wget, self-signed certs and a custom HTTPS server


Problem description

For various reasons I have created a simple HTTP server, and added SSL support via OpenSSL. I'm using self-signed certificates. IE, Firefox and Chrome happily load content as long as I add the CA to the trusted root CAs.

However, wget (even when using the --no-check-certificate flag) reports:

OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

If I run the OpenSSL client against my server using:

openssl s_client -connect dnvista:82 -debug

I get back:

verify error:num=19:self signed certificate in certificate chain
verify return:0

and then

5852:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1060:SSL alert number 40
5852:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:

Do wget and the OpenSSL client simply not work with self-signed certificates?

Update:

For anyone that comes along later, adding this code helped with the OpenSSL client and Firefox:

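/* Give the server context an ephemeral ECDH key on P-256 so that
   ECDHE cipher suites can be negotiated. */
EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ecdh != NULL) {
    SSL_CTX_set_tmp_ecdh(ctx, ecdh);
    EC_KEY_free(ecdh);
}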


Recommended answer

I checked the man page of wget, and --no-check-certificate only seems to affect the server certificate. You need to specify your self-signed certificate as a valid CA certificate locally.

To do this, specify the certificate as --ca-certificate=... in wget and -CAfile in the s_client case.
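
The effect of -CAfile described in the answer, as an added example that is not part of the original question or answer: it creates a throwaway self-signed certificate, serves it with a local openssl s_server, and compares the verify return code s_client reports with and without -CAfile. The port, file names and function names are assumptions, and it assumes OpenSSL 1.1.0 or later on PATH.

```shell
#!/bin/sh
# Added demo (constructed): throwaway self-signed cert + local openssl s_server.
# Assumes OpenSSL >= 1.1.0 on PATH and that 127.0.0.1:$PORT is free.
PORT=${PORT:-14433}
DEMO_DIR=$(mktemp -d)
CERT="$DEMO_DIR/cert.pem"
KEY="$DEMO_DIR/key.pem"

make_cert() {
    # One-day self-signed certificate; it is its own issuer, so it doubles as the "CA".
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$KEY" -out "$CERT" 2>/dev/null
}

verify_code() {
    # Print the numeric "Verify return code" that s_client reports; extra
    # arguments (e.g. -CAfile) are passed through to s_client.
    openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null 2>/dev/null |
        sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

start_server() {
    openssl s_server -accept "127.0.0.1:$PORT" -cert "$CERT" -key "$KEY" -www \
        >/dev/null 2>&1 &
    SERVER_PID=$!
    tries=0   # wait until the listener completes a verified handshake
    while [ "$tries" -lt 10 ] && [ "$(verify_code -CAfile "$CERT")" != "0" ]; do
        tries=$((tries + 1)); sleep 1
    done
}

run_demo() {
    make_cert && start_server
    WITHOUT_CA=$(verify_code)               # default trust store only
    WITH_CA=$(verify_code -CAfile "$CERT")  # certificate supplied as trusted CA
    kill "$SERVER_PID" 2>/dev/null
    wait "$SERVER_PID" 2>/dev/null || true
    rm -rf "$DEMO_DIR"
}

run_demo
echo "without -CAfile: verify return code $WITHOUT_CA"   # 18
echo "with    -CAfile: verify return code $WITH_CA"      # 0
# wget analogue: wget --ca-certificate=cert.pem https://host:port/
```

A lone self-signed certificate gives code 18; the code 19 in the question is the same trust failure reported for a self-signed root further up the chain.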
