Poco + OpenSSL + CA PEM:"不可接受的证书" 2个相同网站中的1个错误

时间:2016-09-14 13:01:44

标签: c++ ssl openssl pki poco-libraries

我正在尝试与www1.filemail.com进行SSL握手。我正在使用cURL' cacert.pem,但我收到了这个错误:

Unacceptable certificate from 188.138.81.30: application verification failure

与任何其他HTTPS网站进行握手有效 - 包括www2.filemail.comwww1www2应该配置相同 - 并且它们在所有浏览器中都能正常运行。他们也在这里测试很好(两个站点都发送了相同的证书和中间证书):

为什么我使用OpenSSL和www1文件使cacert.pem出现此问题?

www1和www2的证书设置必须有所不同。我已经使用无数工具(openssl,ssllabs等)进行测试,试图找出差异 - 但我总是获得两个站点完全相同的结果(运行我的代码时除外)

我在这里缺少什么?这些网站之间有什么区别?

(应该注意的是,我们使用的是RapidSSL提供的相对便宜的通配符证书 - 所以我猜测它与中间证书或跨根证书有关 - 但是在测试时似乎一切都井然有序使用上面提到的工具。)

代码:

Poco::SharedPtr<Poco::Net::InvalidCertificateHandler> pCert = new Poco::Net::ConsoleCertificateHandler(false);
Poco::Net::Context::Ptr pContext = new Poco::Net::Context(Poco::Net::Context::CLIENT_USE, "", "", "C:\\cacert.pem", Poco::Net::Context::VERIFY_RELAXED, 9, false, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
Poco::Net::SSLManager::instance().initializeClient(0, pCert, pContext);

URI uri("https://www1.filemail.com");
Poco::Net::SecureStreamSocket ss(Poco::Net::SocketAddress(uri.getHost().c_str(), uri.getPort()));
ss.completeHandshake();

2 个答案:

答案 0 :(得分:4)

  

www1和www2应该配置相同 - 它们在所有浏览器中都能正常工作......

以下是证书。 diff表明它们是相同的终端实体(服务器)证书:

$ diff www1.txt www2.txt 
$

每个服务器都可以发送不同的链。将openssl s_clientopenssl x509-showcerts一起使用即可获得链接。

<强> WWW1

$ openssl s_client -connect www1.filemail.com:443 -tls1 -servername www1.filemail.com | openssl x509 -text -noout > www1.txt
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify error:num=20:unable to get local issuer certificate
^C
riemann:~$ cat www1.txt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15955 (0x3e53)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
        Validity
            Not Before: Oct 14 20:14:57 2014 GMT
            Not After : Aug  4 13:09:28 2018 GMT
        Subject: OU = GT83551982, OU = See www.rapidssl.com/resources/cps (c)14, OU = Domain Control Validated - RapidSSL(R), CN = *.filemail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:38:89:72:40:74:77:e2:76:f0:20:ae:d9:91:
                    26:ac:42:85:03:86:ff:2f:a1:94:b7:f3:86:4c:f7:
                    ce:63:46:47:e6:03:73:95:01:07:0b:e0:60:9a:93:
                    c3:b4:14:bc:4e:16:f2:50:12:89:11:42:f5:58:51:
                    74:15:81:d0:ce:6e:e2:85:e8:d2:3a:38:48:a3:02:
                    80:e0:a1:fa:ea:8f:ca:ee:bc:00:b3:b2:64:7f:9c:
                    da:ca:e8:3f:a7:48:af:5c:ed:8e:2f:27:95:19:52:
                    85:d1:15:9b:f5:4d:b7:21:44:89:05:6f:06:92:7b:
                    ab:9e:10:63:be:7e:ce:3b:58:10:68:ae:7a:52:6e:
                    e5:62:bf:ff:56:33:06:51:e5:61:a0:bd:6b:3c:c9:
                    f3:55:54:02:16:f2:56:27:81:be:83:82:53:25:1e:
                    c4:1c:1d:65:da:9f:2c:f7:97:49:3c:e1:03:35:1c:
                    da:c3:02:6d:93:1a:4a:89:53:4c:f5:3e:e7:f9:b9:
                    c0:10:e0:80:77:3a:d9:5d:ed:b1:46:9e:92:7e:86:
                    46:d7:be:fe:af:5a:af:02:b4:1b:d2:2b:08:1d:bc:
                    b5:93:8c:48:45:27:ba:26:69:a9:a8:9f:98:d3:de:
                    2d:f5:70:f5:39:6a:30:3b:8c:01:6c:85:19:a2:a6:
                    9a:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:C3:9C:F3:FC:D3:46:08:34:BB:CE:46:7F:A0:7C:5B:F3:E2:08:CB:59

