在 Ubuntu 13.10 上运行系统 curl:
curl --version
curl 7.32.0 (x86_64-pc-linux-gnu) libcurl/7.32.0 OpenSSL/1.0.1e zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
我在尝试连接到时收到 SSL 错误https://blog.pinboard.in
。
curl -v https://blog.pinboard.in/
* Adding handle: conn: 0x1365a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x1365a00) send_pipe: 1, recv_pipe: 0
* About to connect() to blog.pinboard.in port 443 (#0)
* Trying 67.23.8.22...
* Connected to blog.pinboard.in (67.23.8.22) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
在 Mac OS 10.9 上使用 curl 7.30.0 没有 SSL 错误:
curl -v https://blog.pinboard.in
* Adding handle: conn: 0x7fbe79003a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fbe79003a00) send_pipe: 1, recv_pipe: 0
* About to connect() to blog.pinboard.in port 443 (#0)
* Trying 67.23.8.22...
* Connected to blog.pinboard.in (67.23.8.22) port 443 (#0)
* TLS 1.0 connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate: *.pinboard.in
* Server certificate: Gandi Standard SSL CA
* Server certificate: UTN-USERFirst-Hardware
> HEAD / HTTP/1.1
> User-Agent: curl/7.30.0
> Host: blog.pinboard.in
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 24 Mar 2014 00:52:00 GMT
Date: Mon, 24 Mar 2014 00:52:00 GMT
* Server Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8o is not blacklisted
< Server: Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8o
Server: Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8o
< Last-Modified: Wed, 19 Mar 2014 16:38:20 GMT
Last-Modified: Wed, 19 Mar 2014 16:38:20 GMT
< ETag: "21c05e-e006-4f4f847c4f700"
ETag: "21c05e-e006-4f4f847c4f700"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 57350
Content-Length: 57350
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html; charset=utf8
Content-Type: text/html; charset=utf8
<
* Connection #0 to host blog.pinboard.in left intact
尝试在浏览器中访问该页面时也没有 SSL 错误。Qualys SSL Labs 结果说链不完整,所以我猜浏览器和 Apple curl 可以解决这个问题。
有没有什么办法可以让 ubuntu 上的 curl 进行连接而无需禁用 SSL-k
或手动下载证书?