{"id":1653,"date":"2021-07-16T04:14:39","date_gmt":"2021-07-16T04:14:39","guid":{"rendered":"https:\/\/www.ipcpu.com\/?p=1653"},"modified":"2022-07-31T04:15:08","modified_gmt":"2022-07-31T04:15:08","slug":"openssl-https-ocsp","status":"publish","type":"post","link":"https:\/\/c.ipcpu.com\/2021\/07\/openssl-https-ocsp\/","title":{"rendered":"\u4f7f\u7528openssl\u547d\u4ee4\u6821\u9a8chttps\u8bc1\u4e66\u7684OCSP"},"content":{"rendered":"<div id=\"MathJax_Message\" style=\"display: none;\"><\/div>\n<p><div class=\"wiz_toc_layer\"><a class=\"wiz_toc h1\" href=\"#wiz-toc-0-1940305594\">\u4e00\u3001\u51c6\u5907\u8bc1\u4e66<\/a><br \/><a class=\"wiz_toc h1\" href=\"#wiz-toc-1-1993027133\">\u4e8c\u3001\u83b7\u53d6\u8bc1\u4e66\u7684OCSP\u670d\u52a1\u5668<\/a><br \/><a class=\"wiz_toc h1\" href=\"#wiz-toc-2-544540363\">\u4e09\u3001\u6821\u9a8cOCSP<\/a><br \/><a class=\"wiz_toc h1\" href=\"#wiz-toc-3-1722751331\">\u53c2\u8003\u8d44\u6599<\/a><\/div>\n<p><a href=\"#wizToc\" style=\"display: none;\">toc<\/a><\/p>\n<h2 id=\"wiz-toc-0-1940305594\">\u4e00\u3001\u51c6\u5907\u8bc1\u4e66<\/h2>\n<p>\u6ce8\u610f\uff0c\u5982\u679c\u670d\u52a1\u5668\u4e0a\u5f00\u542f\u4e86SNI\uff0c\u62e5\u6709\u591a\u4e2assl\u8bc1\u4e66\uff0c \u8fd8\u9700\u8981\u6307\u5b9a -servername<\/p>\n<div>\n<pre><code># Get server cert\nopenssl s_client -connect sqimg.qq.com:443 -servername sqimg.qq.com  &lt; \/dev\/null 2&gt;&amp;1 | sed -n '\/-----BEGIN\/,\/-----END\/p' &gt; certificate.pem\n# Get intermediate cert\nopenssl s_client -connect sqimg.qq.com:443 -servername sqimg.qq.com  &lt; \/dev\/null 2&gt;&amp;1 | sed -n '\/-----BEGIN\/,\/-----END\/p' | awk 'BEGIN { n=0 } { if ($0==\"-----BEGIN CERTIFICATE-----\") { n+=1 } if (n&gt;=2) { print $0 } }' &gt; chain.pem<\/code><\/pre>\n<\/div>\n<h2 id=\"wiz-toc-1-1993027133\">\u4e8c\u3001\u83b7\u53d6\u8bc1\u4e66\u7684OCSP\u670d\u52a1\u5668<\/h2>\n<div>\n<pre><code># Get the OCSP responder for server cert\nopenssl x509 -noout -ocsp_uri -in certificate.pem\n# http:\/\/ocsp.int-x3.letsencrypt.org\n\n# \u6216\u8005\n# openssl x509 -in certificate.crt -noout -text | grep OCSP<\/code><\/pre>\n<\/div>\n<h2 id=\"wiz-toc-2-544540363\">\u4e09\u3001\u6821\u9a8cOCSP<\/h2>\n<div>\n<pre><code>openssl ocsp -issuer chain.pem -cert certificate.pem \\\n        -verify_other chain.pem \\\n        -header \"Host\" \"ocsp.int-x3.letsencrypt.org\" -text \\\n        -url http:\/\/ocsp.int-x3.letsencrypt.org<\/code><\/pre>\n<\/div>\n<p>\u5982\u679c\u6210\u529f\uff0c\u6700\u540e\u4f1a\u663e\u793a<\/p>\n<div>\n<pre><code>Response verify OK\ncertificate.pem: good\n        This Update: Mar 24 00:00:00 2021 GMT\n        Next Update: Mar 30 23:59:58 2021 GMT<\/code><\/pre>\n<\/div>\n<h2 id=\"wiz-toc-3-1722751331\">\u53c2\u8003\u8d44\u6599<\/h2>\n<p><a href=\"http:\/\/cooolin.com\/scinet\/2020\/07\/16\/ocsp-stapling-nginx.html\">http:\/\/cooolin.com\/scinet\/2020\/07\/16\/ocsp-stapling-nginx.html<\/a><\/p>\n<p>\u8f6c\u8f7d\u8bf7\u6ce8\u660e\uff1a<a href=\"https:\/\/c.ipcpu.com\">IPCPU-\u7f51\u7edc\u4e4b\u8def<\/a> &raquo; <a href=\"https:\/\/c.ipcpu.com\/2021\/07\/openssl-https-ocsp\/\">\u4f7f\u7528openssl\u547d\u4ee4\u6821\u9a8chttps\u8bc1\u4e66\u7684OCSP<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>\u4e00\u3001\u51c6\u5907\u8bc1\u4e66\u4e8c\u3001\u83b7\u53d6\u8bc1\u4e66\u7684OCSP\u670d\u52a1\u5668\u4e09\u3001\u6821\u9a8cOCSP\u53c2\u8003\u8d44\u6599 toc \u4e00\u3001\u51c6\u5907\u8bc1\u4e66 \u6ce8\u610f\uff0c\u5982\u679c\u670d\u52a1\u5668\u4e0a\u5f00\u542f\u4e86SNI\uff0c\u62e5\u6709\u591a\u4e2assl\u8bc1\u4e66\uff0c \u8fd8\u9700\u8981\u6307\u5b9a -servername # Get server cert openssl s_client -connect sqimg.qq.com:443 -servername sqimg.qq.com &lt; \/dev\/null 2&gt;&amp;1 | sed -n &#8216;\/&#8212;&#8211;BEGIN\/,\/&#8212;&#8211;END\/p&#8217; &gt; certificate.pem # Get intermediate cert openssl s_client -connect sqimg.qq.com:443 -servername sqimg.qq.com &lt; \/dev\/null 2&gt;&amp;1 | sed -n &#8216;\/&#8212;&#8211;BEGIN\/,\/&#8212;&#8211;END\/p&#8217; | awk &#8216;BEGIN { n=0 } { if ($0==&#8221;&#8212;&#8211;BEGIN CERTIFICATE&#8212;&#8211;&#8220;) { n+=1 } [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[28],"_links":{"self":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts\/1653"}],"collection":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/comments?post=1653"}],"version-history":[{"count":1,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts\/1653\/revisions"}],"predecessor-version":[{"id":1654,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts\/1653\/revisions\/1654"}],"wp:attachment":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/media?parent=1653"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/categories?post=1653"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/tags?post=1653"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}