CURL库怎样验证服务器证书

alexhappy

我使用curl库怎样验证服务器证书，这里不必去验证客户证书。。。望大家指点（我英文不太好，翻半天文档也是一知半解）

alexhappy

比如我用curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,0);那就是说不验证对方的证书或者说验证肯定能通过，那么我应该怎样做才能验证对方服务器证书的有效性呢

逆水寒星麦兜

默认的好像是认证服务器的，客户端的不知道

seamine_cu

去看看curl官方的例子http://curl.haxx.se/libcurl/c/cacertinmem.html
我把他的改了，改成从cacert.pem加载多个根证书列表，cacert.pem是根据http://curl.haxx.se/docs/caextract.html的方法下载或自己生成的

1. /***************************************************************************
   
2. *                                  _   _ ____  _
   
3. *  Project                     ___| | | |  _ \| |
   
4. *                             / __| | | | |_) | |
   
5. *                            | (__| |_| |  _ <| |___
   
6. *                             \___|\___/|_| \_\_____|
   
7. *
   
8. * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
   
9. *
   
10. * This software is licensed as described in the file COPYING, which
    
11. * you should have received as part of this distribution. The terms
    
12. * are also available at http://curl.haxx.se/docs/copyright.html.
    
13. *
    
14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
    
15. * copies of the Software, and permit persons to whom the Software is
    
16. * furnished to do so, under the terms of the COPYING file.
    
17. *
    
18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
    
19. * KIND, either express or implied.
    
20. *
    
21. ***************************************************************************/
    
22. /* Example using a "in core" PEM certificate to retrieve a https page.
    
23. * Written by Theo Borm
    
24. */
    
25. 
    
26. /* on a netBSD system with OPENSSL& LIBCURL installed from
    
27. * pkgsrc (using default paths) this program can be compiled using:
    
28. * gcc -I/usr/pkg/include -L/usr/pkg/lib -lcurl -Wl,-R/usr/pkg/lib -lssl
    
29. * -lcrypto -lz -o curlcacerttest curlcacerttest.c
    
30. * on other operating systems you may want to change paths to headers
    
31. * and libraries
    
32. */
    
33. #include <openssl/ssl.h>
    
34. #include <curl/curl.h>
    
35. #include <stdio.h>
    
36. #include <string>
    
37. #include <iostream>
    
38. #include <fstream>
    
39. #include <list>
    
40. 
    
41. size_t writefunction( void *ptr, size_t size, size_t nmemb, void *stream)
    
42. {
    
43.   fwrite(ptr,size,nmemb,(FILE*)stream);
    
44.   return(nmemb*size);
    
45. }
    
46. 
    
47. static CURLcode sslctx2_function(CURL * curl, void * sslctx, void * parm)
    
48. {
    
49.         char pem[65536] = {0};
    
50.         X509_STORE * store;
    
51.         X509 * cert=NULL;
    
52.         BIO * bio = NULL;
    
53. 
    
54.         std::fstream fs("D:\\cacert.pem");
    
55.         std::string cert_text;
    
56.         bool is_cert_begin = false;
    
57.         std::list<std::string> certs;
    
58.         const char cert_begin_text[] = "-----BEGIN CERTIFICATE-----";
    
59.         const char cert_end_text[] = "-----END CERTIFICATE-----";
    
60. 
    
61.         while (!fs.eof()) {
    
62.                 memset(pem, 0, sizeof(pem));
    
63.                 fs.getline(pem, sizeof(pem)-1);
    
64. 
    
65.                 // ignore comment
    
66.                 if (strncmp(pem, "#", 1) == 0) {
    
67.                         continue;
    
68.                 }
    
69.                 if (strncmp(pem, cert_begin_text, sizeof(cert_begin_text)) == 0) {
    
70.                         cert_text.clear();
    
71.                         cert_text.append(pem);
    
72.                         cert_text.append("\n");
    
73.                         is_cert_begin = true;
    
74.                         continue;
    
75.                 }
    
76.                 if (strncmp(pem, cert_end_text, sizeof(cert_end_text)) == 0) {
    
77.                         cert_text.append(pem);
    
78.                         cert_text.append("\n");
    
79.                         certs.push_back(cert_text);
    
80.                         cert_text.clear();
    
81.                         is_cert_begin = false;
    
82.                         continue;
    
83.                 }
    
84.                 if (is_cert_begin) {
    
85.                         cert_text.append(pem);
    
86.                         cert_text.append("\n");
    
87.                 }
    
88.         }
    
89. 
    
90.         std::list<std::string>::iterator it = certs.begin();
    
91.         while (it != certs.end()) {
    
92.                 bio=BIO_new_mem_buf((void*)(it->c_str()), -1);
    
93.                 /* use it to read the PEM formatted certificate from memory into an X509
    
94.                  * structure that SSL can use
    
95.                  */
    
96.                 X509* px509 = PEM_read_bio_X509(bio, &cert, 0, NULL);
    
97.                 if (cert == NULL) {
    
98.                         printf("PEM_read_bio_X509 failed...\n");
    
99.                 }
    
100. 
     
