问题描述
我的soap客户端不接受我必须连接的服务上的证书。它给出错误: tcp_connect中的SSL / TLS证书主机名不匹配
。但是chrome接受证书。我检查了铬的证书,我注意到它是一个通配符证书形式* .domain.nl。是否需要其他配置步骤来使gSoap / openssl接受此操作?
My soap client is not accepting the certificate on the service I have to connect to. It gives the error: SSL/TLS certificate host name mismatch in tcp_connect
. However chrome does accept the certificate. I inspected the certificate in chrome and I noticed it is a wildcard certificate in the form *.domain.nl. Are there additional configurations steps required to get gSoap/openssl to accept this?
ssl init:
soap_ssl_client_context(&proxy,
SOAP_SSL_DEFAULT, /* use SOAP_SSL_DEFAULT in production code */
NULL, /* keyfile (cert+key) */
NULL, /* password to read the keyfile */
"c:\\test\\cacert.pem",
NULL, /* optional capath to directory with trusted certificates */
NULL
)
我正在测试的cacert.pem是
The cacert.pem I'm testing with is http://curl.haxx.se/ca/cacert.pem
当我添加 SOAP_SSL_SKIP_HOST_CHECK
到选项一切正常。
When I add SOAP_SSL_SKIP_HOST_CHECK
to the options everything works fine.
推荐答案
我有同样的问题使用gSOAP 2.8.22。搜索解决方案我发现了你的问题...但没有答案。所以我下载,构建和调试OpenSSL 1.0.2d 2015年7月9日(当前最新版本)。
I had the same issue using gSOAP 2.8.22. Searching for a solution I found your question... but no answer. So I download, built and debugged "OpenSSL 1.0.2d 9 Jul 2015" (current last version).
我尝试访问。证书在证书主题Alt名称通配符名称(如* .office365.com)中包含。我发现代码在stdsoap2.cpp中处理此字段,但不检查通配符名称:
I tried to access https://outlook.office365.com/ews/exchange.asmx. The certificate contains in the "Certificate Subject Alt Name" wildcard names like "*.office365.com". I found the code handling this field in stdsoap2.cpp but it doesn't check wildcard names:
names = (GENERAL_NAMES*)X509_get_ext_d2i(peer, NID_subject_alt_name, NULL, NULL);
if (names)
{ val = i2v_GENERAL_NAMES(NULL, names, val);
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
}
if (val)
{ int j;
for (j = 0; j < sk_CONF_VALUE_num(val); j++)
{ CONF_VALUE *nval = sk_CONF_VALUE_value(val, j);
if (nval && !strcmp(nval->name, "DNS") && !strcmp(nval->value, host))
{ ok = 1;
break;
}
}
sk_CONF_VALUE_pop_free(val, X509V3_conf_free);
}
然后我将代码更改为
names = (GENERAL_NAMES*)X509_get_ext_d2i(peer, NID_subject_alt_name, NULL, NULL);
if (names)
{ val = i2v_GENERAL_NAMES(NULL, names, val);
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
}
if (val)
{ int j;
for (j = 0; j < sk_CONF_VALUE_num(val); j++)
{ CONF_VALUE *nval = sk_CONF_VALUE_value(val, j);
if (nval && !strcmp(nval->name, "DNS"))
{
if ( !strcmp( nval->value, host))
{
ok = 1;
break;
}
else if ( *nval->value == '*')
{
const char* const t = nval->value + 1;
if ( *t == '.')
{
const char* const h = strchr( host, '.');
if ( h && !strcmp( t, h))
{
ok = 1;
break;
}
}
}
}
}
sk_CONF_VALUE_pop_free(val, X509V3_conf_free);
}
此修复程序不处理UTF-8名称。为此,你可以看看处理通用名称的代码(搜索NID_commonName)。
This fix doesn't deal with UTF-8 names. For that you can have a look in the code for handling common name (search for NID_commonName).
这篇关于gSoap SSL / TLS证书主机名在tcp_connect中不匹配的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!