            Authority Information Access: 
                OCSP - URI:http://gv.symcd.com
                CA Issuers - URI:http://gv.symcb.com/gv.crt

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:*.filemail.com, DNS:filemail.com
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://gv.symcb.com/gv.crl

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.54
                  CPS: https://www.rapidssl.com/legal

    Signature Algorithm: sha256WithRSAEncryption
         77:7e:54:47:93:6c:b0:4e:9c:dc:01:47:1f:76:54:9d:f2:42:
         94:c1:94:f8:7b:b4:68:82:fe:6d:66:45:68:e1:bd:df:ba:6d:
         15:a1:6c:b0:79:9e:d7:99:d9:11:7e:84:e9:f1:63:7c:92:25:
         c3:fe:cc:02:1a:61:b9:a3:29:59:18:c2:f1:d2:d7:84:dc:8d:
         28:2e:b5:6e:91:d9:68:65:37:5a:b9:b3:d5:f4:d1:1f:b2:ec:
         2b:0f:e1:50:30:72:f7:04:70:68:26:b0:61:47:44:49:d0:62:
         31:81:53:fa:cc:3a:7b:a1:3b:74:da:c2:3b:7b:5d:9c:23:de:
         69:92:51:fc:ff:8d:7a:ea:fd:b2:68:5f:38:3d:22:f6:a6:4a:
         d7:a0:88:97:06:54:fd:ba:dc:b9:3a:69:25:89:99:0e:81:82:
         c8:63:5c:87:98:bf:70:08:0a:89:20:a1:17:63:31:26:7b:af:
         b3:83:f3:9c:b6:7e:64:52:08:bf:a3:74:d5:0c:26:f6:25:7c:
         b9:cb:27:57:88:7f:af:1c:b5:99:08:4a:fd:c2:b4:ec:7a:40:
         ea:80:ac:e8:88:84:33:53:ab:90:af:bc:bc:ea:6f:88:fe:a8:
         f9:c7:63:a3:74:2c:0b:37:5c:90:39:ad:85:82:6a:e9:ea:a7:
         e1:55:c2:dd

<强> WWW2

$ openssl s_client -connect www2.filemail.com:443 -tls1 -servername www2.filemail.com | openssl x509 -text -noout > www2.txt
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify error:num=20:unable to get local issuer certificate
^C
riemann:~$ cat www2.txt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15955 (0x3e53)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
        Validity
            Not Before: Oct 14 20:14:57 2014 GMT
            Not After : Aug  4 13:09:28 2018 GMT
        Subject: OU = GT83551982, OU = See www.rapidssl.com/resources/cps (c)14, OU = Domain Control Validated - RapidSSL(R), CN = *.filemail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:38:89:72:40:74:77:e2:76:f0:20:ae:d9:91:
                    26:ac:42:85:03:86:ff:2f:a1:94:b7:f3:86:4c:f7:
                    ce:63:46:47:e6:03:73:95:01:07:0b:e0:60:9a:93:
                    c3:b4:14:bc:4e:16:f2:50:12:89:11:42:f5:58:51:
                    74:15:81:d0:ce:6e:e2:85:e8:d2:3a:38:48:a3:02:
                    80:e0:a1:fa:ea:8f:ca:ee:bc:00:b3:b2:64:7f:9c:
                    da:ca:e8:3f:a7:48:af:5c:ed:8e:2f:27:95:19:52:
                    85:d1:15:9b:f5:4d:b7:21:44:89:05:6f:06:92:7b:
                    ab:9e:10:63:be:7e:ce:3b:58:10:68:ae:7a:52:6e:
                    e5:62:bf:ff:56:33:06:51:e5:61:a0:bd:6b:3c:c9:
                    f3:55:54:02:16:f2:56:27:81:be:83:82:53:25:1e:
                    c4:1c:1d:65:da:9f:2c:f7:97:49:3c:e1:03:35:1c:
                    da:c3:02:6d:93:1a:4a:89:53:4c:f5:3e:e7:f9:b9:
                    c0:10:e0:80:77:3a:d9:5d:ed:b1:46:9e:92:7e:86:
                    46:d7:be:fe:af:5a:af:02:b4:1b:d2:2b:08:1d:bc:
                    b5:93:8c:48:45:27:ba:26:69:a9:a8:9f:98:d3:de:
                    2d:f5:70:f5:39:6a:30:3b:8c:01:6c:85:19:a2:a6:
                    9a:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:C3:9C:F3:FC:D3:46:08:34:BB:CE:46:7F:A0:7C:5B:F3:E2:08:CB:59