101.                 /* get a pointer to the X509 certificate store (which may be empty!) */
     
102.                 store=SSL_CTX_get_cert_store((SSL_CTX *)sslctx);
     
103. 
     
104.                 /* add our certificate to this store */
     
105.                 int ret = X509_STORE_add_cert(store, cert);
     
106.                 if (ret == 0) {
     
107.                         printf("error adding certificate\n");
     
108.                 }
     
109. 
     
110.                 X509_free(cert);
     
111.                 cert = NULL;
     
112.                 BIO_free(bio);
     
113.                 bio = NULL;
     
114. 
     
115.                 // next certificate
     
116.                 ++it;
     
117.         }
     
118. 
     
119.         /* all set to go */
     
120.         return CURLE_OK ;
     
121. }
     
122. 
     
123. static CURLcode sslctx_function(CURL * curl, void * sslctx, void * parm)
     
124. {
     
125.   X509_STORE * store;
     
126.   X509 * cert=NULL;
     
127.   BIO * bio;
     
128. 
     
129.   char * mypem = // www.cacert.org
     
130.     "-----BEGIN CERTIFICATE-----\n"\
     
131.     "MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290\n"\
     
132.     "IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB\n"\
     
133.     "IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA\n"\
     
134.     "Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO\n"\
     
135.     "BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi\n"\
     
136.     "MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ\n"\
     
137.     "ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC\n"\
     
138.     "CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ\n"\
     
139.     "8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6\n"\
     
140.     "zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y\n"\
     
141.     "fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7\n"\
     
142.     "w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc\n"\
     
143.     "G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k\n"\
     
144.     "epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q\n"\
     
145.     "laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ\n"\
     
146.     "QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU\n"\
     
147.     "fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826\n"\
     
148.     "YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w\n"\
     
149.     "ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY\n"\
     
150.     "gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe\n"\
     
151.     "MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0\n"\
     
152.     "IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy\n"\
     
153.     "dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw\n"\
     
154.     "czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0\n"\
     
155.     "dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl\n"\
     
156.     "aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC\n"\
     
157.     "AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg\n"\
     
158.     "b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB\n"\
     
159.     "ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc\n"\
     
160.     "nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg\n"\
     
161.     "18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c\n"\
     
162.     "gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl\n"\
     
163.     "Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY\n"\
     
164.     "sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T\n"\
     
165.     "SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF\n"\
     
166.     "CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum\n"\
     
167.     "GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk\n"\
     
168.     "zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW\n"\
     
169.     "omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD\n"\
     
170.     "-----END CERTIFICATE-----\n";
     
171. 
     
172.   /* get a BIO */
     
173.   bio=BIO_new_mem_buf(mypem, -1);
     
174.   /* use it to read the PEM formatted certificate from memory into an X509
     
175.    * structure that SSL can use
     
176.    */
     
177.   PEM_read_bio_X509(bio, &cert, 0, NULL);
     
178.   if (cert == NULL)
     
179.     printf("PEM_read_bio_X509 failed...\n");
     
180. 
     
181.   /* get a pointer to the X509 certificate store (which may be empty!) */
     
182.   store=SSL_CTX_get_cert_store((SSL_CTX *)sslctx);
     
183. 
     
184.   /* add our certificate to this store */
     
185.   if (X509_STORE_add_cert(store, cert)==0)
     
186.     printf("error adding certificate\n");
     
187. 
     
188.   /* all set to go */
     
189.   return CURLE_OK ;
     
190. }
     
191. 
     
192. int main(void)
     
193. {
     
194.   CURL * ch;
     
195.   CURLcode rv;
     
196. 
     
197.   rv=curl_global_init(CURL_GLOBAL_ALL);
     
198.   ch=curl_easy_init();
     
199.   rv=curl_easy_setopt(ch,CURLOPT_VERBOSE, 0L);
     
200.   rv=curl_easy_setopt(ch,CURLOPT_HEADER, 0L);
     
201.   rv=curl_easy_setopt(ch,CURLOPT_NOPROGRESS, 1L);
     
202.   rv=curl_easy_setopt(ch,CURLOPT_NOSIGNAL, 1L);
     
203.   rv=curl_easy_setopt(ch,CURLOPT_WRITEFUNCTION, *writefunction);
     
204.   rv=curl_easy_setopt(ch,CURLOPT_WRITEDATA, stdout);
     
205.   rv=curl_easy_setopt(ch,CURLOPT_HEADERFUNCTION, *writefunction);
     
206.   rv=curl_easy_setopt(ch,CURLOPT_WRITEHEADER, stderr);
     
207.   rv=curl_easy_setopt(ch,CURLOPT_SSLCERTTYPE,"PEM");
     
208.   rv=curl_easy_setopt(ch,CURLOPT_SSL_VERIFYPEER,1L);
     
209.   rv=curl_easy_setopt(ch,CURLOPT_SSL_VERIFYHOST, 2L);
     
210.   rv=curl_easy_setopt(ch,CURLOPT_URL, "https://www.dropbox.com/");
     
211.   rv=curl_easy_setopt(ch,CURLOPT_VERBOSE, 1);
     
212. 
     
