我正在通过 libcurl（C 语言）调用一个 Web Service，但始终无法验证对端（服务器）证书。输出如下：
无法执行 POST，错误：Peer certificate cannot be authenticated with given CA certificates（无法用给定的 CA 证书验证对端证书）
于是我用 openssl 命令测试连接：
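# Reproduce the handshake with the client certificate/key libcurl uses.
# s_client does not read a Java keystore; without -CAfile/-CApath it only
# consults the system default store, so "Verify return code: 20" is expected
# unless the server's root CA is installed there.  -servername sends SNI so a
# name-based virtual host returns the certificate we actually want to check.
openssl s_client -connect homnfce.sefaz.am.gov.br:443 \
  -servername homnfce.sefaz.am.gov.br \
  -CAfile cacert.pem \
  -cert cert.pem -key nfcek.pem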
然后得到：Verify return code: 20 (unable to get local issuer certificate)。这个返回码表示 OpenSSL 在它所使用的信任库里找不到签发者证书；上面的命令没有指定 -CAfile/-CApath，因此只查了系统默认信任库。
进一步查看服务器证书后，我注意到它使用了一条证书链。于是我把链上的证书下载下来，并用 keytool 导入：
# Import each certificate of the downloaded chain under its own alias.
# NOTE(review): keytool maintains a Java keystore (by default ~/.keystore);
# libcurl built on OpenSSL reads PEM bundles / hashed CA directories, not a
# Java keystore, so this import would not change what curl trusts.
keytool -import -trustcacerts -file cert1.cer -alias mykey
keytool -import -trustcacerts -file cert2.cer -alias mykey2
keytool -import -trustcacerts -file cert3.cer -alias mykey3
即使做了这些修改，我仍然无法验证对端证书。（注：keytool 写入的是 Java 密钥库，libcurl/OpenSSL 并不会读取它。）
我怀疑是设置 CURLOPT 时出了错，以下是摘录的代码：
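/*
 * Configure the libcurl easy handle for the NFC-e status POST and run it.
 * Every option is checked; on failure the error is traced (when
 * DEBUG_DETAILS is set) and -1 is returned, matching the other exits.
 *
 * Options typed "long" in the libcurl API are passed as long: curl_easy_setopt
 * is variadic, so handing it an int where a long is expected is undefined
 * behaviour and can silently set the wrong value on LP64 targets.
 */
if (curl_easy_setopt(curl, CURLOPT_POST, 1L) != CURLE_OK) {
    if ( DEBUG_DETAILS )
        vTrace("curl_easy_setopt(curl, CURLOPT_POST, 1) failed");
    return -1;
}
if (curl_easy_setopt(curl, CURLOPT_URL,
                     "https://homnfce.sefaz.am.gov.br/nfce-services-nac/services/NfeStatusServico2?wsdl") != CURLE_OK) {
    if ( DEBUG_DETAILS )
        vTrace("curl_easy_setopt(curl, CURLOPT_URL) failed");
    return -1;
}
if (curl_easy_setopt(curl, CURLOPT_PORT, 443L) != CURLE_OK) {
    if ( DEBUG_DETAILS )
        vTrace("curl_easy_setopt(curl, CURLOPT_PORT, 443) failed");
    return -1;
}

/* Client certificate and private key (PEM) presented for mutual TLS. */
if (curl_easy_setopt(curl, CURLOPT_SSLCERT, "cert.pem") != CURLE_OK) {
    if ( DEBUG_DETAILS )
        vTrace("curl_easy_setopt(curl, CURLOPT_SSLCERT) failed");
    return -1;
}
if (curl_easy_setopt(curl, CURLOPT_SSLKEY, "nfcek.pem") != CURLE_OK) {
    if ( DEBUG_DETAILS )
        vTrace("curl_easy_setopt(curl, CURLOPT_SSLKEY) failed");
    return -1;
}

/*
 * Trust anchors used to verify the server.  CURLOPT_CAPATH names a directory
 * that OpenSSL searches by subject-hash file names, so it must contain PEM
 * certificates and have been prepared with c_rehash / "openssl rehash"; a
 * directory that merely holds certificate files (or a Java keystore written
 * by keytool) is never consulted.  Peer and host-name verification
 * (CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST) are left at their
 * defaults, i.e. enabled.
 * NOTE(review): the source is a fixed literal, so this write is bounded by
 * its length; szCertPath's declared size is not visible in this excerpt.
 */
sprintf(szCertPath, "%s", "/home/CAcerts/");
if (curl_easy_setopt(curl, CURLOPT_CAPATH, szCertPath) != CURLE_OK) {
    if ( DEBUG_DETAILS )
        vTrace("curl_easy_setopt(curl, CURLOPT_CAPATH) failed"); /* trace previously named the wrong option */
    return -1;
}

if (curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)iLen) != CURLE_OK) {
    if ( DEBUG_DETAILS )
        vTrace("curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE) failed");
    return -1;
}
/* CURLOPT_SSLCERTPASSWD is the legacy name of CURLOPT_KEYPASSWD; kept as-is
 * because the installed libcurl version is not known from this excerpt. */
if (curl_easy_setopt(curl, CURLOPT_SSLCERTPASSWD, szMyPw) != CURLE_OK) {
    if ( DEBUG_DETAILS )
        vTrace("curl_easy_setopt(curl, CURLOPT_SSLCERTPASSWD) failed"); /* trace previously named the wrong option */
    return -1;
}

/* Request body is read from pfChk, the response is written to pfAnswer. */
if (curl_easy_setopt(curl, CURLOPT_READDATA, pfChk) != CURLE_OK) {
    if ( DEBUG_DETAILS )
        vTrace("curl_easy_setopt(curl, CURLOPT_READDATA) failed"); /* trace previously named the wrong option */
    return -1;
}
if (curl_easy_setopt(curl, CURLOPT_WRITEDATA, pfAnswer) != CURLE_OK) {
    if ( DEBUG_DETAILS )
        vTrace("curl_easy_setopt(curl, CURLOPT_WRITEDATA) failed");
    return -1;
}

if (curl_easy_setopt(curl, CURLOPT_TIMEOUT, (long)iOnlineServerTimeout) != CURLE_OK) {
    if ( DEBUG_DETAILS )
        vTrace("curl_easy_setopt(curl, CURLOPT_TIMEOUT) failed");
    return -1;
}
/* NOSIGNAL keeps libcurl from raising signals for timeouts in a threaded program. */
if (curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1L) != CURLE_OK) {
    if ( DEBUG_DETAILS )
        vTrace("curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1) failed");
    return -1; /* was __LINE__; every other failure path returns -1 */
}

if ((res = curl_easy_perform(curl)) != CURLE_OK) {
    if ( DEBUG_DETAILS )
        vTraceStr("iNFCE_CurlReq(): Cannot Perform Post, Err: %s\n", (char *)curl_easy_strerror(res));
    return -1;
}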
需要强调的是，我不能通过不安全的选项（CURLOPT_SSL_VERIFYPEER = 0）来跳过对端证书验证——那样会让连接对中间人攻击毫无防护。
有什么思路吗？可能是哪里出了问题？
提前致谢
我已经解决了。问题其实出在服务器 CA 证书上：我从该主机下载了证书链，然后用 openssl 命令转换格式：
# Re-encode each downloaded CA certificate as PEM.  openssl x509 expects
# PEM input by default; add "-inform DER" if the .cer files are binary.
for name in raiz_v2 ac_certsign_g6 ac_certsign_mult_g5; do
  openssl x509 -in "$name.cer" -out "$name.pem"
done
然后把它们合并成一个 PEM 文件：
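# Build the CA bundle libcurl will verify the server against (CURLOPT_CAINFO).
# Order does not matter; OpenSSL locates issuers by subject name.
cat raiz_v2.pem ac_certsign_g6.pem ac_certsign_mult_g5.pem > cacert.pem

# These certificates were downloaded from the very host being authenticated,
# so trusting them blindly only proves we reached *some* server presenting
# that chain.  Before relying on cacert.pem, compare the root's fingerprint
# with the value the CA publishes through an independent channel.
openssl x509 -in raiz_v2.pem -noout -subject -fingerprint -sha256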
然后用 CURLOPT_CAINFO 指向 cacert.pem（而不是 CURLOPT_CAPATH：CAPATH 要求目录中的 PEM 文件按主题哈希命名，需要先用 c_rehash / openssl rehash 处理，否则 OpenSSL 找不到证书）。另外，这条链是从被验证的主机本身下载的，使用前应将根证书的指纹与 CA 通过独立渠道公布的指纹核对，否则等于盲目信任。