            Authority Information Access: 
                OCSP - URI:http://gv.symcd.com
                CA Issuers - URI:http://gv.symcb.com/gv.crt

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:*.filemail.com, DNS:filemail.com
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://gv.symcb.com/gv.crl

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.54
                  CPS: https://www.rapidssl.com/legal

    Signature Algorithm: sha256WithRSAEncryption
         77:7e:54:47:93:6c:b0:4e:9c:dc:01:47:1f:76:54:9d:f2:42:
         94:c1:94:f8:7b:b4:68:82:fe:6d:66:45:68:e1:bd:df:ba:6d:
         15:a1:6c:b0:79:9e:d7:99:d9:11:7e:84:e9:f1:63:7c:92:25:
         c3:fe:cc:02:1a:61:b9:a3:29:59:18:c2:f1:d2:d7:84:dc:8d:
         28:2e:b5:6e:91:d9:68:65:37:5a:b9:b3:d5:f4:d1:1f:b2:ec:
         2b:0f:e1:50:30:72:f7:04:70:68:26:b0:61:47:44:49:d0:62:
         31:81:53:fa:cc:3a:7b:a1:3b:74:da:c2:3b:7b:5d:9c:23:de:
         69:92:51:fc:ff:8d:7a:ea:fd:b2:68:5f:38:3d:22:f6:a6:4a:
         d7:a0:88:97:06:54:fd:ba:dc:b9:3a:69:25:89:99:0e:81:82:
         c8:63:5c:87:98:bf:70:08:0a:89:20:a1:17:63:31:26:7b:af:
         b3:83:f3:9c:b6:7e:64:52:08:bf:a3:74:d5:0c:26:f6:25:7c:
         b9:cb:27:57:88:7f:af:1c:b5:99:08:4a:fd:c2:b4:ec:7a:40:
         ea:80:ac:e8:88:84:33:53:ab:90:af:bc:bc:ea:6f:88:fe:a8:
         f9:c7:63:a3:74:2c:0b:37:5c:90:39:ad:85:82:6a:e9:ea:a7:
         e1:55:c2:dd
  

我正在尝试向www1.filemail.com进行SSL握手 - 但我是   收到此错误:

Unacceptable certificate from 188.138.81.30: application verification failure

RapidSSL SHA256 CA - G3 是一个CA;它 颁发 服务器的证书。该服务器称为 主题 。在您建立链条时, 颁发者将成为当前 主题。链的顶部是自签名根。从根本上说,发行人 == 主题

RapidSSL G3 CA是(1)自签名的,因此它是根CA;或者(2)由链中较高的另一个CA签名,因此它是一个从属CA(即它有一个发行者)。在这种情况下,G3 CA是一个下属,它有一个发行者。

听起来好像一台服务器正在发送验证服务器证书所需的完整链条;而另一台服务器不是。服务器应该发送完整的链以避免PKI中的"which directory" problem&#34;完整链&#34; 是每个证书,除了自签名根(但许多人也发送根)。

客户端必须信任自签名的先验,以及它不应该被发送的原因(否则,坏人可以交换他自己的链)。或者,而不是使用cacert.pem

Poco::Net::Context::CLIENT_USE, "", "", "C:\\cacert.pem", ...

您可以加载 RapidSSL SHA256 CA - G3 ,并将其用作信任的根目录。您将避免验证服务器链所需 cacert.pem 中的其他300个CA 。它的安全工程很好。

您可以从Intermediate CA Certificate: RapidSSL with SHA-2 (under SHA-1 Root)的rapidSSL网站获取 RapidSSL SHA256 CA - G3

使用RapidSSL更新SHA256 CA-G3

这是签名者的证书:

$ cat rapidssl.pem 
-----BEGIN CERTIFICATE-----
MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp
SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS
1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ
DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM
QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp
YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry
dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs
rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp
fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B
kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH
uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O
ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
gP8L8mJMcCaY
-----END CERTIFICATE-----

注意OpenSSL已完成 验证返回码:2(无法获得颁发者证书) 。这很好,因为你不关心发行人。您已完全信任 GeoTrust Inc., CN = RapidSSL SHA256 CA - G3 ,并 RapidSSL SHA256 CA - G3 认证/签署了服务器的证书。

