1. Use the ssl library that comes with python to obtain the Common Name of the certificate
Because the built-in ssl library is relatively weak, if you specify a ca certificate, the corresponding certificate data is usually returned blank, so you need to prepare the ca certificate first, you can use http://curl.haxx.se/docs/caextract.htmlon
Cacert. pem
Use the following script to obtain CommanName
import socketimport sslip='65.55.85.12's = socket.socket()s.settimeout(10)c = ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED, ca_certs='cacert.pem')c.settimeout(10)print( "try connect to %s" % (ip))c.connect((ip, 443))cert = c.getpeercert()print cert
If the connection is normal, the result should be similar to the following result.
try connect to 65.55.85.12{'notAfter': 'May 22 23:59:59 2015 GMT', 'subjectAltName': (('DNS', 'mail.live.com'), ('DNS', 'm.mail.live.com'), ('DNS', 'contacts.live.com'), ('DNS', 'hotmail.co.jp'), ('DNS', 'hotmail.co.uk'), ('DNS', 'hotmail.com'), ('DNS', 'hotmail.live.com'), ('DNS', 'hotmail.msn.com'), ('DNS', 'people.live.com'), ('DNS', 'www.hotmail.com'), ('DNS', 'www.hotmail.msn.com'), ('DNS', 'www.mail.live.com'), ('DNS', 'home.live.com'), ('DNS', 'www.live.com'), ('DNS', 'dvt.mail.live.com'), ('DNS', 'snt002.afx.ms'), ('DNS', 'snt002.mail.live.com'), ('DNS', 'snt110.afx.ms'), ('DNS', 'snt110.mail.live.com'), ('DNS', 'snt111.afx.ms'), ('DNS', 'snt111.mail.live.com'), ('DNS', 'snt112.afx.ms'), ('DNS', 'snt112.mail.live.com'), ('DNS', 'snt113.afx.ms'), ('DNS', 'snt113.mail.live.com'), ('DNS', 'snt114.afx.ms'), ('DNS', 'snt114.mail.live.com'), ('DNS', 'snt115.afx.ms'), ('DNS', 'snt115.mail.live.com'), ('DNS', 'snt116.afx.ms'), ('DNS', 'snt116.mail.live.com'), ('DNS', 'snt117.afx.ms'), ('DNS', 'snt117.mail.live.com'), ('DNS', 'snt118.afx.ms'), ('DNS', 'snt118.mail.live.com'), ('DNS', 'snt120.afx.ms'), ('DNS', 'snt120.mail.live.com'), ('DNS', 'snt121.afx.ms'), ('DNS', 'snt121.mail.live.com'), ('DNS', 'snt122.afx.ms'), ('DNS', 'snt122.mail.live.com'), ('DNS', 'snt123.afx.ms'), ('DNS', 'snt123.mail.live.com'), ('DNS', 'snt124.afx.ms'), ('DNS', 'snt124.mail.live.com'), ('DNS', 'snt125.afx.ms'), ('DNS', 'snt125.mail.live.com'), ('DNS', 'snt126.afx.ms'), ('DNS', 'snt126.mail.live.com'), ('DNS', 'snt127.afx.ms'), ('DNS', 'snt127.mail.live.com'), ('DNS', 'snt128.afx.ms'), ('DNS', 'snt128.mail.live.com'), ('DNS', 'snt129.afx.ms'), ('DNS', 'snt129.mail.live.com'), ('DNS', 'snt130.afx.ms'), ('DNS', 'snt130.mail.live.com'), ('DNS', 'snt131.afx.ms'), ('DNS', 'snt131.mail.live.com'), ('DNS', 'snt132.afx.ms'), ('DNS', 'snt132.mail.live.com'), ('DNS', 'snt133.afx.ms'), ('DNS', 'snt133.mail.live.com'), ('DNS', 'snt134.afx.ms'), ('DNS', 'snt134.mail.live.com'), ('DNS', 'snt135.afx.ms'), ('DNS', 'snt135.mail.live.com'), ('DNS', 'snt136.afx.ms'), ('DNS', 'snt136.mail.live.com'), ('DNS', 'snt137.afx.ms'), ('DNS', 'snt137.mail.live.com'), ('DNS', 'snt138.afx.ms'), ('DNS', 'snt138.mail.live.com'), ('DNS', 'snt139.afx.ms'), ('DNS', 'snt139.mail.live.com'), ('DNS', 'snt140.afx.ms'), ('DNS', 'snt140.mail.live.com'), ('DNS', 'snt141.afx.ms'), ('DNS', 'snt141.mail.live.com'), ('DNS', 'snt142.afx.ms'), ('DNS', 'snt142.mail.live.com'), ('DNS', 'snt143.afx.ms'), ('DNS', 'snt143.mail.live.com'), ('DNS', 'snt144.afx.ms'), ('DNS', 