如何通过 openssl 二进制文件下载域名的所有已公布的 SSL 证书?

如何通过 openssl 二进制文件下载域名的所有已公布的 SSL 证书?

问题

假设我想下载特定网站的每个 SSL 证书,以便以后能够进行证书固定。

如何使用 openssl 查询 Web 服务器,以下载所有可用的证书而不需要知道它们的任何属性?


示例

域名 api.cyberghostvpn.com 具有以下签名的证书:

  • ECDSA+SHA256
  • RSA+SHA256
  • RSA+SHA1

要下载这些内容,您可以使用以下命令:

回声 | \
openssl s_client -connect api.cyberghostvpn.com:443 2>/dev/null -sigalgs 'ECDSA+SHA256' 2>/dev/null | \ openssl x509 -outform DER > api_ECDSA+SHA256.crt
回声 | \ echo | \
openssl s_client -connect api.cyberghostvpn.com:443 2>/dev/null -sigalgs 'RSA+SHA256' 2>/dev/null | \ openssl x509 -outform DER > api_RSA+SHA256.crt
回声 | \
openssl s_client -connect api.cyberghostvpn.com:443 2>/dev/null -sigalgs 'RSA+SHA1' 2>/dev/null | \ openssl x509 -输出 DER > api_RSA+SHA1.crt


回复

@Seth:

  1. 您无需成为域名所有者即可对网站的公共 SSL 证书感兴趣。
    就我而言,我对这些证书感兴趣,因为我现在在编写的自定义 TrustManager (Java) 中使用它们的指纹,以确保获得正确的证书。我在自定义 okHTTP 客户端中使用它,这样我就可以直接连接到 api 服务器(知道 IP),而无需进行 DNS 查找(在某些国家/地区可能会被阻止...)。

  2. Cloudflare 不允许在其 Web 界面下载这些证书。

@Alex:

第一条评论 - 这些命令实际上是逐个执行的(超级用户删除了我的行...抱歉) - 您的回答:
您的命令仅打印出此有效 SSL 连接的证书链。
该链从根权限开始,以服务器证书结束。
服务器上安装了多个 SSL 证书以提高客户端兼容性(因此较新的客户端可以建立更安全的连接)。我上面指定的每个命令都会根据我使用“-sigalgs”允许的密码套件 + 哈希算法下载不同的服务器证书。


第二条评论

你不相信我?看看输出!

  • 序列号:
    • 96:4f:da:8c:12:ff:3f:c0:9b:65:71:33:31:f6:fc:7e
    • 1f:78:84:e8:e5:e8:72:7b:43:36:12:7f:15:32:14:46
    • 是:b3:dc:01:de:39:74:99:7b:99:a1:db:97:d4:34:46
  • 签名算法:
    • sha256WithRSAEncryption
    • sha1WithRSAEncryption
    • ecdsa-带-SHA256
  • 主题备用名称
    • DNS:ssl366066.cloudflaressl.com
    • DNS:*.cyberghostvpn.com
    • DNS:cyberghostvpn.com

第一个证书:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            96:4f:da:8c:12:ff:3f:c0:9b:65:71:33:31:f6:fc:7e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA 2
        Validity
            Not Before: Mar  3 00:00:00 2018 GMT
            Not After : Sep  9 23:59:59 2018 GMT
        Subject: OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=ssl366066.cloudflaressl.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cd:47:a0:24:81:11:b2:8a:6d:e5:91:02:f0:0e:
                    d6:46:92:5f:28:4b:0c:9e:66:f8:e9:1d:d4:1f:4f:
                    64:70:4a:5d:e9:a2:a6:cc:71:dc:76:15:f3:8a:6c:
                    59:e1:9c:5c:38:46:de:53:9b:c3:2d:87:c0:49:1b:
                    a2:68:1a:fb:ba:f7:5b:ec:b4:f9:92:85:1e:72:12:
                    78:94:47:ac:b9:3d:a3:cf:03:ed:18:e0:d0:8e:1f:
                    6b:59:49:f4:76:57:19:18:74:38:e1:77:45:74:7f:
                    ce:c4:59:77:4a:25:7b:88:58:9d:9f:ac:8c:4a:b6:
                    8c:cc:46:9b:9e:33:6d:52:26:6a:e3:b3:5d:6d:4a:
                    0a:e9:a0:4f:a8:3b:c4:cd:5f:1c:f9:50:7a:0d:da:
                    f1:ca:61:50:c2:56:52:ba:33:80:05:24:9a:58:49:
                    ff:90:36:de:06:24:32:29:47:2b:7d:ec:a5:ab:f7:
                    a6:fd:cf:04:46:02:b4:6b:d2:39:ee:f1:66:d5:e2:
                    23:1b:46:b8:d0:6d:e4:d1:1f:5d:26:e4:5e:44:6b:
                    b2:7b:bc:81:17:56:51:92:ec:61:95:bf:9a:56:8f:
                    5d:3d:66:e5:74:1a:a5:42:a6:ca:6d:4f:49:44:19:
                    5f:b8:e5:64:8a:24:31:80:32:bf:c7:7e:09:0a:7e:
                    19:ed
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:D4:B0:F4:FD:4F:9C:42:A4:6C:DC:3D:2E:EE:5B:41:18:C9:AD:03:F6

