openssl s_client using a proxy
1 | openssl s_client -connect some.https.server:443 -showcerts |
当您要检查服务器的证书及其证书链时,这是一个很好的命令。
当您位于HTTP / HTTPS代理后面时,是否可以运行此命令?
您可以使用proxytunnel:
1 | proxytunnel -p yourproxy:8080 -d www.google.com:443 -a 7000 |
然后您可以执行以下操作:
1 | openssl s_client -connect localhost:7000 -showcerts |
希望这可以帮到你!
对于2015年5月之后来到这里的用户:opensl的下一发行版中将包含一个新的" -proxy"选项:https://rt.openssl.org/Ticket/Display.html?id=2651&user= guest&pass = guest
从openssl v1.1.0开始
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | C:\\openssl>openssl version OpenSSL 1.1.0g 2 Nov 2017 C:\\openssl>openssl s_client -proxy 192.168.103.115:3128 -connect www.google.com -CAfile C:\\TEMP\\internalCA.crt CONNECTED(00000088) depth=2 DC = com, DC = xxxx, CN = xxxx CA interne verify return:1 depth=1 C = FR, L = CROIX, CN = svproxysg1, emailAddress = [email protected] verify return:1 depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com verify return:1 --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com i:/C=xxxx/L=xxxx/CN=svproxysg1/[email protected] 1 s:/C=xxxx/L=xxxx/CN=svproxysg1/[email protected] i:/DC=com/DC=xxxxx/CN=xxxxx CA interne --- Server certificate -----BEGIN CERTIFICATE----- MIIDkTCCAnmgAwIBAgIJAIv4/hQAAAAAMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV BAYTAkZSMQ4wDAYDVQQHEwVDUk9JWDETMBEGA1UEAxMKc3Zwcm94eXNnMTEeMBwG |
官方没有。
但这是一个补丁:http://rt.openssl.org/Ticket/Display.html?id=2651&user=guest&pass=guest
即使使用openssl v1.1.0,我在传递代理时也遇到一些问题,例如
那迫使我写一个最小的Java类来显示SSL握手
1 2 3 4 5 6 7 8 9 10 11 12 13 | public static void main(String[] args) throws IOException, URISyntaxException { HttpHost proxy = new HttpHost("proxy.my.company", 8080); DefaultProxyRoutePlanner routePlanner = new DefaultProxyRoutePlanner(proxy); CloseableHttpClient httpclient = HttpClients.custom() .setRoutePlanner(routePlanner) .build(); URI uri = new URIBuilder() .setScheme("https") .setHost("www.myhost.com") .build(); HttpGet httpget = new HttpGet(uri); httpclient.execute(httpget); } |
具有以下依赖性:
1 2 3 4 5 6 | <dependency> <groupId>org.apache.httpcomponents</groupId> httpclient</artifactId> <version>4.5.2</version> <type>jar</type> </dependency> |
您可以在启用Java SSL日志记录的情况下运行它
这应该产生不错的输出,例如
1 2 3 4 5 6 7 8 9 10 11 12 | trustStore provider is : init truststore adding as trusted cert: Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US Issuer: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US Algorithm: RSA; Serial number: 0xc3517 Valid from Mon Jun 21 06:00:00 CEST 1999 until Mon Jun 22 06:00:00 CEST 2020 adding as trusted cert: Subject: CN=SecureTrust CA, O=SecureTrust Corporation, C=US Issuer: CN=SecureTrust CA, O=SecureTrust Corporation, C=US (....) |