【发布时间】:2014-07-25 14:16:59
【问题描述】:
我在 Windows 上尝试通过 SSL 使用 cURL,但遇到了我绝对无法弄清楚的证书问题。
例如,这是我尝试运行的示例。
$ curl "https://google.com" --ntlm -v --negotiate -u USERNAME:PASSWORD --proxy "PROXY" --cert "c:\temp\curl-ca-bundle.crt"
* Adding handle: conn: 0x147ce88
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x147ce88) send_pipe: 1, recv_pipe: 0
* About to connect() to proxy PROXY port 8080 (#0)
* Trying 192.168.134.80...
* Connected to PROXY (PROXY_IP) port 8080 (#0)
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/7.30.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* unable to use client certificate (no key found or wrong pass phrase?)
* Closing connection 0
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)
尝试使用 --cacert 而不是 --cert 会产生以下消息 -
* Adding handle: conn: 0x130cdf8
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x130cdf8) send_pipe: 1, recv_pipe: 0
* About to connect() to proxy PROXY port 8080 (#0)
* Trying 192.168.135.80...
* Connected to PROXY (PROXY_IP) port 8080 (#0)
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/7.30.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
* CAfile: c:\temp\curl-ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the
-k (or --insecure) option.
我拥有的curl-ca-bundle.crt 来自here,这是几分钟前更新的。我确保该文件没有被 Windows 阻止。
对于它的价值,我在公司代理和防火墙后面。我已经阅读了有关此问题的所有内容,但不知道下一步该做什么。我确实意识到我可以忽略 SSL,但我想不惜一切代价避免这种情况。
【问题讨论】:
-
如果您从浏览器连接并检查服务器证书。它与您从另一个连接(来自另一个网络)获得的结果相同吗?
-
Google 有自己的 CA。下载 Google Internet Authority G2 并将其用作 CA(您需要将其从 ASN.1/DER 转换为 PEM)。没有必要相信 CA 动物园。如果 Steffen 是正确的,那么您可以使用
openssl s_client -connect google.com:443 -CAfile google-ca.pem验证证书是伪造的。 如果s_client没有以Verify 0 (OK)结束,那么你正在受到攻击。 -
@Bruno:我认为你在做某事。从 Chrome 检查有效的 SSL 证书表明它是从我们的代理服务器之一颁发的。
-
@user3238014 虽然没有直接关系,但可能与this的原因大致相同。
-
@jww:不幸的是,我在 Windows 机器上运行
openssl要么崩溃,要么给我一个文件 errno:9。这两个我目前都无法修复。