Cryptography series: use openssl to detect whether a website supports ocsp


Introduction

OCSP, the Online Certificate Status Protocol, was proposed to replace CRLs. Modern web servers generally support OCSP; it has become standard for them.

But not every web server supports OCSP stapling, and in real work we may need to know how well a specific website supports OCSP.

Websites that support OCSP stapling

How to judge whether a web site supports OCSP stapling?

The easiest way is to use a third-party website to check the website's certificate information. For example, on entrust.ssllabs.com, which we mentioned before, enter the website and look in the Protocol Details section, where you can find whether the website supports OCSP stapling, as shown below:

You can see that this website has OCSP stapling enabled. In fact, though, most websites in the world do not have OCSP stapling enabled.

So is there any other way besides looking at OCSP stapling on a third-party website?

In fact we can easily do this with the openssl tool. The premise, of course, is that the website supports https.

Next, we will explain in detail the whole process from obtaining the server's certificate to verifying whether the server supports OCSP stapling.

The website to be verified in this article is Microsoft's official website www.squarespace.com, which is a website that supports OCSP stapling.

Get the server's certificate

To verify whether the server supports OCSP, we first need to obtain the server's certificate, which can be done with the openssl s_client -connect command provided by openssl (stdin is redirected from /dev/null so that s_client closes the connection after the handshake instead of waiting for input):

 openssl s_client -connect www.squarespace.com:443 </dev/null

This command prints everything involved in setting up the connection, including the certificate of the website being accessed.

Because we only need the website's certificate, we keep only the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

The final command is as follows:

  openssl s_client -connect www.squarespace.com:443 </dev/null | sed -n '/-----BEGIN/,/-----END/p' > ca.pem

Here the sed -n command cuts from the output the block that starts with -----BEGIN and ends with -----END.

This gives us the website's certificate.

Besides the website's own certificate, that certificate is itself signed by other certificates, called intermediate certificates, so we need to obtain the whole certificate chain.

Using openssl s_client -showcerts, also provided by openssl, we can get the whole certificate chain:

openssl s_client -showcerts  -connect www.squarespace.com:443 </dev/null | sed -n '/-----BEGIN/,/-----END/p' > chain.pem

If you open chain.pem you will find two certificates in it: the first is the server's own certificate, and the second is the intermediate certificate used to sign the server certificate.

Get the OCSP responder address

If the certificate contains the address of an OCSP responder, it can be read with the following command:

openssl x509 -noout -ocsp_uri -in ca.pem

This tells us that the website's OCSP responder address is: http://ocsp.digicert.com

There is another way to get the OCSP responder address:

openssl x509 -text -noout -in ca.pem

This command prints all the information in the certificate, where we can see the following:

Authority Information Access:
    OCSP - URI:http://ocsp.digicert.com
    CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt

The OCSP - URI entry is the address of the OCSP responder.

Send the OCSP request

With the OCSP responder's address we can perform the OCSP check. This command needs both the server's certificate and the intermediate certificate.

The request command is as follows:

openssl ocsp -issuer chain.pem -cert ca.pem -text -url http://ocsp.digicert.com

The output has two parts. The first is OCSP Request Data, the OCSP request itself:

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 521EE36C478119A9CB03FAB74E57E1197AF1818B
          Issuer Key Hash: 09262CA9DCFF639140E75867E2083F74F6EAF165
          Serial Number: 120014F1EC2395D56FDCC4DCB700000014F1EC
    Request Extensions:
        OCSP Nonce:
            04102873CFC7831AB971F3FDFBFCF3953EC5

From the request data we can see the detailed structure of the OCSP request, including the issuer information and the OCSP nonce.

The second part is the response data returned by the responder:

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: B76BA2EAA8AA848C79EAB4DA0F98B2C59576B9F4
    Produced At: Apr 30 04:36:26 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: E4E395A229D3D4C1C31FF0980C0B4EC0098AABD8
      Issuer Key Hash: B76BA2EAA8AA848C79EAB4DA0F98B2C59576B9F4
      Serial Number: 0F21C13200AE502D52BBE8DFEAB0F807
    Cert Status: good
    This Update: Apr 30 04:21:01 2022 GMT
    Next Update: May  7 03:36:01 2022 GMT

In the result above, Cert Status: good means the OCSP request succeeded: this website supports the OCSP protocol.

The next two lines are the time of the last OCSP update and of the next update:

    This Update: Apr 30 04:21:01 2022 GMT
    Next Update: May  7 03:36:01 2022 GMT

which shows that this website also supports OCSP stapling.

In addition, when requesting the OCSP URL of some websites you may get the following error:

Error querying OCSP responder
4346349100:error:27FFF072:OCSP routines:CRYPTO_internal:server response error:/AppleInternal/Library/BuildRoots/66382bca-8bca-11ec-aade-6613bcf0e2ee/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/crypto/ocsp/ocsp_ht.c:251:Code=400,Reason=Bad Request

Why does this happen?

This is because the OCSP responder ocsp.msocsp.com does not accept the HTTP/1.0 request that openssl ocsp sends by default, and an HTTP/1.0 request carries no Host header by default. So we need to add the Host request header and run the command again.

An easier way

Above we actually split the check into steps and ran them one by one. openssl can also do the whole task in one step:

openssl s_client -tlsextdebug -status -connect www.squarespace.com:443 </dev/null

From the output, we can see the following data:

OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: B76BA2EAA8AA848C79EAB4DA0F98B2C59576B9F4
    Produced At: Apr 27 04:36:26 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: E4E395A229D3D4C1C31FF0980C0B4EC0098AABD8
      Issuer Key Hash: B76BA2EAA8AA848C79EAB4DA0F98B2C59576B9F4
      Serial Number: 0F21C13200AE502D52BBE8DFEAB0F807
    Cert Status: good
    This Update: Apr 27 04:21:02 2022 GMT
    Next Update: May  4 03:36:02 2022 GMT

The command above outputs the OCSP response directly. From the result we can clearly see whether the website supports OCSP and OCSP stapling.
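Here are the step-by-step procedure above (fetch the chain, split off the leaf and its issuer, read the OCSP URI, query the responder with a Host header) and the one-step s_client -status check wrapped into POSIX shell functions, as an added example that is not part of the original post. It assumes openssl 1.1 or later (for the -header name=value syntax), sed and awk on PATH; the two live functions need network access, while ocsp_status is exercised on a constructed sample with the shape of the stapled response shown above.

```shell
# Added example, not from the original post. Assumes openssl >= 1.1
# (for `-header name=value`), sed and awk on PATH.

# Split the chain from `openssl s_client -showcerts` into the leaf
# (first certificate) and its issuer (second certificate): `openssl ocsp
# -issuer` reads only the first certificate in the file it is given.
split_chain() {  # usage: split_chain chain.pem leaf.pem issuer.pem
    awk -v leaf="$2" -v issuer="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf }
        n == 2 { print > issuer }' "$1"
}

# Reduce `openssl ocsp` / `openssl s_client -status` output (on stdin)
# to one word: good, revoked, unknown, or none when no response is present.
ocsp_status() {
    awk '
        /OCSP response: no response sent/ { print "none"; found = 1; exit }
        /^ *Cert Status:/                 { print $3;     found = 1; exit }
        END { if (!found) print "none" }'
}

# Step-by-step check against a live host (needs network): fetch the chain,
# read the OCSP URI from the leaf, and query the responder with a Host
# header so responders that reject bare HTTP/1.0 requests still answer.
ocsp_check() {  # usage: ocsp_check www.example.com
    host=$1; dir=$(mktemp -d)
    openssl s_client -showcerts -connect "$host:443" -servername "$host" \
        </dev/null 2>/dev/null | sed -n '/-----BEGIN/,/-----END/p' > "$dir/chain.pem"
    split_chain "$dir/chain.pem" "$dir/leaf.pem" "$dir/issuer.pem"
    uri=$(openssl x509 -noout -ocsp_uri -in "$dir/leaf.pem" | head -n 1)
    ocsp_host=${uri#*://}; ocsp_host=${ocsp_host%%/*}
    openssl ocsp -issuer "$dir/issuer.pem" -cert "$dir/leaf.pem" -url "$uri" \
        -header "Host=$ocsp_host" -resp_text 2>/dev/null | ocsp_status
    rm -rf "$dir"
}

# One-step check (needs network): ask for a stapled response in the TLS
# handshake; "none" here means the server does not staple.
stapling_check() {  # usage: stapling_check www.example.com
    openssl s_client -status -connect "$1:443" -servername "$1" \
        </dev/null 2>/dev/null | ocsp_status
}

# Constructed sample in the shape of the stapled response shown above.
SAMPLE_STAPLED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
```

Run it as `. ./ocsp.sh; stapling_check www.squarespace.com` (or `ocsp_check`); `printf '%s\n' "$SAMPLE_STAPLED" | ocsp_status` prints good without any network access.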

Summary

Although most websites do not support OCSP stapling, we can effectively check using the commands above.

For more information, please refer to  www.flydean.com/44-openssl-…

Origin juejin.im/post/7103895982407942152