Windows cURL在访问SSL时无法使用cURL-ca-bundle.crt_Windows_Curl_Ssl

Windows cURL在访问SSL时无法使用cURL-ca-bundle.crt

windows curl ssl

Windows cURL在访问SSL时无法使用cURL-ca-bundle.crt,windows,curl,ssl,Windows,Curl,Ssl,我在Windows上尝试使用SSL使用cURL，但遇到了我绝对无法解决的证书问题例如，这里有一个我正在尝试运行的示例 $ curl "https://google.com" --ntlm -v --negotiate -u USERNAME:PASSWORD --proxy "PROXY" --cert "c:\temp\curl-ca-bundle.crt" * Adding handle: conn: 0x147ce88 * Adding handle: send: 0 * Adding

我在Windows上尝试使用SSL使用cURL，但遇到了我绝对无法解决的证书问题

例如，这里有一个我正在尝试运行的示例

$ curl "https://google.com" --ntlm -v --negotiate -u USERNAME:PASSWORD --proxy "PROXY" --cert "c:\temp\curl-ca-bundle.crt"
* Adding handle: conn: 0x147ce88
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x147ce88) send_pipe: 1, recv_pipe: 0
* About to connect() to proxy PROXY port 8080 (#0)
*   Trying 192.168.134.80...
* Connected to PROXY (PROXY_IP) port 8080 (#0)
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/7.30.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* unable to use client certificate (no key found or wrong pass phrase?)
* Closing connection 0
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)

我拥有的

curl ca bundle.crt

来自，几分钟前更新过。我确保该文件未被Windows阻止

值得一提的是，我支持公司代理和防火墙。我已经阅读了关于这个问题的所有资料，不知道下一步该怎么办。我知道我可以忽略SSL，但我希望不惜一切代价避免这种情况

我建议防火墙进行SSL拦截，也就是说，它作为中间人工作。要检查加密连接，它会将其拆分为两个加密连接，但它当然无法使用原始证书对浏览器和代理之间的连接进行签名。因此，它将创建一个新的证书，由特定于防火墙的CA签名。您需要将此CA添加到CA包中，否则验证将失败

有关详细信息，您可以尝试使用web浏览器访问目标站点，并检查签署服务器证书的CA，或者向系统管理员询问SSL拦截的详细信息。

如果您从浏览器连接并检查服务器证书。它是否与您从另一个连接（从另一个网络）获得的相同？谷歌有自己的CA。下载并将其用作CA（您需要将其从ASN.1/DER转换为PEM）。没有必要相信加州动物园。如果Steffen是正确的，那么您可以使用

openssl s_客户端-connect google.com:443-CAfile google-ca.pem

验证证书是否伪造。如果

s\u client

没有完成

Verify 0（OK）

，那么您就受到了攻击。@Bruno:我想您找到了什么。检查来自Chrome的有效SSL证书时，表明该证书是从我们的一个代理服务器颁发的。@user3238014虽然没有直接关系，但其原因可能或多或少与相同。@jww:不幸的是，我在Windows计算机上运行

openssl

，要么崩溃，要么给我一个文件errno:9。这两件事我现在都没办法解决。

* Adding handle: conn: 0x130cdf8
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x130cdf8) send_pipe: 1, recv_pipe: 0
* About to connect() to proxy PROXY port 8080 (#0)
*   Trying 192.168.135.80...
* Connected to PROXY (PROXY_IP) port 8080 (#0)
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/7.30.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: c:\temp\curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the
-k (or --insecure) option.