从HTTP重定向到HTTPS后，curl无法验证自签名证书 [英] curl fails to verify self signed certificate after redirection from HTTP to HTTPS

问题描述

我对自签名SSL证书和curl有问题.

I have a problem with self-signed SSL certificate and curl.

服务器为lighttpd.HTTPS正常工作:

Server is lighttpd. HTTPS works fine:

$ curl https://192.168.144.1/zxc -k
HELLO

但是从HTTP重定向会失败:

But with redirection from HTTP it fails:

curl http://192.168.144.1:81/zxc -kvL
*   Trying 192.168.144.1...
* TCP_NODELAY set
* Connected to 192.168.144.1 (192.168.144.1) port 81 (#0)
> GET /zxc HTTP/1.1
> Host: 192.168.144.1:81
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://192.168.144.1:81/zxc
< Content-Length: 0
< Date: Sat, 30 May 2020 06:59:57 GMT
< Server: lighttpd/1.4.48
<
* Connection #0 to host 192.168.144.1 left intact
* Issue another request to this URL: 'https://192.168.144.1:81/zxc'
* Hostname 192.168.144.1 was found in DNS cache
*   Trying 192.168.144.1...
* TCP_NODELAY set
* Connected to 192.168.144.1 (192.168.144.1) port 81 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):

........... HERE IT STACKS FOR A MINUTE ....................

* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.144.1:81
* stopped the pause stream!
* Closing connection 1
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.144.1:81

我在这里找到的一种可能的解决方法 https://stackoverflow.com/a/44494250/3743145 :CURLOPT_SSL_VERIFYPEER = false.如何将其传递给CURL CLI?

One possible solution I found here https://stackoverflow.com/a/44494250/3743145: CURLOPT_SSL_VERIFYPEER=false. How to pass it to CURL CLI?

推荐答案

> * LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.144.1:81

错误为 SSL_ERROR_SYSCALL ，与证书验证无关.实际上，仔细研究一下您所执行的操作表明，您正在从端口81上的纯HTTP重定向到同一端口上的 HTTPS .

The error is SSL_ERROR_SYSCALL and this has nothing to do with certificate validation. In fact, a closer look at what you are doing shows that you are redirecting from plain HTTP on port 81 to HTTPS on the same port.

curl http://192.168.144.1:81/zxc -kvL
...
< HTTP/1.1 301 Moved Permanently
< Location: https://192.168.144.1:81/zxc

这与您在标准端口(443)上使用HTTPS之前所进行的测试有很大的不同.而且您的HTTP服务器很有可能不会在同一端口81上使用HTTP和HTTPS-大多数服务器甚至都不支持这种配置.

This is very different from what you've tested before where you used HTTPS on the standard port (443). And it is very likely that your HTTP server does not speak HTTP and HTTPS on the same port 81 - most servers don't even support such kind of configuration.

这篇关于从HTTP重定向到HTTPS后，curl无法验证自签名证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！