Obtaining a certificate using OpenSSL.Net

I would like to use the OpenSSL.Net wrapper to get a certificate from a remote server into my C# code. Essentially, I would like to replicate

openssl s_client -connect 192.168.254.13:636 -showcerts 

... and finally bring the results into an X509 certificate. Is this possible, and if so, can someone point me in the right direction?

+7
4 answers

I think there are two parts to the question:

  • How to get a server certificate
  • How to get a certificate chain

To obtain a server certificate, you use OpenSSL.NET's SslStream, whose methods are similar to those of the .NET SslStream:

    using System.Net.Sockets;
    using OpenSSL.SSL;

    var serverName = "...";
    var client = new TcpClient(serverName, 443);

    // Create an SSL stream that will close the client stream when disposed.
    using (var sslStream = new SslStream(client.GetStream(), true))
    {
        sslStream.AuthenticateAsClient(serverName);

        // The OpenSSL.NET X509Certificate presented by the server.
        var serverCertificate = sslStream.RemoteCertificate;
    }

It seems that OpenSSL.Net cannot get the certificate chain. The -showcerts parameter uses the SSL_get_peer_cert_chain function, which is not implemented in OpenSSL.NET.

If you don't mind mixing OpenSSL.Net and the built-in .NET classes, you can convert the OpenSSL.Net certificate to a .NET certificate and retrieve the chain using the .NET X509Chain.Build method. You can convert .NET certificates back to OpenSSL.NET certificates using the .NET certificate's RawData property.

    using OpenSSL.Core;

    // Wrap the DER bytes of the OpenSSL.NET certificate in a .NET certificate.
    var managedCert = new System.Security.Cryptography.X509Certificates.X509Certificate2(serverCertificate.DER);

    // Let .NET build the chain from its own certificate stores.
    var chain = new System.Security.Cryptography.X509Certificates.X509Chain();
    chain.Build(managedCert);

    foreach (var element in chain.ChainElements)
    {
        // Convert each chain element back into an OpenSSL.NET certificate.
        var raw = element.Certificate.RawData;
        using (var bio = new BIO(raw))
        {
            var oc = OpenSSL.X509.X509Certificate.FromDER(bio);
        }
    }

Perhaps you can use the .NET SslStream and X509Certificate2 objects to do what you want using the raw certificate data without using OpenSSL.Net.

+6
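Along the lines of the last suggestion above, here is an added example (not part of the original answers) that replicates `openssl s_client -connect host:port -showcerts` with the built-in .NET classes only. It captures the chain inside the certificate validation callback and prints each element as PEM; the host name and port are placeholders.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

// Added example: dump the server's certificate chain like "s_client -showcerts".
static class ShowCerts
{
    // Chain elements captured during the handshake.
    static readonly X509Certificate2Collection Presented = new X509Certificate2Collection();
    static SslPolicyErrors LastErrors;

    static bool Capture(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        Presented.Clear();
        // .NET builds this chain from what the server sent plus local stores,
        // so it may include a root the server itself did not transmit.
        foreach (X509ChainElement e in chain.ChainElements)
            Presented.Add(e.Certificate);
        LastErrors = errors;
        // Returning true only lets the handshake finish for inspection;
        // the recorded errors say whether the chain actually validated.
        return true;
    }

    // DER -> PEM; 76-column lines are accepted by OpenSSL's PEM reader.
    static string ToPem(X509Certificate2 cert)
    {
        string b64 = Convert.ToBase64String(cert.Export(X509ContentType.Cert),
                                            Base64FormattingOptions.InsertLineBreaks);
        return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----";
    }

    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "ldap.example.com"; // placeholder
        int port = args.Length > 1 ? int.Parse(args[1]) : 636;          // placeholder

        using (var client = new TcpClient(host, port))
        using (var ssl = new SslStream(client.GetStream(), false, Capture))
        {
            ssl.AuthenticateAsClient(host);
        }

        Console.WriteLine("Validation result: " + LastErrors);
        for (int i = 0; i < Presented.Count; i++)
        {
            Console.WriteLine("{0} s:{1}", i, Presented[i].Subject);
            Console.WriteLine("  i:{0}", Presented[i].Issuer);
            Console.WriteLine(ToPem(Presented[i]));
        }
    }
}
```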

Try using ServicePointManager.ServerCertificateValidationCallback. This will be called with the server's X509 certificate, et voila.

http://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.servercertificatevalidationcallback.aspx

+2

To create the same functionality as s_client, you should probably take a look at the s_client code.

You can find s_client inside the openssl-XYZ.tar.gz file, at apps/s_client.c.

PEM_write_bio_X509 probably does the "print" of X509Certificate:

    /* fragment from apps/s_client.c, inside the loop over the peer chain */
    if (c_showcerts)
        PEM_write_bio_X509(bio, sk_X509_value(sk, i));
    }

But there is a connecting part ...

ftp://ftp.openssl.org/source/openssl-1.0.1.tar.gz

+2

To obtain a CRL, first check the certificate and its issuing certificate for the cRLDistributionPoints extension, which contains a GeneralName URI. This extension is defined in RFC 3280, and it is the way in which CAs associate a CRL location with the certificate used to issue another certificate. Unfortunately, this extension is defined as optional, and most root CAs do not use it.

+1
