cURL 链问题

cURL 链问题

在 Ubuntu 13.10 上运行系统 curl:

curl --version
curl 7.32.0 (x86_64-pc-linux-gnu) libcurl/7.32.0 OpenSSL/1.0.1e zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP 

我在尝试连接到时收到 SSL 错误https://blog.pinboard.in

curl -v https://blog.pinboard.in/
* Adding handle: conn: 0x1365a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x1365a00) send_pipe: 1, recv_pipe: 0
* About to connect() to blog.pinboard.in port 443 (#0)
*   Trying 67.23.8.22...
* Connected to blog.pinboard.in (67.23.8.22) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

在 Mac OS 10.9 上使用 curl 7.30.0 没有 SSL 错误:

curl -v https://blog.pinboard.in
* Adding handle: conn: 0x7fbe79003a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fbe79003a00) send_pipe: 1, recv_pipe: 0
* About to connect() to blog.pinboard.in port 443 (#0)
*   Trying 67.23.8.22...
* Connected to blog.pinboard.in (67.23.8.22) port 443 (#0)
* TLS 1.0 connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate: *.pinboard.in
* Server certificate: Gandi Standard SSL CA
* Server certificate: UTN-USERFirst-Hardware
> HEAD / HTTP/1.1
> User-Agent: curl/7.30.0
> Host: blog.pinboard.in
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 24 Mar 2014 00:52:00 GMT
Date: Mon, 24 Mar 2014 00:52:00 GMT
* Server Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8o is not blacklisted
< Server: Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8o
Server: Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8o
< Last-Modified: Wed, 19 Mar 2014 16:38:20 GMT
Last-Modified: Wed, 19 Mar 2014 16:38:20 GMT
< ETag: "21c05e-e006-4f4f847c4f700"
ETag: "21c05e-e006-4f4f847c4f700"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 57350
Content-Length: 57350
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html; charset=utf8
Content-Type: text/html; charset=utf8

< 
* Connection #0 to host blog.pinboard.in left intact

尝试在浏览器中访问该页面时也没有 SSL 错误。Qualys SSL Labs 结果说链不完整,所以我猜浏览器和 Apple curl 可以解决这个问题。

有没有什么办法可以让 ubuntu 上的 curl 进行连接而无需禁用 SSL-k或手动下载证书?

相关内容