            X509v3 Subject Key Identifier: 
                5C:DD:94:66:77:CE:58:18:D8:64:2B:82:2E:3F:7F:F2:95:03:6B:84
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://secure.comodo.com/CPS
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crl

            Authority Information Access: 
                CA Issuers - URI:http://crt.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crt
                OCSP - URI:http://ocsp.comodoca4.com

            X509v3 Subject Alternative Name: 
                DNS:ssl366066.cloudflaressl.com, DNS:*.cyberghostvpn.com, DNS:cyberghostvpn.com
    Signature Algorithm: sha256WithRSAEncryption
         3f:a2:7c:83:b5:e4:22:33:a1:c0:07:a3:7e:d0:8b:06:2f:d3:
         6e:d6:c2:2f:a5:66:49:0c:bb:39:dc:1c:be:0e:a3:ba:44:e9:
         3d:99:34:e7:3b:9d:4f:60:35:d1:52:fc:63:7d:a8:08:9e:52:
         24:36:8e:d0:89:4d:44:4e:d4:7c:9d:fd:87:dd:b6:7c:51:26:
         90:25:89:eb:88:0a:d5:37:18:bb:14:8b:d5:f6:2a:f0:f3:fc:
         31:04:db:d9:90:00:cc:e4:92:f6:cb:6c:fd:2e:af:ce:a0:fe:
         c6:54:58:fd:fc:43:bb:48:be:03:15:c0:95:54:1f:4f:8e:34:
         c1:b1:06:46:1d:69:3e:ca:8c:8b:91:07:4d:64:d2:46:48:9d:
         2e:9e:3f:da:f5:73:7b:2c:07:f3:89:89:e0:93:78:9f:b4:be:
         3d:d6:b7:3a:ba:20:a7:1f:3b:f0:8e:5b:d1:ea:07:8b:9c:a6:
         3d:16:56:a2:2e:c9:f7:81:9c:af:c5:65:00:0a:eb:49:c9:23:
         a0:70:8d:3d:4a:50:73:64:d8:49:f0:5f:b2:c9:bc:99:78:6f:
         53:73:83:74:ac:00:c4:3e:cf:d6:5a:2d:57:5e:3d:60:b3:02:
         bd:3d:66:89:c7:9c:e4:3e:89:5d:7c:14:a3:f5:3c:42:fd:a4:
         0a:06:9b:fe

第二证书

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1f:78:84:e8:e5:e8:72:7b:43:36:12:7f:15:32:14:46
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Domain Validation Legacy Server CA 2
        Validity
            Not Before: Mar  2 00:00:00 2018 GMT
            Not After : Sep  8 23:59:59 2018 GMT
        Subject: OU=Domain Control Validated, OU=Legacy Multi-Domain SSL, CN=ssl366065.cloudflaressl.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cb:9c:14:cd:c9:78:7e:0d:9a:1b:af:98:bd:6d:
                    21:c7:12:04:d4:97:fd:de:bc:ea:a9:fd:d4:2b:e7:
                    d0:98:b5:54:f2:2b:aa:6c:fb:60:86:9c:cf:ae:d4:
                    e3:fe:ad:b9:95:f0:ae:c5:9b:9f:f3:3a:51:93:55:
                    7a:e6:62:4e:47:5c:15:b8:f0:64:a3:07:6a:f1:32:
                    8b:7f:f8:d6:2b:ed:34:67:25:95:b0:f2:e8:ac:aa:
                    cf:e2:7c:a8:39:10:c5:c5:78:e8:69:f4:44:67:94:
                    7f:88:36:2d:0f:a5:c9:a1:4f:eb:04:7f:06:c3:c7:
                    c3:5a:8b:ea:65:e4:78:98:57:67:4e:98:7d:63:e1:
                    7f:4d:90:93:35:ac:57:a2:7a:82:36:c4:73:5c:c2:
                    a2:26:87:c6:2d:db:ec:9f:d8:89:84:a8:b9:c0:fe:
                    7b:e9:c7:11:61:f7:8c:48:2c:86:65:0a:08:8f:1f:
                    10:e0:3a:f4:2e:1d:f3:92:5e:4b:46:97:37:d9:6b:
                    dd:ca:ed:a4:7f:b5:8e:85:66:a0:b7:a7:e8:89:46:
                    cf:fd:78:f7:bc:dd:fc:29:d1:5f:1e:89:ba:2e:44:
                    f6:ba:36:32:4e:99:d7:53:13:a6:76:9a:4f:a0:15:
                    91:bd:83:08:20:7c:cc:be:9e:c9:ae:8d:c8:ad:ab:
                    cd:1d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:99:8E:02:95:C5:1E:55:22:7B:87:70:8B:5E:1C:01:C2:76:C4:AE:E8

            X509v3 Subject Key Identifier: 
                58:D9:A7:F4:57:FE:6E:E2:E9:D0:F0:80:E3:25:07:6B:B3:20:17:AC
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://secure.comodo.com/CPS

