Today I discovered that curl no longer accepts some SSL certificates as valid, even though Firefox and wget handle them correctly, as does openssl s_client.
To reproduce it:
1. Start an Ubuntu container (the exact command is not preserved on the page).
2. Then, in the in-container bash: apt update && apt install curl ca-certificates -y -qq && curl -I -vvv https://google.com && curl -I -vvv https://download.docker.com
For google.com it works as expected (I've cut out the uninteresting parts):
/stuff here/
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.google.com
* start date: Jul 3 08:19:15 2023 GMT
* expire date: Sep 25 08:19:14 2023 GMT
* subjectAltName: host "google.com" matched cert's "google.com"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x561f0ab84e90)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> HEAD / HTTP/2
> Host: google.com
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
< HTTP/2 301
HTTP/2 301
< location: https://www.google.com/
location: https://www.google.com/
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8
< content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-rYqyrna6LnqByUwO50wixQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-rYqyrna6LnqByUwO50wixQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< date: Wed, 19 Jul 2023 18:33:24 GMT
date: Wed, 19 Jul 2023 18:33:24 GMT
< expires: Wed, 19 Jul 2023 18:33:24 GMT
expires: Wed, 19 Jul 2023 18:33:24 GMT
< cache-control: private, max-age=2592000
cache-control: private, max-age=2592000
/rest here/
For download.docker.com:
* Connected to download.docker.com (18.66.26.34) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.docker.com
* start date: Feb 22 00:00:00 2023 GMT
* expire date: Nov 30 23:59:59 2023 GMT
* subjectAltName does not match download.docker.com
* SSL: no alternative certificate subject name matches target host name 'download.docker.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'download.docker.com'
More details here: https://curl.se/docs/sslcerts.html
Meanwhile, openssl s_client works fine in the same container:
root@e4fec8ad4adf:/# openssl s_client -connect download.docker.com:443
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M02
verify return:1
depth=0 CN = *.docker.com
verify return:1
---
Certificate chain
0 s:CN = *.docker.com
i:C = US, O = Amazon, CN = Amazon RSA 2048 M02
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Feb 22 00:00:00 2023 GMT; NotAfter: Nov 30 23:59:59 2023 GMT
1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M02
i:C = US, O = Amazon, CN = Amazon Root CA 1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 23 22:25:30 2022 GMT; NotAfter: Aug 23 22:25:30 2030 GMT
2 s:C = US, O = Amazon, CN = Amazon Root CA 1
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
---
Server certificate
subject=CN = *.docker.com
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M02
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5632 bytes and written 385 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: B273720D995A9494B0393E22D63D265CDFFAEC69975BA108C90B600794789CC6
Session-ID-ctx:
Resumption PSK: E2F2056DF95274055C7646F88CE444BF83941BED39D3C8FAF3CC27D94375AEFE
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
Start Time: 1689792073
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
asdf
HTTP/1.1 400 Bad Request
Server: CloudFront
Date: Wed, 19 Jul 2023 18:41:55 GMT
Content-Type: text/html
Content-Length: 915
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 eadf79e9c2d5c2d1c323c9bb914a92d4.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: LHR61-P2
X-Amz-Cf-Id: dTRRSDK4LH1iDVJMsgMiIxNY8yl19xFmDAYzM7cRFgDg5GE_04Nbrg==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>400 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Bad request.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: dTRRSDK4LH1iDVJMsgMiIxNY8yl19xFmDAYzM7cRFgDg5GE_04Nbrg==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>802B2B66CB7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
For completeness, here is the curl --insecure output:
root@e4fec8ad4adf:/# curl --insecure -I -vvv https://download.docker.com
* Trying 108.138.51.102:443...
* Connected to download.docker.com (108.138.51.102) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.docker.com
* start date: Feb 22 00:00:00 2023 GMT
* expire date: Nov 30 23:59:59 2023 GMT
* issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M02
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x558f43654e90)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> HEAD / HTTP/2
> Host: download.docker.com
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200
HTTP/2 200
< content-type: text/html
content-type: text/html
< content-length: 223
content-length: 223
< date: Wed, 19 Jul 2023 02:52:10 GMT
date: Wed, 19 Jul 2023 02:52:10 GMT
< last-modified: Fri, 07 Jul 2023 20:46:33 GMT
last-modified: Fri, 07 Jul 2023 20:46:33 GMT
< etag: "5a2449544577bdf952c47cdc248220b4"
etag: "5a2449544577bdf952c47cdc248220b4"
< server: AmazonS3
server: AmazonS3
< x-cache: Hit from cloudfront
x-cache: Hit from cloudfront
< via: 1.1 45475ab9ce2a228a3ebbe21b677a304a.cloudfront.net (CloudFront)
via: 1.1 45475ab9ce2a228a3ebbe21b677a304a.cloudfront.net (CloudFront)
< x-amz-cf-pop: WAW51-P2
x-amz-cf-pop: WAW51-P2
< x-amz-cf-id: WUZsGV_LOe8zMns-I68z7MTJ2qpWZP-7uMhrR2uS4ec4DBHq_4tPCw==
x-amz-cf-id: WUZsGV_LOe8zMns-I68z7MTJ2qpWZP-7uMhrR2uS4ec4DBHq_4tPCw==
< age: 58017
age: 58017
<
* Connection #0 to host download.docker.com left intact
wget also works:
root@e4fec8ad4adf:/# wget https://download.docker.com
--2023-07-19 19:02:01-- https://download.docker.com/
Resolving download.docker.com (download.docker.com)... 108.138.51.126, 108.138.51.60, 108.138.51.102, ...
Connecting to download.docker.com (download.docker.com)|108.138.51.126|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 223 [text/html]
Saving to: 'index.html.1'
index.html.1 100%[==================================>] 223 --.-KB/s in 0s
2023-07-19 19:02:01 (125 MB/s) - 'index.html.1' saved [223/223]
The problem seems to be recent. I just (Wednesday, July 19, 2023, ~20:00 CEST) ran apt upgrade, and the problem reproduces on my Ubuntu host as well.
To be clear, wget and openssl s_client work on the host too.
Interestingly, I had run curl --version on the host before the apt upgrade and was able to scroll the terminal back to it. Clarification: apt listed curl among the updated packages:
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.14
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd
And it doesn't seem to have changed (below is the curl --version output I just copied after the update):
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.14
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd
I was also able to reproduce the problem with https://objects.githubusercontent.com.
How do I get curl working in Ubuntu Docker containers and on my host without the --insecure flag or some obscure downgrade (I haven't specifically tested downgrading)?
1 Answer
A security fix was introduced in a curl update a few days ago, and the backport of that fix is broken. The bug concerns certificate verification when wildcard certificates are used, so it is relevant when checking download.docker.com but not when checking google.com.
It should be fixed in 7.81.0-1ubuntu1.13; 7.81.0-1ubuntu1.11 is the version with the problem. https://launchpad.net/ubuntu/jammy/+source/curl/+changelog
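To make the wildcard rule in the answer concrete, here is an added example (not curl's code and not from the question or answer) of RFC 6125 style hostname matching against a certificate's subjectAltName list: download.docker.com must match *.docker.com, while a wildcard never spans more than one label and never matches the bare domain. The SAN lists are constructed samples modelled on the subjects shown in the question (CN=*.docker.com, CN=*.google.com with a google.com SAN), not decoded from the page's certificate.

```python
"""Hostname vs. certificate SAN matching, the check behind curl's
"no alternative certificate subject name matches target host name".
Added example; the SAN lists below are constructed samples."""

DOCKER_SANS = ["*.docker.com", "docker.com"]   # constructed sample
GOOGLE_SANS = ["*.google.com", "google.com"]   # constructed sample


def wildcard_matches(pattern: str, host: str) -> bool:
    """Single-label wildcard match in the RFC 6125 spirit.

    The '*' is accepted only as the entire left-most label, it covers
    exactly one label (never a dot), and the pattern must keep at
    least two labels after it, so '*.com' is rejected as too broad.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host                      # plain SAN: exact match
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False                                # partial/multiple '*' rejected
    if len(p_labels) < 3:
        return False                                # '*.com' style is too wide
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False                                # '*' must cover one real label
    return p_labels[1:] == h_labels[1:]


def host_matches_sans(host: str, sans: list) -> bool:
    """True if any SAN entry (plain or wildcard) matches the host.
    curl reports the error above when this is False for every SAN."""
    return any(wildcard_matches(san, host) for san in sans)


if __name__ == "__main__":
    for host, sans in [("download.docker.com", DOCKER_SANS),
                       ("docker.com", DOCKER_SANS),
                       ("a.b.docker.com", DOCKER_SANS),
                       ("google.com", GOOGLE_SANS)]:
        print(f"{host:22} -> {host_matches_sans(host, sans)}")
```

Running the block prints True for download.docker.com, docker.com and google.com and False for a.b.docker.com, which is what a correct verifier (and the openssl s_client run in the question) concludes.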