213.   /* first try: retrieve page without cacerts' certificate -> will fail
     
214.    */
     
215.   /*
     
216.   rv=curl_easy_perform(ch);
     
217.   if (rv==CURLE_OK)
     
218.     printf("*** transfer succeeded ***\n");
     
219.   else
     
220.     printf("*** transfer failed ***\n");
     
221. */
     
222.   /* second try: retrieve page using cacerts' certificate -> will succeed
     
223.    * load the certificate by installing a function doing the nescessary
     
224.    * "modifications" to the SSL CONTEXT just before link init
     
225.    */
     
226.   //rv = curl_easy_setopt(ch, CURLOPT_CAPATH, "d:\\");
     
227.   //rv = curl_easy_setopt(ch, CURLOPT_CAINFO, "d:\\cacert.pem");
     
228.   //rv = curl_easy_setopt(ch, CURLOPT_CERTINFO, 1L);
     
229.   rv=curl_easy_setopt(ch,CURLOPT_SSL_CTX_FUNCTION, *sslctx2_function);
     
230.   rv=curl_easy_perform(ch);
     
231.   if (rv==CURLE_OK)
     
232.     printf("*** transfer succeeded ***\n");
     
233.   else
     
234.     printf("*** transfer failed ***\n");
     
235. 
     
236.   curl_easy_cleanup(ch);
     
237.   curl_global_cleanup();
     
238.   return rv;
     
239. }

复制代码

linux_c_py_php

你是客户端, 你希望的是: 你拿着服务端传给你的证书, 去CA问证书的合法性, 合法你就继续通信, 否则不和服务端通信了.

1. CURLOPT_SSL_VERIFYHOST
   
2. 
   
3. Pass a long as parameter.
   
4. 
   
5. This option determines whether libcurl verifies that the server cert is for the server it is known as.
   
6. 
   
7. When negotiating a SSL connection, the server sends a certificate indicating its identity.
   
8. 
   
9. When CURLOPT_SSL_VERIFYHOST is 2, that certificate must indicate that the server is the server to which you meant to connect, or the connection fails.
   
10. 
    
11. Curl considers the server the intended one when the Common Name field or a Subject Alternate Name field in the certificate matches the host name in the URL to which you told Curl to connect.
    
12. 
    
13. When the value is 1, libcurl will return a failure. It was previously (in 7.28.0 and earlier) a debug option of some sorts, but it is no longer supported due to frequently leading to programmer mistakes.
    
14. 
    
15. When the value is 0, the connection succeeds regardless of the names in the certificate.
    
16. 
    
17. The default value for this option is 2.
    
18. 
    
19. This option controls checking the server's certificate's claimed identity. The server could be lying. To control lying, see CURLOPT_SSL_VERIFYPEER. If libcurl is built against NSS and CURLOPT_SSL_VERIFYPEER is zero, CURLOPT_SSL_VERIFYHOST is ignored.

复制代码

1. CURLOPT_SSL_VERIFYPEER
   
2. 
   
3. Pass a long as parameter. By default, curl assumes a value of 1.
   
4. 
   
5. This option determines whether curl verifies the authenticity of the peer's certificate. A value of 1 means curl verifies; 0 (zero) means it doesn't.
   
6. 
   
7. When negotiating a SSL connection, the server sends a certificate indicating its identity. Curl verifies whether the certificate is authentic, i.e. that you can trust that the server is who the certificate says it is. This trust is based on a chain of digital signatures, rooted in certification authority (CA) certificates you supply. curl uses a default bundle of CA certificates (the path for that is determined at build time) and you can specify alternate certificates with the CURLOPT_CAINFO option or the CURLOPT_CAPATH option.
   
8. 
   
9. When CURLOPT_SSL_VERIFYPEER is nonzero, and the verification fails to prove that the certificate is authentic, the connection fails. When the option is zero, the peer certificate verification succeeds regardless.
   
10. 
    
11. Authenticating the certificate is not by itself very useful. You typically want to ensure that the server, as authentically identified by its certificate, is the server you mean to be talking to. Use CURLOPT_SSL_VERIFYHOST to control that. The check that the host name in the certificate is valid for the host name you're connecting to is done independently of the CURLOPT_SSL_VERIFYPEER option.

复制代码

seamine_cu

linux_c_py_php 发表于 2012-11-14 19:29
你是客户端, 你希望的是: 你拿着服务端传给你的证书, 去CA问证书的合法性, 合法你就继续通信, 否则不和服务 ...

So, 这个例子是客户端的啊。。