名为“bytepool”的用户拥有哪个版本的链接,以便他能够找到此解决方法?请参阅下面的链接。
他写道:“我快速浏览了代码,似乎相关函数是 https.c 中的 verify_cert .... 因此,为了快速修复我的问题,我为自己构建了一个自定义版本,其中 verify_cert 始终返回 true,即证书检查完全被绕过。”
barlop 进一步编辑
即将http://links.twibright.com/download.php下载并解压http://links.twibright.com/download/links-2.8.tar.gz 我看到这是 https.c 的内容,我没有看到 verify_cert 函数
Here is the contents of https.c
/* https.c
* HTTPS protocol client implementation
* (c) 2002 Mikulas Patocka
* This file is a part of the Links program, released under GPL.
* In addition, as a special exception, the copyright holders give
* permission to link the code of portions of this program with the
* OpenSSL library under certain conditions as described in each
* individual source file, and distribute linked combinations
* including the two.
* You must obey the GNU General Public License in all respects
* for all of the code used other than OpenSSL. If you modify
* file(s) with this exception, you may extend this exception to your
* version of the file(s), but you are not obligated to do so. If you
* do not wish to do so, delete this exception statement from your
* version. If you delete this exception statement from all source
* files in the program, then also delete it here.
*/
#include "links.h"
#ifndef PATH_MAX
#define PATH_MAX 255
#endif
#ifdef HAVE_SSL
static SSL_CTX *context = NULL;
SSL *getSSL(void)
{
if (!context) {
const SSL_METHOD *m;
unsigned char f_randfile[PATH_MAX];
unsigned char *os_pool;
unsigned os_pool_size;
const unsigned char *f = (const unsigned char *)RAND_file_name(cast_char f_randfile, sizeof(f_randfile));
if (f && RAND_egd(cast_const_char f) < 0) {
/* Not an EGD, so read and write to it */
if (RAND_load_file(cast_const_char f_randfile, -1))
RAND_write_file(cast_const_char f_randfile);
}
os_seed_random(&os_pool, &os_pool_size);
if (os_pool_size) RAND_add(os_pool, os_pool_size, os_pool_size);
mem_free(os_pool);
/* needed for systems without /dev/random, but obviously kills security. */
/*{
static unsigned char pool[32768];
int i;
int rs;
struct timeval tv;
EINTRLOOP(rs, gettimeofday(&tv, NULL));
for (i = 0; i < (int)sizeof pool; i++) pool[i] = random() ^ tv.tv_sec ^ tv.tv_usec;
RAND_add(pool, sizeof pool, sizeof pool);
}*/
SSLeay_add_ssl_algorithms();
m = SSLv23_client_method();
if (!m) return NULL;
context = SSL_CTX_new((void *)m);
if (!context) return NULL;
SSL_CTX_set_options(context, SSL_OP_ALL);
SSL_CTX_set_default_verify_paths(context);
}
return (SSL_new(context));
}
void ssl_finish(void)
{
if (context) SSL_CTX_free(context);
}
void https_func(struct connection *c)
{
c->ssl = DUMMY;
http_func(c);
}
#else
void https_func(struct connection *c)
{
setcstate(c, S_NO_SSL);
abort_connection(c);
}
#endif
答案1
名为“bytepool”的用户拥有哪个版本的链接,以便他能够找到此解决方法?请参阅下面的链接。
未知。
他写道:“我快速浏览了代码,似乎相关函数是 https.c 中的 verify_cert .... 因此,为了快速修复我的问题,我为自己构建了一个自定义版本,其中 verify_cert 始终返回 true,即证书检查完全被绕过。”
馊主意。
下面的代码应该可以解决问题如果您要做的就是成功获得过期的证书。
本质上,您添加函数https_verify_cb,然后告诉上下文使用回调。然后,当 OpenSSL 遇到证书时,它会在进行一些自己的处理后调用您的回调。
以下代码允许任何证书过期,包括 CA 和中间证书。您可以使用 将其限制为最终实体证书(即服务器证书)depth == 0。
$ diff -u https.c.orig https.c
--- https.c.orig 2013-09-20 17:17:00.000000000 -0400
+++ https.c 2014-11-13 17:42:40.000000000 -0500
@@ -23,10 +23,34 @@
#define PATH_MAX 255
#endif
+#ifndef NDEBUG
+# include <stdio.h>
+#endif
+
#ifdef HAVE_SSL
+#include <openssl/ssl.h>
+#include <openssl/x509_vfy.h>
+
static SSL_CTX *context = NULL;
+int https_verify_cb(int preverify, X509_STORE_CTX* x509_ctx)
+{
+ /* For error codes, see http://www.openssl.org/docs/apps/verify.html */
+
+ const int depth = X509_STORE_CTX_get_error_depth(x509_ctx);
+ const int err = X509_STORE_CTX_get_error(x509_ctx);
+
+#ifndef NDEBUG
+ fprintf(stdout, "https_verify_cb (depth=%d)(preverify=%d)(error=%d)\n", depth, preverify, err);
+#endif
+
+ /* We return the result of `preverify`, which is the result of customary */
+ /* X509 verifcation. If all goes well, the value will be 1. If preverify */
+ /* failed, then we return success if the certifcate is expired. */
+ return preverify || (err == X509_V_ERR_CERT_HAS_EXPIRED);
+}
+
SSL *getSSL(void)
{
if (!context) {
@@ -62,7 +86,12 @@
if (!m) return NULL;
context = SSL_CTX_new((void *)m);
if (!context) return NULL;
- SSL_CTX_set_options(context, SSL_OP_ALL);
+
+ /* SSL_CTX_set_options(context, SSL_OP_ALL); */
+ const long flags = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
+ long old_opts = SSL_CTX_set_options(context, flags);
+
+ SSL_CTX_set_verify(context, SSL_VERIFY_PEER, https_verify_cb);
SSL_CTX_set_default_verify_paths(context);
}
请注意,OpenSSL 1.1.0 之前的版本不执行主机名匹配,因此即使名称不匹配,库也会成功构建路径。请参阅手册页X509_检查主机(3)。
答案2
这肯定是一个非常非常旧的版本,因为没有一个可下载的版本包含这样的代码。除此之外,你可以简单地使用以下方法完全禁用验证SSL_CTX_set_verify。虽然这不安全,但实际上并不比链接的正常行为更不安全,即检查认证路径,但不检查请求的主机名是否与证书匹配。这使得中间人攻击变得容易,因为您可以使用任何由受信任 CA 签名的证书,而不是真正的证书。