August 03, 2006

Extracting the SSL certificates from a given port

With the command "openssl s_client -showcerts -connect host:port" we can obtain the PEM certificate served on that port. This can be useful for adding it as a trusted certificate in the mail client, the browser, etc.

For example:
$ openssl s_client -showcerts -connect smtp.gmail.com:465
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
No client certificate CA names sent
---
SSL handshake has read 1012 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 709EA2D2758A275A4B8C8075F359AF7C09D9A4D1EDF86AFCDA36B82E224C6F10
Session-ID-ctx:
Master-Key: 7D780A94C7242D8B9606E1D642A159435C14E7B85DE67E5D572737FCEED6657EA7309CBD6076518C1C6C703CE29AE414
Key-Arg : None
Start Time: 1154612630
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---

And now with Yahoo:
$ openssl s_client -showcerts -connect edit.europe.yahoo.com:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=edit.europe.yahoo.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=edit.europe.yahoo.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=edit.europe.yahoo.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=edit.europe.yahoo.com
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=edit.europe.yahoo.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
