在Ubuntu 13.10上运行系统curl:
curl --version curl 7.32.0 (x86_64-pc-linux-gnu) libcurl/7.32.0 OpenSSL/1.0.1e zlib/1.2.8 libidn/1.28 librtmp/2.3 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP 尝试连接到https://blog.pinboard.in时出现SSL错误。
curl -v https://blog.pinboard.in/ * Adding handle: conn: 0x1365a00 * Adding handle: send: 0 * Adding handle: recv: 0 * Curl_addHandleToPipeline: length: 1 * - Conn 0 (0x1365a00) send_pipe: 1, recv_pipe: 0 * About to connect() to blog.pinboard.in port 443 (#0) * Trying 67.23.8.22... * Connected to blog.pinboard.in (67.23.8.22) port 443 (#0) * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS alert, Server hello (2): * SSL certificate problem: unable to get local issuer certificate * Closing connection 0 curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
在Mac OS 10.9上使用curl 7.30.0,没有SSL错误:
curl -v https://blog.pinboard.in * Adding handle: conn: 0x7fbe79003a00 * Adding handle: send: 0 * Adding handle: recv: 0 * Curl_addHandleToPipeline: length: 1 * - Conn 0 (0x7fbe79003a00) send_pipe: 1, recv_pipe: 0 * About to connect() to blog.pinboard.in port 443 (#0) * Trying 67.23.8.22... * Connected to blog.pinboard.in (67.23.8.22) port 443 (#0) * TLS 1.0 connection using TLS_RSA_WITH_AES_128_CBC_SHA * Server certificate: *.pinboard.in * Server certificate: Gandi Standard SSL CA * Server certificate: UTN-USERFirst-Hardware > HEAD / HTTP/1.1 > User-Agent: curl/7.30.0 > Host: blog.pinboard.in > Accept: */* > < HTTP/1.1 200 OK HTTP/1.1 200 OK < Date: Mon, 24 Mar 2014 00:52:00 GMT Date: Mon, 24 Mar 2014 00:52:00 GMT * Server Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8o is not blacklisted < Server: Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8o Server: Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8o < Last-Modified: Wed, 19 Mar 2014 16:38:20 GMT Last-Modified: Wed, 19 Mar 2014 16:38:20 GMT < ETag: "21c05e-e006-4f4f847c4f700" ETag: "21c05e-e006-4f4f847c4f700" < Accept-Ranges: bytes Accept-Ranges: bytes < Content-Length: 57350 Content-Length: 57350 < Vary: Accept-Encoding Vary: Accept-Encoding < Content-Type: text/html; charset=utf8 Content-Type: text/html; charset=utf8 < * Connection #0 to host blog.pinboard.in left intact
尝试访问浏览器中的页面时也没有SSL错误。 Qualys SSL实验室的结果表明,这条链是不完整的,所以我猜浏览器和苹果curl可以解决这个问题。
有什么办法可以让curl在ubuntu上连接而不用通过-k手动禁用SSL或手动下载证书?