访问SSL时,cURL无法使用curl-ca-bundle.crt

时间:2014-07-25 14:17:00

标签: windows curl ssl

我在Windows上尝试使用SSL来使用cURL,但遇到了我绝对无法理解的证书问题。

例如,以下是我正在尝试运行的示例。

$ curl "https://google.com" --ntlm -v --negotiate -u USERNAME:PASSWORD --proxy "PROXY" --cert "c:\temp\curl-ca-bundle.crt"
* Adding handle: conn: 0x147ce88
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x147ce88) send_pipe: 1, recv_pipe: 0
* About to connect() to proxy PROXY port 8080 (#0)
*   Trying 192.168.134.80...
* Connected to PROXY (PROXY_IP) port 8080 (#0)
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/7.30.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* unable to use client certificate (no key found or wrong pass phrase?)
* Closing connection 0
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)

尝试使用--cacert代替--cert会产生以下消息 -

* Adding handle: conn: 0x130cdf8
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x130cdf8) send_pipe: 1, recv_pipe: 0
* About to connect() to proxy PROXY port 8080 (#0)
*   Trying 192.168.135.80...
* Connected to PROXY (PROXY_IP) port 8080 (#0)
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/7.30.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: c:\temp\curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the
-k (or --insecure) option.

curl-ca-bundle.crt来自here,几分钟前更新了。我确保Windows不会阻止该文件。

对于它的价值,我是企业代理和防火墙的幕后推手。我已经阅读了有关此问题的所有内容,并且不知道下一步该怎么做。我确实意识到我可以忽略SSL,但是不惜一切代价避免这种情况。

1 个答案:

答案 0 :(得分:2)

  

对于它的价值,我是企业代理和防火墙的幕后推手。我已经阅读了有关此问题的所有内容,并且不知道下一步该怎么做。我确实意识到我可以忽略SSL,但是不惜一切代价避免这种情况。

我建议防火墙进行SSL拦截,即它可以作为中间人使用。要检查加密连接,它会将其拆分为两个加密连接,但当然它无法使用原始证书对浏览器和代理之间的连接进行签名。因此,它将创建一个新证书,由特定于防火墙的CA签名。您需要将此CA添加到CA捆绑包中,否则验证将失败。

有关详细信息,您可能尝试使用Web浏览器访问目标站点,并检查签署服务器证书的CA或询问系统管理员以获取SSL拦截的详细信息。