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.comodoca4.com/COMODODomainValidationLegacyServerCA2.crl

            Authority Information Access: 
                CA Issuers - URI:http://crt.comodoca4.com/COMODODomainValidationLegacyServerCA2.crt
                OCSP - URI:http://ocsp.comodoca4.com

            X509v3 Subject Alternative Name: 
                DNS:ssl366065.cloudflaressl.com, DNS:*.cyberghostvpn.com, DNS:cyberghostvpn.com
    Signature Algorithm: sha1WithRSAEncryption
         07:1b:13:eb:96:01:9f:da:7d:80:5f:72:92:c0:bd:6b:86:ea:
         b5:5b:e6:35:6b:c7:dc:a1:1b:65:62:69:3f:bd:45:af:8e:ca:
         95:76:c9:69:97:8d:2f:b2:36:96:e9:41:ab:fe:7a:36:fb:ce:
         e9:f5:5d:fb:01:40:7e:6f:d9:e7:24:ac:a2:99:b3:2c:3b:dc:
         4c:cc:69:90:ed:6e:da:0c:a0:86:95:dd:69:65:a4:de:41:51:
         85:2e:1c:3c:56:00:ae:d6:4d:bb:e7:e8:8c:94:f9:fe:cc:0c:
         c2:41:62:5d:64:b4:0e:53:67:56:c1:db:87:75:5a:e9:6c:01:
         be:45:aa:92:fa:e8:4f:7a:a1:44:f9:00:48:a7:55:ee:d6:9b:
         1f:9e:70:e0:fa:c5:7e:cd:9b:d8:c8:a1:e8:bb:4d:7f:31:ef:
         9a:cf:27:ff:39:f7:ce:80:9d:11:cc:d1:29:69:de:ad:04:51:
         cd:b1:8e:af:63:00:d4:08:e7:90:5c:f1:82:8e:8f:0d:0d:8c:
         42:1e:17:ce:6a:20:00:77:04:cc:c2:e3:11:af:78:3b:3c:0b:
         d2:4e:1d:5a:ec:58:77:09:15:bc:f0:0e:cf:fa:ea:51:1c:19:
         a3:5f:69:cb:f4:8a:83:f7:2c:de:a1:5f:2e:fe:47:06:e0:87:
         8e:3b:12:52

第三個證書:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            be:b3:dc:01:de:39:74:99:7b:99:a1:db:97:d4:34:46
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Domain Validation Secure Server CA 2
        Validity
            Not Before: Mar  2 00:00:00 2018 GMT
            Not After : Sep  8 23:59:59 2018 GMT
        Subject: OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=ssl366067.cloudflaressl.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:92:0b:93:8a:65:ce:02:eb:f9:81:be:cf:54:19:
                    eb:5b:b4:ce:61:1b:32:25:b0:ca:da:e1:1a:b9:59:
                    98:cd:d0:0a:81:0d:4a:99:1b:e8:f5:fd:e1:1f:7b:
                    07:36:a9:85:4f:17:54:f3:71:1a:ee:1b:ad:af:98:
                    7c:55:97:7a:7b
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:40:09:61:67:F0:BC:83:71:4F:DE:12:08:2C:6F:D4:D4:2B:76:3D:96

            X509v3 Subject Key Identifier: 
                C6:2E:B1:E7:71:C3:3E:B8:B6:B5:2F:34:8A:5A:06:ED:EB:15:A1:60
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://secure.comodo.com/CPS
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crl

            Authority Information Access: 
                CA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt
                OCSP - URI:http://ocsp.comodoca4.com

            X509v3 Subject Alternative Name: 
                DNS:ssl366067.cloudflaressl.com, DNS:*.cyberghostvpn.com, DNS:cyberghostvpn.com
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:bf:a3:b1:95:e2:2f:42:5f:8c:e3:f5:24:5f:
         7b:cb:6b:22:bc:98:47:3e:31:6c:25:9d:fc:15:36:9a:26:45:
         b9:02:21:00:82:32:aa:6e:e3:6f:5f:41:b9:91:e1:bd:0e:39:
         e4:2c:35:60:ce:8a:72:db:6e:48:63:e7:6b:44:5a:f3:4c:5e

答案1

如果您无法访问服务器,那么找出服务器将支持哪些签名算法的唯一方法是依次尝试每个算法,这与您所做的类似,但涵盖了所有可能性。一个简单的脚本就可以为您做到这一点。假设您可以访问类似 Unix 的 shell:

for sign in RSA DSA ECDSA; do
  for digest in MD5 SHA1 SHA224 SHA256 SHA384 SHA512; do
    sigalgs="${sign}+${digest}"
    echo "Trying $sigalgs"
      echo | openssl s_client -connect api.cyberghostvpn.com:443 -sigalgs "$sigalgs" 2> /dev/null > "${sigalgs}.cer"
      if [ $? != 0 ]; then rm "${sigalgs}.cer"; fi
  done
done

奇怪的是,并非所有服务器都遵守 ClientHello 消息中的 SignatureAlgorithm 扩展。 所有 RSA 请求www.google.com都会返回,但 DSA 和 ECDSA 则会失败。sha256withRSAEncryption

相关内容