_setopt(curl, CURLOPT_PORT, 443) != CURLE_OK) {
if (DEBUG_DETAILS) vTrace("curl_easy_setopt(curl, CURLOPT_PORT, 443) failed");
return -1;
}
if (curl_easy_setopt(curl, CURLOPT_SSLCERT, "cert.pem") != CURLE_OK) {
if (DEBUG_DETAILS) vTrace("curl_easy_setopt(curl, CURLOPT_SSLCERT) failed");
return -1;
}
if (curl_easy_setopt(curl, CURLOPT_SSLKEY, "nfcek.pem") != CURLE_OK) {
if (DEBUG_DETAILS) vTrace("curl_easy_setopt(curl, CURLOPT_SSLKEY) failed");
return -1;
}
sprintf(szCertPath, "%s","/home/CAcerts/");
if (curl_easy_setopt(curl, CURLOPT_CAPATH, szCertPath) != CURLE_OK) {
if (DEBUG_DETAILS) vTrace("curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER) failed");
return -1;
}
if (curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, iLen) != CURLE_OK) {
if (DEBUG_DETAILS) vTrace("curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE) failed");
return -1;
}
if (curl_easy_setopt(curl, CURLOPT_SSLCERTPASSWD, szMyPw) != CURLE_OK) {
if (DEBUG_DETAILS) vTrace("curl_easy_setopt(curl, CURLOPT_TIMEOUT) failed");
return -1;
}
if (curl_easy_setopt(curl, CURLOPT_READDATA, pfChk) != CURLE_OK) {
if (DEBUG_DETAILS) vTrace("curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE) failed");
return -1;
}
if (curl_easy_setopt(curl, CURLOPT_WRITEDATA, pfAnswer) != CURLE_OK) {
if (DEBUG_DETAILS) vTrace("curl_easy_setopt(curl, CURLOPT_WRITEDATA) failed");
return -1;
}
if (curl_easy_setopt(curl, CURLOPT_TIMEOUT, iOnlineServerTimeout) != CURLE_OK) {
if (DEBUG_DETAILS) vTrace("curl_easy_setopt(curl, CURLOPT_TIMEOUT) failed");
return -1;
}
if (curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1) != CURLE_OK) {
if (DEBUG_DETAILS) vTrace("curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1) failed");
return __LINE__;
}
if ((res = curl_easy_perform(curl)) != CURLE_OK){
if (DEBUG_DETAILS) vTraceStr("iNFCE_CurlReq(): Cannot Perform Post, Err: %s\n", (char *)curl_easy_strerror(res));
return -1;
}
一些很重要的事實是,我不能使用不安全模式選項ingnore對等身份驗證(CURLOPT_SSL_VERIFYPEER = 0)。
任何想法?什麼可能是錯誤的?
在此先感謝
你能告訴我們你的curl使用的是什麼SSL庫嗎?我認爲'keytool'是用於Java的關鍵商店? – lmz 2014-11-03 17:54:10
我怎樣才能發現哪個SSL lib捲曲正在使用?我**認爲它使用OpenSSL默認。 – rfermi 2014-11-03 18:00:03
嘗試''libcurl.so'上的'ldd'。您是否曾嘗試將這三個證書添加到'CURLOPT_CAPATH'(在您的示例中爲'/ home/CAcerts /')並運行OpenSSL c_rehash,如http://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html中所述。 – lmz 2014-11-03 18:08:04