'snt144.mail.live.com'), ('DNS', 'snt145.afx.ms'), ('DNS', 'snt145.mail.live.com'), ('DNS', 'snt146.afx.ms'), ('DNS', 'snt146.mail.live.com'), ('DNS', 'snt147.afx.ms'), ('DNS', 'snt147.mail.live.com'), ('DNS', 'snt148.afx.ms'), ('DNS', 'snt148.mail.live.com')), 'subject': ((('1.3.6.1.4.1.311.60.2.1.3', u'US'),), (('1.3.6.1.4.1.311.60.2.1.2', u'Washington'),), (('businessCategory', u'Private Organization'),), (('serialNumber', u'600413485'),), (('countryName', u'US'),), (('postalCode', u'98052'),), (('stateOrProvinceName', u'Washington'),), (('localityName', u'Redmond'),), (('streetAddress', u'1 Microsoft Way'),), (('organizationName', u'Microsoft Corporation'),), (('organizationalUnitName', u'Outlook Kahuna SNT-DC A May2013'),), (('commonName', u'mail.live.com'),))}
The commonName in the subject is the result to be obtained.
2. Use the pyOpenSSL library to obtain the Common Name of the certificate.
The ssl library that comes with python gets too little content and can be obtained using a third-party pyOpenSSL library. This library encapsulates openssl, So it provides more operations and richer content.
Installing pyOpenSSL in ubuntu is relatively simple. It is not described here. It is troublesome to install python ssl in windows. Because the python ssl library that comes with it already meets my needs, after trying to install pyOpenSSL fails, and the following results are executed from ubuntu.
python openssl2.py 65.55.85.12 try to handshake issuer:
subject: [('UNDEF', 'US'), ('UNDEF', 'Washington'), ('businessCategory', 'Private Organization'), ('serialNumber', '600413485'), ('C', 'US'), ('postalCode', '98052'), ('ST', 'Washington'), ('L', 'Redmond'), ('street', '1 Microsoft Way'), ('O', 'Microsoft Corporation'), ('OU', 'Outlook Kahuna SNT-DC A May2013'), ('CN', 'mail.live.com')]
CN in subject is the content to be obtained.
The script content is as follows:
from socket import socket from OpenSSL.SSL import Connection, Context, SSLv3_METHOD,TLSv1_METHOD,WantReadErrorsslcontext = Context(SSLv3_METHOD)sslcontext.set_timeout(30)ip='65.55.85.12's = socket()s.connect((ip, 443))c = Connection(sslcontext, s)c.set_connect_state()print "%s try to handshake " % ( ip )c.do_handshake()cert = c.get_peer_certificate()print "issuer: ",cert.get_issuer()print "subject: ",cert.get_subject().get_components()c.shutdown()s.close()
3. Use the s_client command of openssl to obtain
openssl s_client -connect 65.55.85.12:443subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna SNT-DC A May2013/CN=mail.live.comissuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
S_client other usage can look at: http://blog.csdn.net/tzdjzs/article/details/28113893
4. Comparison
In terms of simplicity, openssl is the easiest tool to use, but it is troublesome to verify a group of IP ranges.
The ssl library provided by python is relatively simple to obtain and requires a ca certificate. Because it is self-built, it can be used in Windows and linux.
The pyOpenSSL library has powerful functions. You can obtain the server certificate information without verifying the server certificate. However, it is a headache if you try it in the window.
Recently, I have been crazy about searching materials on the Internet. I wrote this script when I was bored.