https://www.rfc-editor.org/rfc/rfc7633
How can I simply check whether a website's certificate has the OCSP Must-Staple extension?
For example, to check whether Let's Encrypt certificates have that property, as asked here: https://community.letsencrypt.org/t/improving-revocation-will-lets-encrypt-support-ocsp-must-staple/4334/20
If you parse the certificate with openssl x509 -text, you get:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
31:64:4e:0c:95:4d:02:eb:78:97:11:6f:62:ee:71:02
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Domain Validation Secure Server CA
Validity
Not Before: Dec 7 00:00:00 2015 GMT
Not After : Dec 6 23:59:59 2016 GMT
Subject: OU=Domain Control Validated, OU=GGSSL Domain SSL, CN=must-staple-no-ocsp.serverhello.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:11:7d:2b:99:af:dc:5a:4e:af:83:90:df:52:50:
3c:dc:52:08:0d:80:4c:b3:e3:fd:07:9c:99:6f:2c:
ab:1d:c0:ad:3e:c9:7c:da:25:f0:c2:e0:24:9b:b5:
fa:45:cf:e8:f6:cb:5d:7a:ce:a8:01:b5:af:5a:14:
03:fe:7c:6d:db:f3:ed:97:ea:08:cd:33:50:0f:09:
f1:00:50:ba:ae:ed:d2:a4:85:5b:4b:97:bf:0b:bf:
10:70:e1:32:83:70:d2
ASN1 OID: secp384r1
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:BB:FA:08:E0:BF:54:EE:5A:FD:16:A4:35:02:09:A9:A4:C8:EC:FD:4B
X509v3 Subject Key Identifier:
1E:4C:D6:4E:0C:75:9F:9A:E9:A4:C0:2E:44:BF:41:02:44:16:B7:B9
X509v3 Key Usage: critical
Digital Signature
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.7
CPS: https://secure.comodo.com/CPS
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/COMODOECCDomainValidationSecureServerCA.crl
Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODOECCDomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com
1.3.6.1.5.5.7.1.24:
0....
X509v3 Subject Alternative Name:
DNS:must-staple-no-ocsp.serverhello.com, DNS:www.must-staple-no-ocsp.serverhello.com
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:66:ed:0b:d2:4b:0a:97:15:29:91:54:5b:03:df:
97:ac:b8:f4:dc:cc:43:7b:08:eb:b9:50:cf:16:c2:ac:6f:4e:
02:20:6e:5c:4d:92:eb:b0:22:b6:91:41:e8:e1:a7:d2:27:cc:
ef:65:d5:e9:76:9a:a8:1d:d1:b1:1b:7d:79:8c:2c:0b
But openssl s_client -trace shows:
TLS Feature:
status_request
instead of
1.3.6.1.5.5.7.1.24:
0....
"1.3.6.1.5.5.7.1.24" is the number that the RFC writes as "1.3.6.1.5.5.7.1" "24". According to the RFC, "In particular, the TLS feature extension may be used to mandate the support of revocation checking features in the TLS protocol such as Online Certificate Status Protocol (OCSP) stapling."
So, if you only need to do this once while debugging, run openssl s_client -connect must-staple-no-ocsp.serverhello.com:443 -servername must-staple-no-ocsp.serverhello.com -status, copy the certificate PEM into a file, and run openssl x509 -text -noout -in foo.pem | grep 1.3.6.1.5.5.7.1.24; that is enough. If you need to package it in an API, it is more complicated.
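As an added example (not part of the original answer, and not code from the OpenSSL project), here is a standard-library Python module that performs the same check as the grep above, but on the DER certificate itself, which is the route you would take when packaging the check in an API: it walks the TBSCertificate to the [3] extensions block, looks for OID 1.3.6.1.5.5.7.1.24 and decodes its value as the SEQUENCE OF INTEGER that RFC 7633 defines, then reports whether feature 5 (status_request) is present. The "0...." that openssl prints for the undecoded extension above is exactly this value's five DER bytes, 30 03 02 01 05. The certificate the example runs against is a constructed skeleton assembled by a tiny DER encoder (placeholder issuer, subject, key and signature), not a real certificate, and every function name is this example's own.

```python
"""Detect the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) in a
DER-encoded X.509 certificate and report whether it requests status_request,
i.e. OCSP Must-Staple. Pure standard library; no openssl binary needed."""

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"
STATUS_REQUEST = 5        # TLS extension number of status_request (RFC 6066)
STATUS_REQUEST_V2 = 17    # status_request_v2 (RFC 6961), rarely used


def read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def read_children(body):
    """Split the contents of a SEQUENCE/SET into its (tag, value) children."""
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        items.append((tag, value))
    return items


def decode_oid(contents):
    """Render OBJECT IDENTIFIER contents as dotted decimal (first arc 0, 1 or 2)."""
    arcs, n = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:                 # base-128, high bit set on all but the last byte
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def extensions(cert_der):
    """Yield (oid, critical, extnValue bytes) for every extension in the certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, tbs, _ = read_tlv(cert, 0)          # tbsCertificate is the first child
    for tag, value in read_children(tbs):
        if tag == 0xA3:                     # [3] EXPLICIT Extensions
            _, ext_list, _ = read_tlv(value, 0)
            for _, ext in read_children(ext_list):
                fields = read_children(ext)  # OID, optional BOOLEAN critical, OCTET STRING
                critical = len(fields) == 3 and fields[1][1] == b"\xff"
                yield decode_oid(fields[0][1]), critical, fields[-1][1]


def tls_features(cert_der):
    """List the TLS feature numbers in the extension, or None if it is absent."""
    for oid, _, value in extensions(cert_der):
        if oid == TLS_FEATURE_OID:
            tag, body, _ = read_tlv(value, 0)   # Features ::= SEQUENCE OF INTEGER
            if tag != 0x30:
                raise ValueError("TLS Feature value is not a SEQUENCE")
            return [int.from_bytes(v, "big") for t, v in read_children(body) if t == 0x02]
    return None


def has_must_staple(cert_der):
    """True when the certificate mandates OCSP stapling (feature 5 present)."""
    feats = tls_features(cert_der)
    return feats is not None and STATUS_REQUEST in feats


# --- constructed test fixture (not a real certificate) -----------------------

def der(tag, body):
    """Minimal DER TLV encoder, used only to build the fixture below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_cert(with_must_staple):
    """Constructed certificate skeleton: placeholder issuer/subject/key/signature
    plus a realistic extensions block. The TLS Feature value is the five bytes
    30 03 02 01 05 that openssl x509 -text prints as "0....".
    """
    oid_tls_feature = bytes.fromhex("2b06010505070118")   # 1.3.6.1.5.5.7.1.24
    oid_basic_constraints = bytes.fromhex("551d13")        # 2.5.29.19
    features = der(0x30, der(0x02, b"\x05"))               # SEQUENCE { INTEGER 5 }
    exts = der(0x30, der(0x06, oid_basic_constraints) + der(0x01, b"\xff") + der(0x04, der(0x30, b"")))
    if with_must_staple:
        exts += der(0x30, der(0x06, oid_tls_feature) + der(0x04, features))
    tbs = (der(0xA0, der(0x02, b"\x02"))        # [0] version v3
           + der(0x02, b"\x01")                 # serialNumber (placeholder)
           + der(0x30, b"") * 5                 # signature, issuer, validity, subject, SPKI (placeholders)
           + der(0xA3, der(0x30, exts)))        # [3] extensions
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))


if __name__ == "__main__":
    for flag in (True, False):
        print("must-staple fixture:", flag, "->", has_must_staple(sample_cert(flag)))
```

To run it against a real certificate, convert the PEM saved as foo.pem in the answer with openssl x509 -in foo.pem -outform DER -out foo.der (or strip the PEM armour and base64-decode it in Python) and pass the bytes to has_must_staple. The parser reads only the structure it needs and does not validate the signature or chain, so it answers the question "is Must-Staple asserted" rather than "is this certificate trustworthy".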