While testing a website's certificate pinning with the gnutls-cli command and with Ruby code, I noticed something odd: sometimes the two methods report a different number of certificates in the trust chain.

The command line gnutls-cli github-cloud.s3.amazonaws.com shows 4:
(I removed some redundant information)
    Certificate[0] info: subject `CN=*.s3.amazonaws.com' pin-sha256="hK1awhGE7onU0O+/0pwyTCX1ngEBhLhdNNtD8P11+xY="
    Certificate[1] info: subject `CN=Amazon,OU=Server CA 1B,O=Amazon,C=US' pin-sha256="JSMzqOOrtyOT1kmau6zKhgT676hGgczD5VMdRMyJZFA="
    Certificate[2] info: subject `CN=Amazon Root CA 1,O=Amazon,C=US' pin-sha256="++MBgDH5WGvL9Bcn5Be30cRcL0f5O+NyoXuWtQdX1aI="
    Certificate[3] info: subject `CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\ pin-sha256="KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I="

With Ruby (github-cloud.s3.amazonaws.com):

    /CN=*.s3.amazonaws.com hK1awhGE7onU0O+/0pwyTCX1ngEBhLhdNNtD8P11+xY=
    /C=US/O=Amazon/OU=Server CA 1B/CN=Amazon JSMzqOOrtyOT1kmau6zKhgT676hGgczD5VMdRMyJZFA=
    /C=US/O=Amazon/CN=Amazon Root CA 1 ++MBgDH5WGvL9Bcn5Be30cRcL0f5O+NyoXuWtQdX1aI=
The command line gnutls-cli www.netflix.com shows 2:

    Certificate[0] info: subject `CN=www.netflix.com,O=Netflix\, Inc. pin-sha256:3TGagkVvINvo827M04z0YZlg5kctebcod1Qwb83pA0s=
    Certificate[1] info: subject `CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc pin-sha256="RQeZkB42znUfsDIIFWIRiYEcKl7nHwNFwWCrnMMJbVc="

With Ruby (www.netflix.com):

    /C=US/ST=California/L=Los Gatos/O=Netflix, Inc./CN=www.netflix.com 3TGagkVvINvo827M04z0YZlg5kctebcod1Qwb83pA0s=
    /C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1 RQeZkB42znUfsDIIFWIRiYEcKl7nHwNFwWCrnMMJbVc=
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=

Here is the Ruby code:
    #!/usr/bin/env ruby
    # 'colorize' was required in the original but never used; dropped so the
    # script runs with the standard library only.
    require 'net/http'
    require 'openssl'
    require 'base64'

    domain = "www.netflix.com"
    http = Net::HTTP.new(domain, 443)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER

    # OpenSSL calls this once per certificate in the chain it is verifying.
    # The second argument is an OpenSSL::X509::StoreContext; its #chain is the
    # chain OpenSSL built, not necessarily what the server sent.
    http.verify_callback = lambda do |preverify_ok, cert_store|
      return false unless preverify_ok
      end_cert = cert_store.chain[0]
      # Only dump the chain on the callback for the end-entity certificate,
      # so it is printed once rather than once per certificate.
      return true unless end_cert.to_der == cert_store.current_cert.to_der
      cert_store.chain.each do |i|
        # SPKI pin: base64(SHA-256(SubjectPublicKeyInfo DER))
        sha256 = OpenSSL::Digest::SHA256.new
        digest = sha256.digest(i.public_key.to_der)
        spki = Base64.strict_encode64(digest)
        puts i.subject.to_s, spki
      end
      true
    end

    res = http.get '/'
The Ruby code is taken from Implementing HTTPS certificate/pubkey pinning with Ruby.

Thanks!
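An added example, not part of the question or of the linked article, that reproduces the two views offline. It mints a throwaway root / intermediate / leaf chain in memory (all names, keys and serials are constructed), then compares the certificates a server would typically present in the handshake (leaf and intermediate, which is what gnutls-cli lists) with the chain that OpenSSL::X509::StoreContext#chain reports after verification. That StoreContext is the same object the question's verify_callback receives as its second argument, and its chain ends at whichever root OpenSSL found in its own trust store, so its length depends on the local store and not only on what the server sent. The SPKI pin computation is the same as in the question's script.

```ruby
#!/usr/bin/env ruby
# Added example: server-sent chain vs. the chain OpenSSL's verifier builds.
require 'openssl'
require 'base64'

# SPKI pin as in the question: base64(SHA-256(SubjectPublicKeyInfo DER)).
def spki_pin(cert)
  Base64.strict_encode64(OpenSSL::Digest.new('SHA256').digest(cert.public_key.to_der))
end

# Mint one X.509 v3 certificate. No issuer => self-signed root. (Constructed test data.)
def make_cert(subject, key, serial, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Root -> intermediate -> leaf, mirroring Root CA / Server CA / site in the question.
def build_demo_chain
  root_key = OpenSSL::PKey::RSA.new(2048)
  int_key  = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('/C=US/O=Example/CN=Example Root CA', root_key, 1, ca: true)
  int  = make_cert('/C=US/O=Example/CN=Example Server CA', int_key, 2, ca: true,
                   issuer_cert: root, issuer_key: root_key)
  leaf = make_cert('/CN=www.example.test', leaf_key, 3, ca: false,
                   issuer_cert: int, issuer_key: int_key)
  { root: root, intermediate: int, leaf: leaf }
end

# What a server usually presents in the TLS handshake: leaf plus intermediate, no root.
def sent_chain(demo)
  [demo[:leaf], demo[:intermediate]]
end

# What verify_callback sees as StoreContext#chain: the chain OpenSSL built from the
# presented certificates up to a root it located in its own trust store.
def verified_chain(demo, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  presented = sent_chain(demo)
  ctx = OpenSSL::X509::StoreContext.new(store, presented.first, presented.drop(1))
  raise "verification failed: #{ctx.error_string}" unless ctx.verify
  ctx.chain
end

# [subject, pin] pairs in the same layout the question's script prints.
def pins_of(certs)
  certs.map { |c| [c.subject.to_s, spki_pin(c)] }
end

DEMO = build_demo_chain

if $PROGRAM_NAME == __FILE__
  puts "Presented by server (#{sent_chain(DEMO).length} certs):"
  pins_of(sent_chain(DEMO)).each { |s, p| puts "  #{s} #{p}" }
  chain = verified_chain(DEMO, [DEMO[:root]])
  puts "Built by OpenSSL verifier (#{chain.length} certs):"
  pins_of(chain).each { |s, p| puts "  #{s} #{p}" }
end
```

Run it and the presented list has two entries while the verified chain has three, the extra one being the root pulled from the store. For pinning that means a pin taken from StoreContext#chain may name a certificate the server never sends, while the pin of the leaf or intermediate is present in both views.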