cURL SSL 连接错误 35 和 NSS 错误 -5961 [英] cURL SSL connect error 35 with NSS error -5961

问题描述

我有一台远程 Windows 7 服务器，只能通过端口 768 上的 HTTPS 访问.该服务器使用来自本地 CentOS 服务器中列出的 CA 的签名证书.

I have a remote Windows 7 server that is accessible only via HTTPS on port 768. The server is using a signed certificate from a CA listed in the local CentOS server.

每当我尝试使用以下命令通过 cURL 访问远程服务器时，都会出现如下错误:

Whenever I try to access the remote server via cURL using the following command, it errors out as follows:

[usr@serv certs]# curl -3 -v https://1.1.1.1:768/user/login
* About to connect() to 1.1.1.1 port 768 (#0)
*   Trying 1.1.1.1... connected
* Connected to 1.1.1.1 (1.1.1.1) port 768 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5961
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

(请注意，出于安全原因，IP 地址已被隐藏).

(Note that the IP address has been hidden for security reasons).

我正在运行以下版本的 cURL:

I am running the following version of cURL:

curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2

值得注意的是，这适用于另外两台运行 Windows XP 而不是 Windows 7 的远程服务器.

It's worth noting that this is working on two other remote servers which are both running Windows XP rather than windows 7.

我曾尝试强制 cURL 使用 SSLv3(使用 -3 标志和 -SSLv3 标志)但没有成功.

I have tried forcing cURL to use SSLv3 (using the -3 flag and the -SSLv3 flag) with no success.

我刚刚在运行 Raspbian 的 Raspberry Pi 上测试了相同的 CURL 命令，并且能够成功连接.因此，我认为这可能是 CentOS 服务器上使用的 cURL 版本的问题.树莓派运行的是以下版本:

I have just tested the same CURL command on a Raspberry Pi running Raspbian and have been able to connect successfully. I therefore believe it may be an issue with the version of cURL in use on the CentOS server. The raspberry pi is running the following version:

curl 7.26.0 (arm-unknown-linux-gnueabihf) libcurl/7.26.0 OpenSSL/1.0.1e zlib/1.2.7 libidn/1.25 libssh2/1.4.2 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: Debug GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

推荐答案

curl with NSS 默认从 "/etc/pki/tls/certs/ca- 读取根 CA 证书bundle.crt" 为 PEM 格式.

curl with NSS read the Root CA certificates by default from "/etc/pki/tls/certs/ca-bundle.crt" in the PEM format.

* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt

您可以通过 curl 的选项 --cacert 带有包含 CA 证书的 PEM 文件.

You can specify another (your) CA certificate (or bundle on the NSS Shared DB) by curl's option --cacert with the PEM file containing the CA certificate(s).

如果您没有使用 --cacert 选项手动指定证书，NSS 会尝试从 NSS 数据库(位于 /etc/pki/nssdb) 自动.您可以通过 curl 的选项 --cert 指定它的昵称，如果密钥嵌入在证书中，这应该就足够了，如果没有，您可以使用 - 指定带有证书密钥的 PEM 文件 --键.如果密钥受密码保护，您可以通过 curl 的选项 --pass 提供它，以便您可以使用 nss-tools (yum install nss-tools)

If you don't specify the certificate manually with --cacert option, NSS tries to select the right one from the NSS database (located at /etc/pki/nssdb) automatically. You can specify it's nickname by curl's option --cert, this should be sufficient if the key is embedded in the cert, if not you can specify the PEM file with the certificate key using the --key. If the key is protected by a pass-phrase, you can give it by curl's option --pass so you can import your certificate to the NSS shared DB using the nss-tools (yum install nss-tools)

添加证书(通用命令行)

certutil -d sql:/etc/pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> -i <certificate filename>

关于 TRUSTARGS

About TRUSTARGS

指定信任属性以在现有证书中修改或在创建证书或将其添加到数据库时应用于证书.

Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database.

每个证书有三个可用的信任类别，按此顺序表示:"SSL 、电子邮件、对象签名".每一个类别位置使用零个或多个以下属性代码:

There are three available trust categories for each certificate, expressed in this order: " SSL , email , object signing ". In each category position use zero or more of the following attribute codes:

• p 被禁止(明确不信任)
• P 可信对等方
• c 有效 CA
• T 受信任的 CA 颁发客户端证书(隐含 c)
• C 可信 CA 颁发服务器证书(仅限 SSL)(暗示 c)
• u 证书可用于身份验证或签名
• w 发送警告(与其他属性一起使用以在该上下文中使用证书时包含警告)

类别的属性代码以逗号分隔，并且用引号括起来的整个属性集.例如:

The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:

-t "TCu,Cu,Tuw"

-t "TCu,Cu,Tuw"

信任根 CA 证书来颁发 SSL 服务器证书

certutil -d sql:/etc/pki/nssdb -A -t "C,," -n <certificate nickname> -i <certificate filename> 

导入中间 CA 证书

certutil -d sql:/etc/pki/nssdb -A -t ",," -n <certificate nickname> -i <certificate filename>

信任自签名服务器证书

certutil -d sql:/etc/pki/nssdb -A -t "P,," -n <certificate nickname> -i <certificate filename> 

为 SSL 客户端身份验证添加个人证书和私钥

pk12util -d sql:/etc/pki/nssdb -i PKCS12_file_with_your_cert.p12

列出存储在 NSS DB 中的所有证书

certutil -d sql:/etc/pki/nssdb -L

列出证书的详细信息

certutil -d sql:/etc/pki/nssdb -L -n <certificate nickname>

删除证书

certutil -d sql:/etc/pki/nssdb -D -n <certificate nickname>

希望这会有所帮助.

这篇关于cURL SSL 连接错误 35 和 NSS 错误 -5961的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！