我正在尝试使用curl命令验证SSL。
到目前为止,我没有运气,因为我得到了以下内容:
-bash-4.2$ openssl verify -verbose -x509_strict -CAfile ca.cer server.cer
server.cer: OK
-bash-4.2$ curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.28.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
-bash-4.2$ curl -v --cacert ca.cer https://localhost:8443
* About to connect() to localhost port 8443 (#0)
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: ca.cer
CApath: none
* Server certificate:
* subject: CN=xxx,O=xxx,L=xxx,C=xx
* start date: Dec 11 14:17:05 2017 GMT
* expire date: Dec 11 14:17:05 2018 GMT
* common name: xxx
* issuer: CN=xxx,O=xxx,L=xxx,C=xx
* NSS error -8182 (SEC_ERROR_BAD_SIGNATURE)
* Peer's certificate has an invalid signature.
* Closing connection 0
curl: (60) Peer's certificate has an invalid signature.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
所以问题是如果openssl验证没问题,为什么curl会出错?