$ openssl s_client -connect www1.filemail.com:443 -tls1 -servername www1.filemail.com -CAfile rapidssl.pem 
CONNECTED(00000003)
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify error:num=2:unable to get issuer certificate
issuer= C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
Server did acknowledge servername extension.
---
Certificate chain
 0 s:/OU=GT83551982/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.filemail.com
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEsDCCA5igAwIBAgICPlMwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCVVMx
FjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlkU1NMIFNIQTI1
NiBDQSAtIEczMB4XDTE0MTAxNDIwMTQ1N1oXDTE4MDgwNDEzMDkyOFowgZIxEzAR
BgNVBAsTCkdUODM1NTE5ODIxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29t
L3Jlc291cmNlcy9jcHMgKGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZh
bGlkYXRlZCAtIFJhcGlkU1NMKFIpMRcwFQYDVQQDDA4qLmZpbGVtYWlsLmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMU4iXJAdHfidvAgrtmRJqxC
hQOG/y+hlLfzhkz3zmNGR+YDc5UBBwvgYJqTw7QUvE4W8lASiRFC9VhRdBWB0M5u
4oXo0jo4SKMCgOCh+uqPyu68ALOyZH+c2sroP6dIr1ztji8nlRlShdEVm/VNtyFE
iQVvBpJ7q54QY75+zjtYEGiuelJu5WK//1YzBlHlYaC9azzJ81VUAhbyVieBvoOC
UyUexBwdZdqfLPeXSTzhAzUc2sMCbZMaSolTTPU+5/m5wBDggHc62V3tsUaekn6G
Rte+/q9arwK0G9IrCB28tZOMSEUnuiZpqaifmNPeLfVw9TlqMDuMAWyFGaKmmmUC
AwEAAaOCAVgwggFUMB8GA1UdIwQYMBaAFMOc8/zTRgg0u85Gf6B8W/PiCMtZMFcG
CCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL2d2LnN5bWNkLmNvbTAm
BggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNiLmNvbS9ndi5jcnQwDgYDVR0PAQH/
BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAnBgNVHREEIDAe
gg4qLmZpbGVtYWlsLmNvbYIMZmlsZW1haWwuY29tMCsGA1UdHwQkMCIwIKAeoByG
Gmh0dHA6Ly9ndi5zeW1jYi5jb20vZ3YuY3JsMAwGA1UdEwEB/wQCMAAwRQYDVR0g
BD4wPDA6BgpghkgBhvhFAQc2MCwwKgYIKwYBBQUHAgEWHmh0dHBzOi8vd3d3LnJh
cGlkc3NsLmNvbS9sZWdhbDANBgkqhkiG9w0BAQsFAAOCAQEAd35UR5NssE6c3AFH
H3ZUnfJClMGU+Hu0aIL+bWZFaOG937ptFaFssHme15nZEX6E6fFjfJIlw/7MAhph
uaMpWRjC8dLXhNyNKC61bpHZaGU3Wrmz1fTRH7LsKw/hUDBy9wRwaCawYUdESdBi
MYFT+sw6e6E7dNrCO3tdnCPeaZJR/P+Neur9smhfOD0i9qZK16CIlwZU/brcuTpp
JYmZDoGCyGNch5i/cAgKiSChF2MxJnuvs4PznLZ+ZFIIv6N01Qwm9iV8ucsnV4h/
rxy1mQhK/cK07HpA6oCs6IiEM1OrkK+8vOpviP6o+cdjo3QsCzdckDmthYJq6eqn
4VXC3Q==
-----END CERTIFICATE-----
subject=/OU=GT83551982/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.filemail.com
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
Server Temp Key: ECDH, P-521, 521 bits
---
SSL handshake has read 2834 bytes and written 338 bytes
Verification error: unable to get issuer certificate
---
New, SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 27390000AF3638FDEA75DDF52B9D937F290593304123134062F049306BBDE87F
    Session-ID-ctx: 
    Master-Key: E8E2613F6267C705CA82EEE4C8A992880A2ABDA9E8D477A10C952764B1F4DD3D39244D3F0AD915B8FEB7E5FA1E8D55FD
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1473889933
    Timeout   : 7200 (sec)
    Verify return code: 2 (unable to get issuer certificate)
    Extended master secret: yes
----

答案 1 :(得分:2)

Günter Obiltschnig通过POCO @ Github帮助我,并通过替换

使其工作
(((lambda (x y) (x y))
  (lambda (y) (lambda (y x) (x (x y))))
  (lambda (x) (lambda (x y) (x (y x)))))
 (lambda (x) 2)
 (lambda (y) 3))

Poco::Net::SecureStreamSocket ss(Poco::Net::SocketAddress(uri.getHost().c_str(), uri.getPort()));

(包括SecureStreamSocket构造函数中的主机名 - 用于证书验证)

来自POCO文件:

Poco::Net::SecureStreamSocket ss(Poco::Net::SocketAddress(uri.getHost().c_str(), uri.getPort()), uri.getHost());

我仍然不知道www1和www2之间配置的确切区别是,如果有人可以启发我的话会很高兴。