====== Fetching a page from a web server that requires mutual (two-way) SSL/TLS authentication with cURL ======
* The server's root CA certificate is RootCA.crt
* Server-side test URL: https://mail.ichiayi.com/t.txt
* The client certificate is ClientCA.crt
* The client private key is ClientCA.key
* Build a PEM file for the client that holds both the certificate and the private key (the resulting file contains a private key, so keep it readable by its owner only, just like ClientCA.key)
cat ClientCA.crt > ClientCA.pem
cat ClientCA.key >> ClientCA.pem
===== cURL syntax =====
curl --cacert RootCA.crt --cert ClientCA.pem https://mail.ichiayi.com/t.txt
++++Show the output|
[jonathan@pd920 ca]$ curl --cacert RootCA.crt --cert ClientCA.pem https://mail.ichiayi.com/t.txt
Enter PEM pass phrase: <-- enter the passphrase of the ClientCA key
test
++++
* RootCA.crt can also be appended to the CA cert bundle (/etc/pki/tls/certs/ca-bundle.crt)
openssl x509 -inform PEM -in RootCA.crt -out RootCA.pem -text
cat RootCA.pem >> /etc/pki/tls/certs/ca-bundle.crt
After that --cacert no longer needs to be given. Two caveats: the bundle belongs to the system package and is replaced when that package is updated, so the appended entry silently disappears; and every program that reads that bundle, not only cURL, will then trust this private CA. The -text option only adds a human-readable dump in front of the PEM block, which the bundle does not need.
* If the server certificate's CN does not match the host name in the URL, or the server certificate has expired, --insecure (-k) makes cURL skip verifying the server certificate. This only disables the check of the server's certificate (the client certificate is still sent), so anyone who can intercept the connection can impersonate the server and receive the request; use it for debugging only, and fix the certificate or point --cacert at the right root instead. In the transcript below the first attempt fails because no --cacert is given, so the issuer of the localhost server's certificate is unknown to cURL's default bundle
curl --cert ClientCA.pem https://localhost/t.txt
curl --insecure --cert ClientCA.pem https://localhost/t.txt
++++Show the output|
[jonathan@pd920 ca]$ curl --cert ClientCA.pem https://localhost/t.txt
Enter PEM pass phrase: <-- enter the passphrase of the ClientCA key
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[jonathan@pd920 ca]$
[jonathan@pd920 ca]$ curl --insecure --cert ClientCA.pem https://localhost/t.txt
Enter PEM pass phrase: <-- enter the passphrase of the ClientCA key
test
++++
* To keep an automated job from stalling at the ClientCA passphrase prompt, the option can be written as --cert ClientCA.pem**:passphrase**
curl --insecure --cert ClientCA.pem:mypasswd https://localhost/t.txt
++++Show the output|
[jonathan@pd920 ca]$ curl --insecure --cert ClientCA.pem:mypasswd https://localhost/t.txt
test
++++
* If exposing the ClientCA passphrase this way is a concern (a passphrase on the command line shows up in the process list and in the shell history), either generate the ClientCA key without a passphrase in the first place, or let cURL read its options from a config file. Example: the config file is testcurl.conf and the original command is
curl --cacert RootCA.crt --cert ClientCA.pem:mypasswd https://mail.ichiayi.com/t.txt
* The contents of testcurl.conf are then
cacert = "RootCA.crt"
cert = "ClientCA.pem:mypasswd"
url = "https://mail.ichiayi.com/t.txt"
* Make testcurl.conf readable and writable by its owner only
chmod 600 testcurl.conf
* The cURL syntax for using the config file is
curl --config testcurl.conf
(-K is the short form. The --conf in the transcript below is an abbreviation that the old cURL used there accepted; the full option name is --config.)
++++Add -v to see the full exchange|
[jonathan@pd920 jonathan]$ curl --conf testcurl.conf -v
* About to connect() to mail.ichiayi.com port 443
* Trying 220.130.131.239... connected
* Connected to mail.ichiayi.com (220.130.131.239) port 443
* successfully set certificate verify locations:
* CAfile: RootCA.crt
CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server key exchange (12):
SSLv3, TLS handshake, Request CERT (13):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS handshake, CERT verify (15):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: /C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./CN=mail.ichiayi.com/emailAddress=tryweb@ichiayi.com
* start date: 2008-08-19 09:15:22 GMT
* expire date: 2010-08-19 09:15:22 GMT
* common name: mail.ichiayi.com (matched)
* issuer: /C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./emailAddress=tryweb@ichiayi.com
* SSL certificate verify ok.
> GET /t.txt HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: mail.ichiayi.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 22 Aug 2008 02:04:49 GMT
< Server: Apache/2.2.3 (CentOS)
< Last-Modified: Thu, 14 Aug 2008 09:26:22 GMT
< ETag: "2304c2-5-4546819248b80"
< Accept-Ranges: bytes
< Content-Length: 5
< Vary: Accept-Encoding
< Connection: close
< Content-Type: text/plain; charset=UTF-8
test
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
++++
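The whole procedure above, from concatenating the client certificate and key through the --cacert/--cert call, the failure without --cacert, the --insecure shortcut and the passphrase kept in a 0600 config file, as one added example that is not part of the original page and not the author's own script. It stands up a local server with openssl s_server, so nothing here touches mail.ichiayi.com; openssl and an OpenSSL-backed curl in PATH are assumed, and every file name, subject and port in it is invented.

```shell
#!/bin/sh
# Added example, not from the original page: a complete mutual-TLS round trip
# on localhost so the page's curl invocations can be tried without a real server.
# Assumptions: openssl and an OpenSSL-backed curl are in PATH, a high port on
# 127.0.0.1 is free, and every file name and subject below is invented.
set -eu

WORK=$(mktemp -d)
PORT=$(( 20000 + $$ % 20000 ))     # arbitrary high port for the local server
PASS=mypasswd                      # client key passphrase, same value as the page
URL="https://127.0.0.1:$PORT/t.txt"
SRV_PID=

cleanup() { [ -n "$SRV_PID" ] && kill "$SRV_PID" 2>/dev/null; rm -rf "$WORK"; }
trap cleanup EXIT

# 1. Throw-away PKI: RootCA signs both the server and the client certificate.
make_pki() (
  cd "$WORK"
  umask 077                        # every key file is created 0600
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Test-RootCA \
      -keyout RootCA.key -out RootCA.crt 2>/dev/null
  # Server cert: modern curl matches the SAN, not the CN, so the IP goes there.
  printf 'subjectAltName=IP:127.0.0.1\n' > san.cnf
  openssl req -newkey rsa:2048 -nodes -subj /CN=127.0.0.1 \
      -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA RootCA.crt -CAkey RootCA.key \
      -CAcreateserial -days 1 -extfile san.cnf -out server.crt 2>/dev/null
  # Client key is passphrase-protected, like ClientCA.key on the page.
  openssl genrsa -aes256 -passout "pass:$PASS" -out ClientCA.key 2048 2>/dev/null
  openssl req -new -key ClientCA.key -passin "pass:$PASS" -subj /CN=jonathan \
      -out client.csr 2>/dev/null
  openssl x509 -req -in client.csr -CA RootCA.crt -CAkey RootCA.key \
      -CAcreateserial -days 1 -out ClientCA.crt 2>/dev/null
  # The page's concatenation; the .pem now holds a private key, so 0600 matters.
  cat ClientCA.crt ClientCA.key > ClientCA.pem
  echo test > t.txt
)

# 2. Local HTTPS server that refuses any client without a cert chained to RootCA.crt.
start_server() {
  ( cd "$WORK" && exec openssl s_server -accept "$PORT" -WWW -cert server.crt \
        -key server.key -CAfile RootCA.crt -Verify 2 ) >/dev/null 2>&1 &
  SRV_PID=$!
  i=0                              # wait until a full request succeeds
  while [ "$i" -lt 40 ]; do
    if curl -s -o /dev/null --cacert "$WORK/RootCA.crt" \
          --cert "$WORK/ClientCA.pem:$PASS" "$URL"; then return 0; fi
    i=$((i + 1)); sleep 0.5
  done
  echo "local server did not come up" >&2; return 1
}

# 3. Config file keeps the passphrase out of argv, `ps` output and shell history.
write_config() (
  umask 077                        # created 0600, the effect of the page's chmod
  cat > "$WORK/testcurl.conf" <<EOF
cacert = "$WORK/RootCA.crt"
cert = "$WORK/ClientCA.pem:$PASS"
url = "$URL"
silent
EOF
)

# The fetch_* helpers print the response body, or curl's exit code on failure.
fetch_with_config() {              # the page's final form: curl -K testcurl.conf
  curl --config "$WORK/testcurl.conf"
}
fetch_without_cacert() {           # issuer unknown -> 60 (CURLE_PEER_FAILED_VERIFICATION)
  if curl -s -o /dev/null --cert "$WORK/ClientCA.pem:$PASS" "$URL"
  then echo 0; else echo $?; fi
}
fetch_insecure() {                 # -k skips server verification; client cert is still sent
  curl -s -k --cert "$WORK/ClientCA.pem:$PASS" "$URL"
}
fetch_without_client_cert() {      # server aborts the handshake -> non-zero exit
  if curl -s -o /dev/null --cacert "$WORK/RootCA.crt" "$URL"
  then echo 0; else echo $?; fi
}

make_pki
start_server
write_config
echo "config file (--cacert + --cert pem:pass): $(fetch_with_config)"
echo "no --cacert, curl exit code:              $(fetch_without_cacert)"
echo "--insecure instead of --cacert:           $(fetch_insecure)"
echo "no client cert, curl exit code:           $(fetch_without_client_cert)"
```

Run it with sh and a throw-away directory is created and removed again on exit. The four fetch_* helpers show the contrast the page describes: the config-file call and the --insecure call both return the body test, dropping --cacert yields exit code 60 (the same "certificate verify failed" class of error as the localhost transcript), and dropping the client certificate makes the server abort the handshake, which is the whole point of mutual TLS.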
===== References =====
* [[tech:openssl_caserver]]
* [[tech:apache_ssl]]
* http://curl.haxx.se/docs/sslcerts.html
* http://curl.haxx.se/docs/caextract.html
* https://support.nmi.com/hc/en-gb/articles/360021544791-How-to-Check-If-the-Correct-Certificates-Are-Installed-on-Linux
{{tag>curl ssl}}