curl: (60) SSL certificate problem: when uploading behind proxy


Problem description


I need to do curl uploading behind a company proxy, and I've been getting the following two types of problems depending on the site that I try:

  • curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
  • curl: (60) SSL certificate problem: unable to get local issuer certificate

Here are the details:

Case 1:

. . . 
< HTTP/1.1 200 Connection established
< Proxy-agent: CCProxy
< 
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Case 2:

$ curl -vX POST -d "userId=5&title=Hello World&body=Post body." https://jsonplaceholder.typicode.com/posts
Note: Unnecessary use of -X or --request, POST is already inferred.
* Uses proxy env variable https_proxy == 'http://10.xx.xx.xx:808/'
*   Trying 10.xx.xx.xx:808...
* TCP_NODELAY set
* Connected to 10.xx.xx.xx port 808 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to jsonplaceholder.typicode.com:443
> CONNECT jsonplaceholder.typicode.com:443 HTTP/1.1
> Host: jsonplaceholder.typicode.com:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< Proxy-agent: CCProxy
< 
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

The problem is not the above CCProxy, but our company is using the Zscaler transparent proxy which is intercepting SSL requests with its own certificate.

Is there any way to fix it pls?

$ curl --version
curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.8.0 nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08

$ lsb_release -a 
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux bullseye/sid
Release:        testing
Codename:       bullseye

Solution

Step 1 in both options will extract the Zscaler certificates.

OPTION 1 Direct curl

  1. Download the certificates (all certificates are included in a single file)
  2. Execute the curl command passing the certificates you want to use.

# 1: dump the chain the server (here, the intercepting proxy) presents and keep only the PEM blocks
openssl s_client -showcerts \
  -connect jsonplaceholder.typicode.com:443 </dev/null 2>/dev/null \
  | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > typicode.crt
# 2: point curl at that file as its CA bundle
curl --cacert typicode.crt -v \
  -d "userId=5&title=Hello World&body=Post body." \
  https://jsonplaceholder.typicode.com/posts

OPTION 2 (installer script)

In case the curl command is executed by an installer you don't have control over, update your certificates:

  1. Extract the certificates from server (use the FQDN or IP and PORT, i.e: jsonplaceholder.typicode.com:443)
  2. Move the XXX.crt certificate to your certificates directory
  3. Update certificates
  4. Execute installation script

# 1: dump the chain the server presents and keep only the PEM blocks
openssl s_client -showcerts \
  -connect jsonplaceholder.typicode.com:443 </dev/null 2>/dev/null \
  | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > typicode.crt
# 2: place the file where update-ca-certificates picks up local CAs (.crt extension required)
sudo mv typicode.crt /usr/local/share/ca-certificates/
# 3: rebuild /etc/ssl/certs/ca-certificates.crt
sudo update-ca-certificates
# 4: execute your installer script

Bonus

In case you need/want to get the Zscaler certificates only, get the IP from: https://ip.zscaler.com

# keep only the first certificate block (stop after the first END line)
openssl s_client -showcerts -servername server -connect 165.225.216.33:443 </dev/null 2>/dev/null \
  | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{p;/-----END CERTIFICATE-----/q;}' > zscaler.crt

UPDATED (11/19/21):

  • Adding option 1, for when it is a direct curl and there is no need to install the certificates.
  • Optimized the command for extracting the certificates (creating the file)
  • Bonus: Getting the Zscaler IP

Tested on Ubuntu 20 and 18 behind Zscaler proxy.

[Screenshots: curl output without the certificate / with the certificate]
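As an added example (not part of the original answer), a small POSIX shell script that splits the chain returned by openssl s_client into individual certificates and inspects the last one, so that only the proxy CA, rather than every certificate the proxy presented, goes into the CA store, and its subject and fingerprint can be compared with what IT publishes first. The function names and the cert-N.pem file layout are my own.

```shell
#!/bin/sh
# Added example, not from the original answer: split the "openssl s_client
# -showcerts" output into one PEM file per certificate and inspect the last
# one (normally the intercepting proxy's CA) before trusting it.
set -eu

# Write each BEGIN/END CERTIFICATE block read from stdin to DIR/cert-N.pem
# and print the number of certificates found.
split_pem_bundle() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > f }
        /-----END CERTIFICATE-----/   { inside = 0; close(f) }
        END                           { print n + 0 }'
}

# Print the path of the last certificate written by split_pem_bundle: the
# server sends the chain leaf first, so this is the one closest to the root.
last_cert() {
    n=0
    for f in "$1"/cert-*.pem; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    printf '%s/cert-%d.pem\n' "$1" "$n"
}

# Succeed when subject and issuer match, i.e. the certificate is a root CA.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Network step (run behind the proxy): fetch the chain for HOST:PORT, e.g.
# jsonplaceholder.typicode.com:443, and print identity and SHA-256 fingerprint
# of the last certificate before copying it to /usr/local/share/ca-certificates.
inspect_proxy_ca() {
    dir=$(mktemp -d)
    openssl s_client -showcerts -servername "${1%%:*}" -connect "$1" \
        </dev/null 2>/dev/null | split_pem_bundle "$dir" >/dev/null
    ca=$(last_cert "$dir")
    openssl x509 -in "$ca" -noout -subject -issuer -fingerprint -sha256
    if is_self_signed "$ca"; then
        echo "self-signed root, candidate for the CA store: $ca"
    else
        echo "not self-signed: the served chain lacks the root, check the issuer above"
    fi
}
```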

