curl https://github.com fails with "self signed certificate in certificate chain"

When I run:

curl -L https://github.com

I get:

   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
 curl: (60) SSL certificate problem: self signed certificate in certificate chain
 More details here: https://curl.haxx.se/docs/sslcerts.html

 curl failed to verify the legitimacy of the server and therefore could
 not establish a secure connection to it. To learn more about this
 situation and how to fix it, please visit the web page mentioned
 above.
Even Kaspersky confirms this, and curl still works perfectly. I have also already replaced cacert.pem as suggested here.

Other details:

curl --version

 curl 7.58.0 (x86_64-w64-mingw32) libcurl/7.58.0 OpenSSL/1.0.2n (WinSSL) zlib/1.2.11 libidn2/2.0.4 nghttp2/1.29.0
 Release-Date: 2018-01-24
 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
 Features: AsynchDNS Debug IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 HTTPS-proxy MultiSSL Metalink


curl -L -v https://github.com

* STATE: INIT => CONNECT handle 0x12bf160; line 1392 (connection #-5000)
* Rebuilt URL to: https://github.com/
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x12bf160; line 1428 (connection #0)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying 192.30.253.112...
* TCP_NODELAY set
* STATE: WAITRESOLVE => WAITCONNECT handle 0x12bf160; line 1509 (connection #0)
* Connected to github.com (192.30.253.112) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x12bf160; line 1561 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x12bf160; line 1575 (connection #0)
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [109 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1920 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: self signed certificate in certificate chain
* Marked for [closure]: Failed HTTPS connection
* multi_done
* stopped the pause stream!
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
* The cache now contains 0 members
* Expire cleared
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could
not establish a secure connection to it. To learn more about this
situation and how to fix it, please visit the web page mentioned
above.

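You probably have an intercepting proxy. You first need to find out which IP address github.com resolves to, then fetch and look at the certificate you get, for example:

openssl s_client -connect github.com:443 -servername github.com

I get:

subject=/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=GitHub.com

What about you?

OK. This is my work laptop, so it has the Kaspersky antivirus installed. Kaspersky inserts a proxy that adds a self-signed certificate. That is why the request fails.

So I guess you either fully trust this intercepting proxy, and therefore its certificate, or you remove this component from all HTTPS flows…

Yes. By creating a ca-all.pem as suggested here, I was able to run

curl --cacert ~/Desktop/ca-all.pem -L https://github.com

successfully.

Technically, this is not a problem. In fact, you just need to understand that you are handing all of your plaintext traffic to some application that may do whatever it wants with it, besides sending it on to the real destination you want to reach. You have to decide whether you trust this application to always do the right thing with all the private data supposedly exchanged in the TLS stream.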
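
The check described in the comments above (look at the chain that `openssl s_client` returns and see who issued it), as an added shell example that is not part of the original thread: it flags any self-signed certificate the peer sends, which is what OpenSSL reports as "self signed certificate in certificate chain" when that certificate is not in the CA bundle. The function names, the sample chains and the "Example ..." CA names are constructed placeholders.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client` output on stdin, e.g. from
#   openssl s_client -connect github.com:443 -servername github.com </dev/null
# and inspects the "Certificate chain" block (" N s:<subject>" / "   i:<issuer>").

# Print the issuer of the leaf certificate (chain entry 0).
leaf_issuer() {
    awk '/^ *0 s:/      { leaf = 1; next }
         leaf && /^ *i:/ { sub(/^ *i:/, ""); print; exit }'
}

# Print every certificate the peer sent whose subject equals its issuer.
# Returns 0 if at least one such self-signed certificate is in the chain.
self_signed_in_chain() {
    awk '/^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
         /^ *i:/        { sub(/^ *i:/, ""); if ($0 == subj) { print; found = 1 } }
         END            { exit !found }'
}

# Constructed sample: chain as seen behind a TLS-intercepting proxy.
# The "Example ..." names are placeholders, not a real product's CA.
sample_intercepted() { cat <<'EOF'
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/O=Example AV Vendor/CN=Example Interception Root
 1 s:/O=Example AV Vendor/CN=Example Interception Root
   i:/O=Example AV Vendor/CN=Example Interception Root
---
EOF
}

# Constructed sample: chain from a public CA; the root is not sent.
sample_direct() { cat <<'EOF'
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=Example Public CA/CN=Example Issuing CA
 1 s:/C=US/O=Example Public CA/CN=Example Issuing CA
   i:/C=US/O=Example Public CA/CN=Example Root CA
---
EOF
}

for s in sample_intercepted sample_direct; do
    if ca=$($s | self_signed_in_chain); then
        echo "$s: peer sent self-signed CA: $ca"
    else
        echo "$s: no self-signed certificate; leaf issuer: $($s | leaf_issuer)"
    fi
done
```

If the printed name is not a CA you deliberately installed, adding it to a `--cacert` bundle means trusting whatever sits in the path with every TLS session.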