cURL and the default CApath/CAcert

I am dealing with a confusing situation around cURL and its CApath and CAcert values, because cURL behaves differently for two users on the same system (SUSE 11 SLES).

For the first user cURL fails, and its output shows that CAfile is set but CApath is not. For the second user it is exactly the other way round, and cURL works fine.

Neither user has a .curlrc file (unless it goes by a different name; I searched for ".curlrc"). Running "curl-config --ca" returns nothing for either user. "which curl" gives /usr/bin/curl for both users. I do not see any difference between the users' .bashrc or .bash_profile.

What could be causing this behaviour?

Edit: while preparing to post my question I noticed that one cURL uses TLSv1 and the other uses SSLv3. Could that be the cause of the problem? Even so, I still cannot see a reason for the different behaviour.

First user:

> curl -v -L https://github.com/arq5x/lumpy-sv/archive/0.2.13.tar.gz -o lumpy-sv-0.2.13.tar.gz
*   Trying 192.30.253.113...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to github.com (192.30.253.113) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.0 (OUT), TLS handshake, Client hello (1):

[more output]

* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate

For the second user:

> curl -v -L https://github.com/arq5x/lumpy-sv/archive/0.2.13.tar.gz -o lumpy-sv-0.2.13.tar.gz
* About to connect() to github.com port 443 (#0)
*   Trying 192.30.253.113... connected
* Connected to github.com (192.30.253.113) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):

[more output, download successful]

Answer 1

The two runs differ in how CAfile and CApath are set. This is probably caused by each user's local environment or curl settings.

I realise this question is already four years old and this answer may come a bit late. However, when I tried the same command today on Ubuntu 21.04, the download succeeded. The full output follows:

$ curl -v -L https://github.com/arq5x/lumpy-sv/archive/0.2.13.tar.gz -o lumpy-sv-0.2.13.tar.gz
210324_135906
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 140.82.114.4:443...
* Connected to github.com (140.82.114.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2379 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [78 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*  start date: Mar 12 00:00:00 2021 GMT
*  expire date: Mar 23 23:59:59 2022 GMT
*  subjectAltName: host "github.com" matched cert's "github.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55e5ed06c4b0)
} [5 bytes data]
> GET /arq5x/lumpy-sv/archive/0.2.13.tar.gz HTTP/2
> Host: github.com
> user-agent: curl/7.74.0
> accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 302 
< server: GitHub.com
< date: Wed, 24 Mar 2021 17:59:06 GMT
< content-type: text/html; charset=utf-8
< vary: X-PJAX, Accept-Encoding, Accept, X-Requested-With
< location: https://codeload.github.com/arq5x/lumpy-sv/tar.gz/0.2.13
< cache-control: max-age=0, private
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 0
< referrer-policy: no-referrer-when-downgrade
< expect-ct: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
< content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com online.visualstudio.com/api/v1/locations; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com secured-user-images.githubusercontent.com/ *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker-6832eced.js gist.github.com/socket-worker-6832eced.js
< content-length: 122
< x-github-request-id: 928E:7076:7319E:A5F86:605B7DEA
< 
* Ignoring the response-body
{ [122 bytes data]
100   122  100   122    0     0    446      0 --:--:-- --:--:-- --:--:--   448
* Connection #0 to host github.com left intact
* Issue another request to this URL: 'https://codeload.github.com/arq5x/lumpy-sv/tar.gz/0.2.13'
*   Trying 140.82.113.9:443...
* Connected to codeload.github.com (140.82.113.9) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2376 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [80 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
*  start date: Mar  4 00:00:00 2021 GMT
*  expire date: Mar  9 23:59:59 2022 GMT
*  subjectAltName: host "codeload.github.com" matched cert's "*.github.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55e5ed06c4b0)
} [5 bytes data]
> GET /arq5x/lumpy-sv/tar.gz/0.2.13 HTTP/2
> Host: codeload.github.com
> user-agent: curl/7.74.0
> accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 200 
< access-control-allow-origin: https://render.githubusercontent.com
< content-disposition: attachment; filename=lumpy-sv-0.2.13.tar.gz
< content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
< content-type: application/x-gzip
< etag: "20cc5ea746cf5762747447695b18c83a53d93ac9c617dbecf30c1f57774ce1fe"
< strict-transport-security: max-age=31536000
< vary: Authorization,Accept-Encoding
< x-content-type-options: nosniff
< x-frame-options: deny
< x-xss-protection: 1; mode=block
< date: Wed, 24 Mar 2021 17:59:06 GMT
< x-github-request-id: 8FE7:06F0:D805C:194103:605B7DEA
< 
{ [881 bytes data]
100 54.0M    0 54.0M    0     0  9896k      0 --:--:--  0:00:05 --:--:-- 11.0M
* Connection #1 to host codeload.github.com left intact
$ 

Notes:

  • There is a redirect
  • Both CAfile and CApath are set

I hope this helps solve the problem, if it is still relevant.
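As an added example that is not part of the question or the answer above: a small POSIX shell script that extracts the CAfile/CApath lines from a saved `curl -v` transcript for each user and lists the per-user settings that can change them (a `.curlrc`, the `CURL_CA_BUNDLE` variable, and the OpenSSL variables `SSL_CERT_FILE` / `SSL_CERT_DIR`). The two transcript fragments are constructed to mirror the two users in the question; that the difference comes from the environment is an assumption, offered because the answer names it as one possible cause.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Assumes curl built against
# OpenSSL, so the OpenSSL SSL_CERT_FILE / SSL_CERT_DIR variables apply.

# Read a "curl -v" transcript on stdin and print "CAfile=<x> CApath=<y>".
ca_locations() {
    awk '
        /CAfile:/ { sub(/.*CAfile: */, ""); f = $0 }
        /CApath:/ { sub(/.*CApath: */, ""); p = $0 }
        END { printf "CAfile=%s CApath=%s\n", f, p }
    '
}

# Report the settings that can make two users on one host verify differently.
ca_env_report() {
    printf 'user=%s\n' "$(id -un)"
    for v in CURL_CA_BUNDLE SSL_CERT_FILE SSL_CERT_DIR; do
        eval "val=\$$v"
        printf '%s=%s\n' "$v" "${val:-(unset)}"
    done
    if [ -f "${CURL_HOME:-$HOME}/.curlrc" ]; then
        printf '.curlrc=present\n'
    else
        printf '.curlrc=absent\n'
    fi
    # Compile-time CA bundle of this curl build (empty on the asker's system).
    if command -v curl-config >/dev/null 2>&1; then
        printf 'curl-config --ca=%s\n' "$(curl-config --ca)"
    fi
}

# Constructed transcript fragments mirroring the two users in the question.
FIRST_USER='* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none'
SECOND_USER='* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs/'

# Side-by-side comparison makes the mismatch obvious; run ca_env_report
# as each user to see which setting differs.
printf '%s\n' "$FIRST_USER"  | ca_locations
printf '%s\n' "$SECOND_USER" | ca_locations
```

Run `ca_env_report` as each of the two users and diff the two outputs; whichever line differs is the setting that changed the verify locations.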
