SSL verification is not performed when using the curl cacert option


Here is my understanding of curl's --cacert option:

We can make curl perform SSL verification against a custom trust store by giving this option the path to a PEM file. It is mainly used when we try to establish a connection to a server with a self-signed certificate; I tried it, and it works as expected.

Now, out of curiosity, I tried connecting to https://google.com using a custom cacert that contains only the stackexchange.com certificate. I expected it to fail, but the SSL handshake succeeded.

I would like to know the reason behind this, or whether my understanding of the cacert option is wrong.

$ curl -v https://google.com --cacert "stackexchange.pem"
*   Trying 142.250.192.78:443...
* Connected to google.com (142.250.192.78) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: stackexchange.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.google.com
*  start date: Mar 28 01:19:44 2022 GMT
*  expire date: Jun 20 01:19:43 2022 GMT
*  subjectAltName: host "google.com" matched cert's "google.com"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f86dd012000)
> GET / HTTP/2
> Host: google.com
> user-agent: curl/7.77.0
> accept: */*
>
< HTTP/2 301
< location: https://www.google.com/
< content-type: text/html; charset=UTF-8
< date: Fri, 15 Apr 2022 09:47:01 GMT
< expires: Sun, 15 May 2022 09:47:01 GMT
< cache-control: public, max-age=2592000
< server: gws
< content-length: 220
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
* Connection #0 to host google.com left intact

The question is how the SSL handshake can succeed, since my trust store does not trust google.com and only contains stackexchange.com.

Output of curl -V:

$ curl -V
curl 7.77.0 (x86_64-apple-darwin21.0) libcurl/7.77.0 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.42.0
Release-Date: 2021-05-26
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets

I am using macOS Monterey v12.1.
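Two checks worth running before relying on --cacert, added here as an example (shell script, not part of the original question): one parses which TLS backend the first line of `curl -V` names (MultiSSL builds like the one above put the active backend in parentheses), and one is a negative test that a freshly generated, unrelated CA is rejected for a given host. It assumes openssl and curl are on PATH, and network access for the negative test; the CA it uses is a throwaway it constructs itself.

```shell
#!/bin/sh
# Added example, not from the original question: sanity checks for curl --cacert.

# Print the TLS backend named in the first line of `curl -V`.
# MultiSSL builds show the active backend in parentheses, e.g. "(SecureTransport)";
# single-backend builds show it as the first token after libcurl/x.y.z.
tls_backend() {
    printf '%s\n' "$1" | sed -n \
        -e 's|.*libcurl/[^ ]* (\([^)]*\)).*|\1|p' \
        -e 's|.*libcurl/[^ ]* \([^ /]*\)/.*|\1|p'
}

# Return 0 when the Features line lists MultiSSL, i.e. more than one backend is
# compiled in and the CURL_SSL_BACKEND environment variable can select another.
is_multissl() {
    printf '%s\n' "$1" | grep -q 'MultiSSL'
}

# Negative test: with a CA that has signed nothing, curl MUST fail verification.
# Exit 0 = --cacert enforced, 1 = verification wrongly succeeded, 2 = inconclusive.
# The CA is a throwaway constructed here with openssl (needs openssl, curl, network).
cacert_negative_test() {
    host=${1:?host required}
    dir=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=unrelated test CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || { rm -rf "$dir"; return 2; }
    if curl -sS -o /dev/null --cacert "$dir/ca.pem" "https://$host/" 2>/dev/null; then
        rc=0
    else
        rc=$?
    fi
    rm -rf "$dir"
    case $rc in
        0)     return 1 ;;   # handshake verified against a CA that cannot vouch for the host
        51|60) return 0 ;;   # peer certificate not authenticated: the expected outcome
        *)     return 2 ;;   # DNS, connection or other error
    esac
}
```

Run `cacert_negative_test example.com` against the host you care about; a 0 exit confirms that the build in use really restricts trust to the file given to --cacert.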
