从 HTTP 重定向到 HTTPS 后 curl 无法验证自签名证书

Question

我在使用自签名 SSL 证书和 curl 时遇到问题。

服务器是 lighttpd。 HTTPS 工作正常：

$ curl https://192.168.144.1/zxc -k
HELLO

但是从 HTTP 重定向失败：

curl http://192.168.144.1:81/zxc -kvL
*   Trying 192.168.144.1...
* TCP_NODELAY set
* Connected to 192.168.144.1 (192.168.144.1) port 81 (#0)
> GET /zxc HTTP/1.1
> Host: 192.168.144.1:81
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://192.168.144.1:81/zxc
< Content-Length: 0
< Date: Sat, 30 May 2020 06:59:57 GMT
< Server: lighttpd/1.4.48
<
* Connection #0 to host 192.168.144.1 left intact
* Issue another request to this URL: 'https://192.168.144.1:81/zxc'
* Hostname 192.168.144.1 was found in DNS cache
*   Trying 192.168.144.1...
* TCP_NODELAY set
* Connected to 192.168.144.1 (192.168.144.1) port 81 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):

........... HERE IT STACKS FOR A MINUTE ....................

* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.144.1:81
* stopped the pause stream!
* Closing connection 1
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.144.1:81

我在这里找到了一个可能的解决方案https://stackoverflow.com/a/44494250/3743145：CURLOPT_SSL_VERIFYPEER=false。如何将其传递给 CURL CLI？

Answer 1

> * LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.144.1:81

错误是SSL_ERROR_SYSCALL，这与证书验证无关。事实上，仔细观察您所做的事情表明您正在从端口 81 上的普通 HTTP 重定向到 同一端口上的 HTTPS。

curl http://192.168.144.1:81/zxc -kvL
...
< HTTP/1.1 301 Moved Permanently
< Location: https://192.168.144.1:81/zxc

这与您之前在标准端口 (443) 上使用 HTTPS 的测试非常不同。您的 HTTP 服务器很可能不在同一个端口 81 上使用 HTTP 和 HTTPS - 大多数服务器甚至不支持这种配置。

Answer 2

我遇到了类似的问题，并通过确保我的证书中的私钥格式正确来解决问题。 https://sysadminupdates.com/blog/2021/06/22/ssl-error-libressl-ssl_connect-ssl_error_syscall/