The problem
Let's say I would like to download all the SSL certificates for a specific site so that I can do certificate pinning later.
How can I query the web server with openssl to download all available certificates without knowing their properties?
EXAMPLE
The domain api.cyberghostvpn.com has certificates with the following signatures:
- ECDSA + SHA256
- RSA + SHA256
- RSA + SHA1
To download them, you can use the following commands:
echo | \
openssl s_client -connect api.cyberghostvpn.com:443 -sigalgs 'ECDSA+SHA256' 2>/dev/null | \
openssl x509 -outform DER > api_ECDSA+SHA256.crt
echo | \
openssl s_client -connect api.cyberghostvpn.com:443 -sigalgs 'RSA+SHA256' 2>/dev/null | \
openssl x509 -outform DER > api_RSA+SHA256.crt
echo | \
openssl s_client -connect api.cyberghostvpn.com:443 -sigalgs 'RSA+SHA1' 2>/dev/null | \
openssl x509 -outform DER > api_RSA+SHA1.crt
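The three commands above do the same thing with a different -sigalgs value each time. The script below is an added example, not code from the original question: it loops over a list of signature algorithms, keeps only the distinct leaf certificates (compared by SHA-256 fingerprint), and prints the serial, signature algorithm and SANs that a pinning setup would record. HOST, PORT and the SIGALGS list are placeholders taken from the question and can be overridden from the environment; -servername is added so the request carries SNI (the original commands omit it); it assumes an openssl with s_client -sigalgs (1.0.2 or newer).

```shell
#!/bin/sh
# Added example, not code from the original question: fetch the leaf certificate a TLS
# server presents for each signature-algorithm preference, keep only distinct ones
# (by SHA-256 fingerprint) and print the fields used later for pinning.
# Assumptions: openssl 1.0.2+ (s_client -sigalgs); HOST, PORT and SIGALGS are
# placeholders that can be overridden from the environment.
HOST="${HOST:-api.cyberghostvpn.com}"
PORT="${PORT:-443}"
SIGALGS="${SIGALGS:-ECDSA+SHA256 RSA+SHA256 RSA+SHA1}"

# sigalg_to_filename 'RSA+SHA256' -> leaf_RSA_SHA256.der ('+' is awkward in file names)
sigalg_to_filename() {
    printf 'leaf_%s.der\n' "$(printf '%s' "$1" | tr '+' '_')"
}

# fetch_leaf HOST PORT SIGALG OUTFILE: handshake offering only SIGALG, store the leaf
# certificate as DER. Returns non-zero when the server presents no certificate for it.
fetch_leaf() {
    echo | openssl s_client -connect "$1:$2" -servername "$1" -sigalgs "$3" 2>/dev/null \
        | openssl x509 -outform DER -out "$4" 2>/dev/null
}

# der_fingerprint FILE: SHA-256 fingerprint of a DER certificate, colon separated
der_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# der_summary FILE: serial number, signature algorithm and DNS SANs of a DER certificate
der_summary() {
    openssl x509 -inform DER -in "$1" -noout -serial -text \
        | sed 's/^[[:space:]]*//' \
        | grep -E '^serial=|^Signature Algorithm:|DNS:' \
        | sort -u
}

# enumerate_leafs: try every sigalg in SIGALGS, drop duplicates, report the rest
enumerate_leafs() {
    seen=" "
    for alg in $SIGALGS; do
        out=$(sigalg_to_filename "$alg")
        if ! fetch_leaf "$HOST" "$PORT" "$alg" "$out"; then
            echo "$alg: no certificate (handshake refused or sigalg unsupported)" >&2
            rm -f "$out"
            continue
        fi
        fp=$(der_fingerprint "$out")
        case "$seen" in
            *" $fp "*) echo "$alg: same certificate as an earlier sigalg"; rm -f "$out"; continue ;;
        esac
        seen="$seen$fp "
        echo "$alg -> $out  SHA256=$fp"
        der_summary "$out"
    done
}

# Run the enumeration only when invoked as: sh enumerate_leafs.sh run
if [ "${1:-}" = "run" ]; then
    enumerate_leafs
fi
```

Run it with `sh enumerate_leafs.sh run`; each distinct leaf is left behind as a .der file next to its fingerprint. Two caveats for anyone pinning on the result: the server may also pick a certificate by the cipher suites the client offers, so a sigalg loop alone is not guaranteed exhaustive, and leaf certificates rotate (the dumps further down are valid for about six months), so pinned fingerprints need a refresh path.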
RESPONSES
@Seth:
- You don't need to be the owner of the domain to be interested in a site's public SSL certificate.
In my case I was interested in these certificates because I'm now using their fingerprints in a custom TrustManager (Java) I wrote, to be sure I get the right certificates. I'm using it in a custom okHttp client so that I can connect directly to the API server (knowing the IPs) without requiring a DNS lookup (which can be blocked in certain countries ...).
- Cloudflare does not allow downloading these certificates from its web interface.
@Alex:
FIRST COMMENT
- those commands were actually executed one by one (superuser was removing my lines ... sorry)
- Regarding your answer:
Your command only prints the certificate chain of this one valid SSL connection.
The chain starts at the root authority and ends with the server certificate.
On the servers there are several SSL certificates installed to increase client compatibility (so that newer clients can establish a more secure connection).
Each of the commands I specified above downloads a different server certificate, depending on which cipher + hash algorithm combination I allowed with '-sigalgs'.
SECOND COMMENT
You don't believe me? Look at the output!
- Serial numbers:
- 96:4f:da:8c:12:ff:3f:c0:9b:65:71:33:31:f6:fc:7e
- 1f:78:84:e8:e5:e8:72:7b:43:36:12:7f:15:32:14:46
- be:b3:dc:01:de:39:74:99:7b:99:a1:db:97:d4:34:46
- Signature algorithms:
- sha256WithRSAEncryption
- sha1WithRSAEncryption
- ecdsa-with-SHA256
- Subject Alternative Name
- DNS:ssl366066.cloudflaressl.com
- DNS:*.cyberghostvpn.com
- DNS:cyberghostvpn.com
First certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
96:4f:da:8c:12:ff:3f:c0:9b:65:71:33:31:f6:fc:7e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA 2
Validity
Not Before: Mar 3 00:00:00 2018 GMT
Not After : Sep 9 23:59:59 2018 GMT
Subject: OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=ssl366066.cloudflaressl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cd:47:a0:24:81:11:b2:8a:6d:e5:91:02:f0:0e:
d6:46:92:5f:28:4b:0c:9e:66:f8:e9:1d:d4:1f:4f:
64:70:4a:5d:e9:a2:a6:cc:71:dc:76:15:f3:8a:6c:
59:e1:9c:5c:38:46:de:53:9b:c3:2d:87:c0:49:1b:
a2:68:1a:fb:ba:f7:5b:ec:b4:f9:92:85:1e:72:12:
78:94:47:ac:b9:3d:a3:cf:03:ed:18:e0:d0:8e:1f:
6b:59:49:f4:76:57:19:18:74:38:e1:77:45:74:7f:
ce:c4:59:77:4a:25:7b:88:58:9d:9f:ac:8c:4a:b6:
8c:cc:46:9b:9e:33:6d:52:26:6a:e3:b3:5d:6d:4a:
0a:e9:a0:4f:a8:3b:c4:cd:5f:1c:f9:50:7a:0d:da:
f1:ca:61:50:c2:56:52:ba:33:80:05:24:9a:58:49:
ff:90:36:de:06:24:32:29:47:2b:7d:ec:a5:ab:f7:
a6:fd:cf:04:46:02:b4:6b:d2:39:ee:f1:66:d5:e2:
23:1b:46:b8:d0:6d:e4:d1:1f:5d:26:e4:5e:44:6b:
b2:7b:bc:81:17:56:51:92:ec:61:95:bf:9a:56:8f:
5d:3d:66:e5:74:1a:a5:42:a6:ca:6d:4f:49:44:19:
5f:b8:e5:64:8a:24:31:80:32:bf:c7:7e:09:0a:7e:
19:ed
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:D4:B0:F4:FD:4F:9C:42:A4:6C:DC:3D:2E:EE:5B:41:18:C9:AD:03:F6
X509v3 Subject Key Identifier:
5C:DD:94:66:77:CE:58:18:D8:64:2B:82:2E:3F:7F:F2:95:03:6B:84
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.7
CPS: https://secure.comodo.com/CPS
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crl
Authority Information Access:
CA Issuers - URI:http://crt.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crt
OCSP - URI:http://ocsp.comodoca4.com
X509v3 Subject Alternative Name:
DNS:ssl366066.cloudflaressl.com, DNS:*.cyberghostvpn.com, DNS:cyberghostvpn.com
Signature Algorithm: sha256WithRSAEncryption
3f:a2:7c:83:b5:e4:22:33:a1:c0:07:a3:7e:d0:8b:06:2f:d3:
6e:d6:c2:2f:a5:66:49:0c:bb:39:dc:1c:be:0e:a3:ba:44:e9:
3d:99:34:e7:3b:9d:4f:60:35:d1:52:fc:63:7d:a8:08:9e:52:
24:36:8e:d0:89:4d:44:4e:d4:7c:9d:fd:87:dd:b6:7c:51:26:
90:25:89:eb:88:0a:d5:37:18:bb:14:8b:d5:f6:2a:f0:f3:fc:
31:04:db:d9:90:00:cc:e4:92:f6:cb:6c:fd:2e:af:ce:a0:fe:
c6:54:58:fd:fc:43:bb:48:be:03:15:c0:95:54:1f:4f:8e:34:
c1:b1:06:46:1d:69:3e:ca:8c:8b:91:07:4d:64:d2:46:48:9d:
2e:9e:3f:da:f5:73:7b:2c:07:f3:89:89:e0:93:78:9f:b4:be:
3d:d6:b7:3a:ba:20:a7:1f:3b:f0:8e:5b:d1:ea:07:8b:9c:a6:
3d:16:56:a2:2e:c9:f7:81:9c:af:c5:65:00:0a:eb:49:c9:23:
a0:70:8d:3d:4a:50:73:64:d8:49:f0:5f:b2:c9:bc:99:78:6f:
53:73:83:74:ac:00:c4:3e:cf:d6:5a:2d:57:5e:3d:60:b3:02:
bd:3d:66:89:c7:9c:e4:3e:89:5d:7c:14:a3:f5:3c:42:fd:a4:
0a:06:9b:fe
Second certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1f:78:84:e8:e5:e8:72:7b:43:36:12:7f:15:32:14:46
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Domain Validation Legacy Server CA 2
Validity
Not Before: Mar 2 00:00:00 2018 GMT
Not After : Sep 8 23:59:59 2018 GMT
Subject: OU=Domain Control Validated, OU=Legacy Multi-Domain SSL, CN=ssl366065.cloudflaressl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cb:9c:14:cd:c9:78:7e:0d:9a:1b:af:98:bd:6d:
21:c7:12:04:d4:97:fd:de:bc:ea:a9:fd:d4:2b:e7:
d0:98:b5:54:f2:2b:aa:6c:fb:60:86:9c:cf:ae:d4:
e3:fe:ad:b9:95:f0:ae:c5:9b:9f:f3:3a:51:93:55:
7a:e6:62:4e:47:5c:15:b8:f0:64:a3:07:6a:f1:32:
8b:7f:f8:d6:2b:ed:34:67:25:95:b0:f2:e8:ac:aa:
cf:e2:7c:a8:39:10:c5:c5:78:e8:69:f4:44:67:94:
7f:88:36:2d:0f:a5:c9:a1:4f:eb:04:7f:06:c3:c7:
c3:5a:8b:ea:65:e4:78:98:57:67:4e:98:7d:63:e1:
7f:4d:90:93:35:ac:57:a2:7a:82:36:c4:73:5c:c2:
a2:26:87:c6:2d:db:ec:9f:d8:89:84:a8:b9:c0:fe:
7b:e9:c7:11:61:f7:8c:48:2c:86:65:0a:08:8f:1f:
10:e0:3a:f4:2e:1d:f3:92:5e:4b:46:97:37:d9:6b:
dd:ca:ed:a4:7f:b5:8e:85:66:a0:b7:a7:e8:89:46:
cf:fd:78:f7:bc:dd:fc:29:d1:5f:1e:89:ba:2e:44:
f6:ba:36:32:4e:99:d7:53:13:a6:76:9a:4f:a0:15:
91:bd:83:08:20:7c:cc:be:9e:c9:ae:8d:c8:ad:ab:
cd:1d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:99:8E:02:95:C5:1E:55:22:7B:87:70:8B:5E:1C:01:C2:76:C4:AE:E8
X509v3 Subject Key Identifier:
58:D9:A7:F4:57:FE:6E:E2:E9:D0:F0:80:E3:25:07:6B:B3:20:17:AC
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.7
CPS: https://secure.comodo.com/CPS
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca4.com/COMODODomainValidationLegacyServerCA2.crl
Authority Information Access:
CA Issuers - URI:http://crt.comodoca4.com/COMODODomainValidationLegacyServerCA2.crt
OCSP - URI:http://ocsp.comodoca4.com
X509v3 Subject Alternative Name:
DNS:ssl366065.cloudflaressl.com, DNS:*.cyberghostvpn.com, DNS:cyberghostvpn.com
Signature Algorithm: sha1WithRSAEncryption
07:1b:13:eb:96:01:9f:da:7d:80:5f:72:92:c0:bd:6b:86:ea:
b5:5b:e6:35:6b:c7:dc:a1:1b:65:62:69:3f:bd:45:af:8e:ca:
95:76:c9:69:97:8d:2f:b2:36:96:e9:41:ab:fe:7a:36:fb:ce:
e9:f5:5d:fb:01:40:7e:6f:d9:e7:24:ac:a2:99:b3:2c:3b:dc:
4c:cc:69:90:ed:6e:da:0c:a0:86:95:dd:69:65:a4:de:41:51:
85:2e:1c:3c:56:00:ae:d6:4d:bb:e7:e8:8c:94:f9:fe:cc:0c:
c2:41:62:5d:64:b4:0e:53:67:56:c1:db:87:75:5a:e9:6c:01:
be:45:aa:92:fa:e8:4f:7a:a1:44:f9:00:48:a7:55:ee:d6:9b:
1f:9e:70:e0:fa:c5:7e:cd:9b:d8:c8:a1:e8:bb:4d:7f:31:ef:
9a:cf:27:ff:39:f7:ce:80:9d:11:cc:d1:29:69:de:ad:04:51:
cd:b1:8e:af:63:00:d4:08:e7:90:5c:f1:82:8e:8f:0d:0d:8c:
42:1e:17:ce:6a:20:00:77:04:cc:c2:e3:11:af:78:3b:3c:0b:
d2:4e:1d:5a:ec:58:77:09:15:bc:f0:0e:cf:fa:ea:51:1c:19:
a3:5f:69:cb:f4:8a:83:f7:2c:de:a1:5f:2e:fe:47:06:e0:87:
8e:3b:12:52
Third certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
be:b3:dc:01:de:39:74:99:7b:99:a1:db:97:d4:34:46
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Domain Validation Secure Server CA 2
Validity
Not Before: Mar 2 00:00:00 2018 GMT
Not After : Sep 8 23:59:59 2018 GMT
Subject: OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=ssl366067.cloudflaressl.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:92:0b:93:8a:65:ce:02:eb:f9:81:be:cf:54:19:
eb:5b:b4:ce:61:1b:32:25:b0:ca:da:e1:1a:b9:59:
98:cd:d0:0a:81:0d:4a:99:1b:e8:f5:fd:e1:1f:7b:
07:36:a9:85:4f:17:54:f3:71:1a:ee:1b:ad:af:98:
7c:55:97:7a:7b
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:40:09:61:67:F0:BC:83:71:4F:DE:12:08:2C:6F:D4:D4:2B:76:3D:96
X509v3 Subject Key Identifier:
C6:2E:B1:E7:71:C3:3E:B8:B6:B5:2F:34:8A:5A:06:ED:EB:15:A1:60
X509v3 Key Usage: critical
Digital Signature
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.7
CPS: https://secure.comodo.com/CPS
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crl
Authority Information Access:
CA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt
OCSP - URI:http://ocsp.comodoca4.com
X509v3 Subject Alternative Name:
DNS:ssl366067.cloudflaressl.com, DNS:*.cyberghostvpn.com, DNS:cyberghostvpn.com
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:bf:a3:b1:95:e2:2f:42:5f:8c:e3:f5:24:5f:
7b:cb:6b:22:bc:98:47:3e:31:6c:25:9d:fc:15:36:9a:26:45:
b9:02:21:00:82:32:aa:6e:e3:6f:5f:41:b9:91:e1:bd:0e:39:
e4:2c:35:60:ce:8a:72:db:6e:48:63:e7:6b:44:5a:f3:4c:5e