如何配置 curl (openssl) 以使其与自定义引擎和 TLSv1.0 一起工作

tag-icon tag-icon 20.04 ssl curl openssl tls
如何配置 curl (openssl) 以使其与自定义引擎和 TLSv1.0 一起工作

我已成功将自定义引擎添加到我的 OpenSSL 配置中,如下所示:

openssl_conf = openssl_def # at the beginning of the config file

[openssl_def] # at the end
engines = engine_section

[engine_section]
gost = gost_section

[gost_section]
engine_id = gost
dynamic_path = /usr/lib/aarch64-linux-gnu/engines-1.1/gost.so
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

它似乎有效,但当我尝试

curl -v https://lk.egrz.ru

我收到以下错误:

*   Trying 82.202.190.159:443...
* TCP_NODELAY set
* Connected to lk.egrz.ru (82.202.190.159) port 443 (#0)
GOST engine already loaded
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

但是,当我在旧的 Centos 上尝试上述命令时,一切似乎都正常工作:

*   Trying 82.202.190.159:443...
* TCP_NODELAY set
* Connected to lk.egrz.ru (82.202.190.159) port 443 (#0)
GOST engine already loaded
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0

不同之处在于,我只在 Ubuntu 20.04 LTS 机器上收到错误

我进行了研究,发现 TLSv1.0 不再受支持。

正如这个问题所建议的那样当我尝试 CURL 网站时出现 SSL 错误,解决方法是在 openssl.cnf 中添加以下内容

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1

我也将上面的代码片段添加到配置中,同时声明了自定义引擎,但它并没有解决问题。

有人能建议如何正确配置 openssl.cnf 文件以定义自定义引擎和 TLSv1.0 支持吗?这可能吗?

提前致谢

答案1

如果只是为了使用 curl,您可以使用 $HOME/.curlrc 中的文件配置自己的选项

https://everything.curl.dev/cmdline/configfile

例子:

root@xxxx:/home/xxxx# cat ~/.curlrc 
insecure
ciphers DEFAULT:!DH
#ciphers AES256-SHA

相关内容