如何在Ubuntu上使用旧版SSL支持编译Curl？ [英] How to compile Curl with legacy SSL support on Ubuntu?

问题描述

当尝试使用Curl连接到启用HTTPS的旧网站时，出现以下错误：

I have the following error, when attempting to connect to an old HTTPS-enabled web site using Curl:

curl https://10.11.1.44
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

更详细地讲：

* Expire in 0 ms for 6 (transfer 0x55a4192abdd0)
*   Trying 10.11.1.44...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55a4192abdd0)
* Connected to 10.11.1.44 (10.11.1.44) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

如果我尝试使用 --ssl2 或-ssl3 选项，出现以下错误：

If I try to use the --ssl2 or --ssl3 options, I get the following error:

root@kali:~# curl https://10.11.1.44/ --sslv2
curl: (4) OpenSSL was built without SSLv2 support
root@kali:~# curl https://10.11.1.44/ --sslv3
curl: (4) OpenSSL was built without SSLv3 support

我已经咨询了以下页面，以了解如何使用SSL2 / 3支持构建Curl，但是我不确定如何启用它？

I've consulted the following page for how to build Curl with SSL2/3 support, but I'm not sure how to enable it?

https://curl.haxx.se/docs/install.html

有什么想法吗？

推荐答案

您需要同时编译两个curl和您的ssl后端，显然，您将需要C编译器，并且可能需要更多东西，但idk是什么，希望这应该能够解决它：

you'll need to compile both curl and your ssl backend from source, obviously you'll need a C compiler, and probably more stuff but idk what, hopefully this should cover it:

sudo apt-get install gcc build-essential make cmake autoconf git automake libtool

这大概可以用几个ssl后端完成，但是由于我在最熟悉OpenSSL的人中，我将继续使用OpenSSL来构建openssl，请转到 https：//的openssl存储库。 github.com/openssl/openssl 并找到合适的openssl版本，在本示例中，我选择的版本为 1.1.1c （这是截止至

this can probably be done with several ssl backends, but since i'm most familiar with OpenSSL, i'll proceed with OpenSSL, to build openssl go to the openssl repo at https://github.com/openssl/openssl and find an appropriate openssl version, in this example i chose version 1.1.1c (which is the latest stable openssl release as of writing),

git clone -b 'OpenSSL_1_1_1c' --single-branch --depth 1 https://github.com/openssl/openssl
cd openssl
./config no-shared enable-ssl2 enable-ssl3 enable-ssl3-method
make -j $(nproc)

（最后一步可能要花一些时间），但是openSSL的构建脚本不会创建lib文件夹，但是curl的构建脚本希望lib文件位于openssl内的lib文件夹中文件夹，因此在制作之后，运行

(the last step may take a while) but openSSL's build script does not create a lib folder, but curl's build script expect the lib files to be in a lib folder inside the openssl folder, so after the make, run

mkdir lib
cp *.a lib;

一旦完成，就该卷曲了，所以 cd .. 从那里克隆出最新版本的curl，在此示例中，我使用curl 7.65.0 （撰写本文时，最新的curl发行版）

once that's done, it's time to make curl, so cd .. out of there and clone a recent version of curl, in this example i use curl 7.65.0 (latest curl release as of writing),

git clone -b 'curl-7_65_0' --single-branch --depth 1 https://github.com/curl/curl.git
cd curl
./buildconf
LDFLAGS="-static" ./configure --with-ssl=$(realpath ../openssl) --disable-shared  --enable-static
make -j $(nproc)

（如果您想知道为什么我使用了realpath：curl的buildscript中似乎有一个bug，如果您提供相对路径，它会失败，因此需要绝对路径，它似乎。如果您想知道为什么我进行了静态构建，也称为--disable-shared --enable-static，则您的$ PATH中可能有一个不同的libopenssl库，因此要避免与ubuntu的内置libopenssl（静态构建）冲突更加安全。）

(if you wonder why i used realpath: there appears to be a bug in curl's buildscript that makes it fail if you supply a relative path, so an absolute path is required, it seems. if you wonder why i made a static build aka --disable-shared --enable-static, you may have a different libopenssl library in your $PATH, so to avoid a conflict with ubuntu's built-in libopenssl, a static build is safer.)

最后

/temp2/curl# ./src/curl --sslv3 https://google.com
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

（因为 https://google.com 完全不再支持sslv3。）

(because https://google.com no longer supports sslv3, at all.)

git clone -b 'OpenSSL_1_1_1g' --single-branch --depth 1 https://github.com/openssl/openssl
cd openssl
./config no-shared enable-ssl2 enable-ssl3 enable-ssl3-method
make -j $(nproc)
mkdir lib
cp *.a lib;
cd ..
git clone -b 'curl-7_71_1' --single-branch --depth 1 https://github.com/curl/curl.git
cd curl
./buildconf
LDFLAGS="-static" ./configure --with-ssl=$(realpath ../openssl) --disable-shared  --enable-static
make -j $(nproc)
./src/curl --sslv3 https://google.com

这篇关于如何在Ubuntu上使用旧版SSL支持编译Curl？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！