tech:curl_ssl [2008/08/22 10:38] jonathan – tech:curl_ssl [2021/06/13 09:43] (current version) – [Reference pages] jonathan
====== Fetching a page from a web server that requires mutual (two-way) SSL authentication with cURL ======
  * The server's root CA certificate is RootCA.crt
  * Server-side test URL: https://mail.ichiayi.com/t.txt
  * The client certificate is ClientCA.crt
  * The client private key is ClientCA.key
  * Produce a PEM-format client certificate file that also contains the private key <code sh>
cat ClientCA.crt > ClientCA.pem
cat ClientCA.key >> ClientCA.pem
</code>
===== cURL command syntax =====
<code sh>
curl --cacert RootCA.crt --cert ClientCA.pem https://mail.ichiayi.com/t.txt
</code>
++++Show the output|
<file>
[jonathan@pd920 ca]$ curl --cacert RootCA.crt --cert ClientCA.pem https://mail.ichiayi.com/t.txt
Enter PEM pass phrase: <-- enter the ClientCA passphrase
test
</file>
++++

  * Alternatively, append RootCA.crt to the CA cert bundle (/etc/pki/tls/certs/ca-bundle.crt) <code sh>
openssl x509 -inform PEM -in RootCA.crt -out RootCA.pem -text
cat RootCA.pem >> /etc/pki/tls/certs/ca-bundle.crt
</code> After that, --cacert no longer needs to be specified

  * If the server certificate's (ServerCA's) CN does not match the URL, or the server certificate has expired, --insecure can be used instead to turn off cURL's validation of the server certificate<code sh>
curl --cert ClientCA.pem https://localhost/t.txt
curl --insecure --cert ClientCA.pem https://localhost/t.txt
</code>
++++Show the output|
<file>
[jonathan@pd920 ca]$ curl --cert ClientCA.pem https://localhost/t.txt
Enter PEM pass phrase: <-- enter the ClientCA passphrase
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). The default
 bundle is named curl-ca-bundle.crt; you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[jonathan@pd920 ca]$
</file>
<file>
[jonathan@pd920 ca]$ curl --insecure --cert ClientCA.pem https://localhost/t.txt
Enter PEM pass phrase: <-- enter the ClientCA passphrase
test
</file>
++++

  * If you do not want an automated job to stop and wait for the ClientCA passphrase, the option can be written as --cert ClientCA.pem**:passphrase**<code sh>
curl --insecure --cert ClientCA.pem:mypasswd https://localhost/t.txt
</code>
++++Show the output|
<file>
[jonathan@pd920 ca]$ curl --insecure --cert ClientCA.pem:mypasswd https://localhost/t.txt
test
</file>
++++

  * If exposing the ClientCA passphrase on the command line this way is a concern, either issue the ClientCA without a passphrase in the first place, or supply the options through a curl config file instead. For example, with a config file named testcurl.conf, the original command<code sh>
curl --cacert RootCA.crt --cert ClientCA.pem:mypasswd https://mail.ichiayi.com/t.txt
</code>
    * is expressed as the following testcurl.conf content<file>
cacert = "RootCA.crt"
cert = "ClientCA.pem:mypasswd"
url = "https://mail.ichiayi.com/t.txt"
</file>
    * Restrict testcurl.conf so that only its owner can read and write it<code sh>
chmod 600 testcurl.conf
</code>
    * The cURL command using the config file is<code sh>
curl --conf testcurl.conf
</code>
++++Adding -v shows the full transfer trace|
<file>
[jonathan@pd920 jonathan]$ curl --conf testcurl.conf -v
* About to connect() to mail.ichiayi.com port 443
*   Trying 220.130.131.239... connected
* Connected to mail.ichiayi.com (220.130.131.239) port 443
* successfully set certificate verify locations:
*   CAfile: RootCA.crt
  CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server key exchange (12):
SSLv3, TLS handshake, Request CERT (13):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS handshake, CERT verify (15):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: /C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./CN=mail.ichiayi.com/[email protected]
*        start date: 2008-08-19 09:15:22 GMT
*        expire date: 2010-08-19 09:15:22 GMT
*        common name: mail.ichiayi.com (matched)
*        issuer: /C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./[email protected]
* SSL certificate verify ok.
> GET /t.txt HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: mail.ichiayi.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 22 Aug 2008 02:04:49 GMT
< Server: Apache/2.2.3 (CentOS)
< Last-Modified: Thu, 14 Aug 2008 09:26:22 GMT
< ETag: "2304c2-5-4546819248b80"
< Accept-Ranges: bytes
< Content-Length: 5
< Vary: Accept-Encoding
< Connection: close
< Content-Type: text/plain; charset=UTF-8
test
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
</file>
++++

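The two file-preparation steps above (building ClientCA.pem from the certificate and key, and writing a private testcurl.conf so the passphrase never appears on a command line) as an added shell example; this is not the page's own code. It reuses the page's file names and the placeholder passphrase mypasswd, invokes curl with the documented long option name --config (-K), and checks the file mode before running so a readable config does not leak the passphrase.

```shell
# Added example (not from the original page): prepare the client-cert files for
# a mutual-TLS curl request so the passphrase never appears on a command line.
# Assumes the page's file names; the passphrase "mypasswd" is a placeholder.

# Concatenate certificate and key into one PEM, created with owner-only mode
# because the result contains the private key.
make_client_pem() {
  crt="$1"; key="$2"; out="$3"
  ( umask 077; cat "$crt" "$key" > "$out" )
}

# Check that a PEM bundle carries both a certificate and a private-key block.
pem_has_cert_and_key() {
  grep -q 'BEGIN CERTIFICATE' "$1" &&
    grep -Eq 'BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY' "$1"
}

# Write the curl config file (equivalent of the page's testcurl.conf) under a
# restrictive umask, so it is never world-readable even for an instant.
make_curl_conf() {
  conf="$1"; cacert="$2"; cert="$3"; passphrase="$4"; url="$5"
  (
    umask 077
    {
      printf 'cacert = "%s"\n' "$cacert"
      printf 'cert = "%s:%s"\n' "$cert" "$passphrase"
      printf 'url = "%s"\n' "$url"
    } > "$conf"
  )
}

# Succeed only when the file mode is exactly 600 (GNU stat first,
# BSD/macOS stat as fallback).
conf_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

# Run the request from the config file; refuse if the config is not private,
# rather than proceed with a passphrase other local users can read.
run_with_conf() {
  conf_is_private "$1" || { echo "refusing: $1 is not mode 600" >&2; return 1; }
  curl --config "$1"
}

# Example usage (the page's file names):
#   make_client_pem ClientCA.crt ClientCA.key ClientCA.pem
#   make_curl_conf testcurl.conf RootCA.crt ClientCA.pem mypasswd https://mail.ichiayi.com/t.txt
#   run_with_conf testcurl.conf
```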
===== Reference pages =====
  * [[tech:openssl_caserver]]
  * [[tech:apache_ssl]]
  * http://curl.haxx.se/docs/sslcerts.html
  * http://curl.haxx.se/docs/caextract.html
  * https://support.nmi.com/hc/en-gb/articles/360021544791-How-to-Check-If-the-Correct-Certificates-Are-Installed-on-Linux

{{tag>curl ssl}}