cURL and Iceweasel disagree on the validity of a TLS certificate despite having the same CA

On Debian Jessie 8.4 GNU/Linux, I am running into inconsistent certificate validation between Iceweasel (Debian's Firefox derivative) and cURL for the URL https://profile.mensa.org.uk/contact.aspx

Iceweasel

Visiting https://profile.mensa.org.uk/contact.aspx with Iceweasel produces no error or warning. Clicking the padlock icon to the left of the address bar and then the "More Information..." button brings up a window containing the following:

Website Identity
Website: profile.mensa.org.uk
Owner: This website does not supply ownership information.
Verified by: GeoTrust Inc.

Clicking the "View Certificate" button brings up a window with two tabs, "General" and "Details". The General tab shows:

This certificate has been verified for the following uses:
SSL Client Certificate
SSL Server Certificate
Issued To
Common Name (CN) profile.mensa.org.uk
Organization (O) <Not Part Of Certificate>
Organizational Unit (OU) GT91227394
Serial Number 06:26:4F
Issued By
Common Name (CN) RapidSSL SHA256 CA - G3
Organization (O) GeoTrust Inc.
Organizational Unit (OU) <Not Part Of Certificate>
Validity
Issued On 05/08/15
Expires On 06/09/16
Fingerprints
SHA-256 Fingerprint 9C:F3:D7:B8:96:D6:A5:BC:98:9E:F0:DE:26:63:BD:17:C5:29:24:C9:02:A9:90:D3:A5:49:AB:10:5D:E8:C0:3C
SHA1 Fingerprint

Clicking the "Details" tab shows a three-level hierarchy in the "Certificate Hierarchy" field:

GeoTrust Global CA
  RapidSSL SHA256 CA - G3
    profile.mensa.org.uk

Selecting the GeoTrust Global CA item in that field, clicking the "Export..." button and saving it as the file ~/Documents/organisations/mensa/geotrust_global_ca.pem works as expected. Here is its fingerprint:

$ openssl x509 -noout -in ~/Documents/organisations/mensa/geotrust_global_ca.pem -fingerprint
SHA1 Fingerprint=DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12

Let's compare that with cURL.

cURL

Visiting https://profile.mensa.org.uk/contact.aspx with cURL results in a certificate error. Here is the verbose output from an attempt to fetch only the headers:

$ curl -v --head https://profile.mensa.org.uk/contact.aspx
* Hostname was NOT found in DNS cache
*   Trying 93.159.201.114...
* Connected to profile.mensa.org.uk (93.159.201.114) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

cURL works fine for this URL over HTTP, and for other domains over HTTPS:

$ curl --head http://profile.mensa.org.uk/contact.aspx
HTTP/1.1 302 Found
Date: Sat, 28 May 2016 14:30:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Location: /login.aspx?target=%2fcontact.aspx
Set-Cookie: ASP.NET_SessionId=axylcyf2cep2lq4e3brkggln; path=/; HttpOnly
Set-Cookie: WebToolsParam= ; path=/; HttpOnly
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 151

$ curl --head https://www.mensa.org.uk
HTTP/1.1 200 OK
Date: Sat, 28 May 2016 12:39:56 GMT
Server: Apache
Pragma: no-cache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESS4b296932593725667cea89bf7eb4e462=d10lbmrpju03rccsaftdemiai6; path=/; domain=.mensa.org.uk
Last-Modified: Sat, 28 May 2016 12:39:56 GMT
Content-Type: text/html; charset=utf-8

Here is the information about the current cURL version:

$ curl -V
curl 7.38.0 (i586-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1k zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP

I believe that, while Iceweasel has its own CA store, cURL looks for certificate authority certificates in /etc/ssl/certs, as the verbose output above shows. So my first thought was that the error cURL encounters when visiting https://profile.mensa.org.uk/contact.aspx must be due to /etc/ssl/certs lacking the CA certificate that Iceweasel recognises: GeoTrust Global CA. However, I found that /etc/ssl/certs does contain a suitable certificate:

$ openssl x509 -noout -in /etc/ssl/certs/GeoTrust_Global_CA.pem -fingerprint
SHA1 Fingerprint=DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12

As you can see, this is the same fingerprint as that of ~/Documents/organisations/mensa/geotrust_global_ca.pem above.

So something else must be going on. I tried forcing cURL to use each of the two certificates via the --cacert option, but that did not help:

$ curl --cacert ~/Documents/organisations/mensa/geotrust_global_ca.pem --head https://profile.mensa.org.uk/contact.aspx
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

$ curl --cacert /etc/ssl/certs/GeoTrust_Global_CA.pem --head https://profile.mensa.org.uk/contact.aspx
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

My main question is: what is causing this inconsistency between cURL and Iceweasel?

My second question is: does this inconsistency mean there is a bug in Iceweasel and/or a bug in cURL?

Answer 1

Apparently the certificate chain for profile.mensa.org.uk is misconfigured. Your Firefox profile has cached the missing intermediate, so it works (for you); curl has no such cache.

Credit to Matt Nordhoff
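The answer above can be checked mechanically. The following is an added example, not code from the question or the answer: it models the path-building step that both NSS (Iceweasel) and OpenSSL (cURL) perform, walking from the leaf certificate through issuers until a trust anchor is reached, with the single difference that one client has a cache of previously seen intermediates and the other does not. The `Cert` class, `build_chain`, `fetch_presented_chain` and the subject strings used in `main` are assumptions for illustration; real verifiers compare DER-encoded X.500 names and check signatures, which this simplification omits.

```python
"""Chain building with and without an intermediate cache (added example)."""
import re
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


def build_chain(leaf, presented, trust_anchors, cached_intermediates=()):
    """Walk from the leaf towards a trust anchor.

    Returns (chain, missing_issuer). When missing_issuer is None the chain
    ends at a trust anchor; otherwise it names the issuer that could not be
    found in any source, which is the situation OpenSSL reports as
    'unable to get local issuer certificate'.
    """
    by_subject = {}
    # Sources a verifier can draw on: certificates the server sent, a local
    # cache of intermediates (Firefox keeps one; curl does not), and the
    # trust store.
    for c in list(presented) + list(cached_intermediates) + list(trust_anchors):
        by_subject.setdefault(c.subject, c)
    anchors = {c.subject for c in trust_anchors}
    chain, current, seen = [leaf], leaf, {leaf.subject}
    while current.subject not in anchors:
        issuer = by_subject.get(current.issuer)
        # Stop if the issuer is unknown or the chain would loop back on itself.
        if issuer is None or issuer.subject in seen:
            return chain, current.issuer
        seen.add(issuer.subject)
        chain.append(issuer)
        current = issuer
    return chain, None


def fetch_presented_chain(host, port=443):
    """Return the Cert list a live server presents, using the openssl CLI.

    Requires network access and the openssl binary; not exercised offline.
    The exact subject/issuer string format depends on the openssl version.
    """
    out = subprocess.run(
        ["openssl", "s_client", "-showcerts", "-connect", f"{host}:{port}",
         "-servername", host], input=b"", capture_output=True, check=False,
    ).stdout.decode(errors="replace")
    pems = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                      out, re.S)
    certs = []
    for pem in pems:
        info = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer"],
                              input=pem.encode(), capture_output=True,
                              check=True).stdout.decode()
        fields = dict(line.split("=", 1) for line in info.splitlines() if "=" in line)
        certs.append(Cert(fields["subject"].strip(), fields["issuer"].strip()))
    return certs


def main():
    # Constructed sample mirroring the hierarchy shown in the question.
    leaf = Cert("CN=profile.mensa.org.uk", "CN=RapidSSL SHA256 CA - G3")
    inter = Cert("CN=RapidSSL SHA256 CA - G3", "CN=GeoTrust Global CA")
    root = Cert("CN=GeoTrust Global CA", "CN=GeoTrust Global CA")
    # The misconfigured server sends only the leaf.
    print("curl-like (no cache):", build_chain(leaf, [leaf], [root]))
    print("browser-like (cached intermediate):",
          build_chain(leaf, [leaf], [root], cached_intermediates=[inter]))
    print("correctly configured server:", build_chain(leaf, [leaf, inter], [root]))


if __name__ == "__main__":
    main()
```

Running `main()` shows the missing issuer `CN=RapidSSL SHA256 CA - G3` for the curl-like case, and a complete leaf, intermediate, root chain for both the cached and the correctly configured cases: adding the root with `--cacert` can never fix this, because the gap is one level below the root. The remedy is on the server side, which should send the intermediate along with the leaf.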
