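I get NSS error -12286 when trying to load an HTTPS page with a CA certificate using the cacertinpem.c curl C code. I am using the cacert.pem file, with its path, in the code. But the same thing works when I try curl -v "https://sampleserve.com:443"; in that case SSL takes the default CA path as "/etc/tls/certs/ca.budle.crt".
But this C code does not work with either the default CA location or an externally chosen CA path.
What is the cause of this error (NSS -12286)?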
Error:
* About to connect() to fiservices.sterlingbankng.com port 443 (#0)
*   Trying 1.1.1.1... * Connection timed out
*   Trying 1.1.1.2... * connected
* Connected to fiservices.sterlingbankng.com (1.1.1.2) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
*   CAfile: ./cacert.pem   CApath: ./cacert.pem
* NSS error -12286
* Error in TLS handshake, trying SSLv3...
GET /CanFI/ HTTP/1.1
Host: sampleserver.com
Accept: */*
* Connection died, retrying a fresh connect
* Closing connection #0
* Issue another request to this URL: 'https://sampleserver.com'
* About to connect() to sampleserver.com port 443 (#0)
*   Trying 1.1.1.1... * Connection timed out
*   Trying 1.1.1.2... * connected
* Connected to sampleserver.com (1.1.1.2) port 443 (#0)
* TLS disabled due to previous handshake failure
*   CAfile: ./cacert.pem
  CApath: ./cacert.pem
* NSS error -12286
* Closing connection #0
* SSL connect error
Sample code:
#include <stdio.h>
#include <curl/curl.h>
#include <openssl/ssl.h>

/* Write callback: copy the received bytes to the FILE * passed as stream. */
size_t writefunction(void *ptr, size_t size, size_t nmemb, void *stream)
{
  fwrite(ptr, size, nmemb, stream);
  return (nmemb * size);
}

/* SSL context callback; the part that loads mypem is not shown in the post. */
static CURLcode sslctx_function(CURL *curl, void *sslctx, void *parm)
{
  X509_STORE *store;
  X509 *cert = NULL;
  BIO *bio;
  char *mypem = "-----BEGIN CERTIFICATE-----\n"
                "-----END CERTIFICATE-----\n";  /* public certificate */
  return CURLE_OK;
}

int main(void)
{
  CURL *ch;
  CURLcode rv;

  rv = curl_global_init(CURL_GLOBAL_ALL);
  ch = curl_easy_init();
  rv = curl_easy_setopt(ch, CURLOPT_VERBOSE, 1L);
  rv = curl_easy_setopt(ch, CURLOPT_HEADER, 0L);
  rv = curl_easy_setopt(ch, CURLOPT_NOPROGRESS, 1L);
  rv = curl_easy_setopt(ch, CURLOPT_NOSIGNAL, 1L);
  /* body goes to stdout, headers go to stderr */
  rv = curl_easy_setopt(ch, CURLOPT_WRITEFUNCTION, writefunction);
  rv = curl_easy_setopt(ch, CURLOPT_WRITEDATA, stdout);
  rv = curl_easy_setopt(ch, CURLOPT_HEADERFUNCTION, writefunction);
  rv = curl_easy_setopt(ch, CURLOPT_WRITEHEADER, stderr);
  rv = curl_easy_setopt(ch, CURLOPT_SSLCERTTYPE, "PEM");
  /* CAPATH (documented as a directory) and CAINFO (a file) are both given
     the same PEM file, as in the log above */
  rv = curl_easy_setopt(ch, CURLOPT_CAPATH, "./cacert.pem");
  rv = curl_easy_setopt(ch, CURLOPT_CAINFO, "./cacert.pem");
  rv = curl_easy_setopt(ch, CURLOPT_SSL_VERIFYPEER, 1L);
  rv = curl_easy_setopt(ch, CURLOPT_URL, "https://");

  /* first transfer: peer verification against the CA settings above */
  rv = curl_easy_perform(ch);
  if (rv == CURLE_OK)
    printf("*** transfer succeeded ***\n");
  else
    printf("*** transfer failed ***\n");

  /* second transfer: same request with the SSL context callback installed */
  rv = curl_easy_setopt(ch, CURLOPT_SSL_CTX_FUNCTION, sslctx_function);
  rv = curl_easy_perform(ch);
  if (rv == CURLE_OK)
    printf("*** transfer succeeded ***\n");
  else
    printf("*** transfer failed ***\n");

  curl_easy_cleanup(ch);
  curl_global_cleanup();
  return rv;
}
Thanks