0

我正在使用来自 WINDOWS 的 CURL 命令。我已经发布了下面的命令。我还发布了命令的结果。在我看来,服务器在发送证书之前终止了连接。但我可能错了。任何想法为什么没有发送证书?

curl -v --cert C:\Users\myFolder\Downloads\hs_test_cert.pem --key C:\Users\myFolder\Downloads\hst_test_key.pem https://myAPIGEEhost.apigee.net/MyBackendName_CCDA_API?apikey=MyAssignedAPIKey

 *   Trying 00.00.00...
* TCP_NODELAY set
* Connected to myAPIGEEhost.apigee.net (00.00.00) port 443 (#0)
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 203 bytes...
* schannel: sent initial handshake data: sent 203 bytes
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4026
* schannel: encrypted data buffer: offset 4026 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 2/3)
* schannel: encrypted data got 964
* schannel: encrypted data buffer: offset 4990 length 5050
* schannel: a client certificate has been requested
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 2/3)
* schannel: encrypted data buffer: offset 4990 length 6014
* schannel: sending next handshake data: sending 133 bytes...
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 2/3)
* schannel: encrypted data got 274
* schannel: encrypted data buffer: offset 274 length 6014
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET /MyBackendName_CCDA_API?apikey=MyAssignedAPIKey HTTP/1.1
> Host: myAPIGEEhost.apigee.net
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 421
* schannel: encrypted data buffer: offset 421 length 103424
* schannel: decrypted data length: 361
* schannel: decrypted data added: 361
* schannel: decrypted data cached: offset 361 length 102400
* schannel: encrypted data length: 31
* schannel: encrypted data cached: offset 31 length 103424
* schannel: server closed the connection
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 361
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 400 Bad Request
< Date: Mon, 27 Sep 2021 18:22:21 GMT
< Content-Type: text/html
< Content-Length: 231
< Connection: close
<
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>server</center>
</body>
</html>
* Closing connection 0
* schannel: shutting down SSL/TLS connection with myAPIGEEhost.apigee.net port 443
* schannel: clear security context handle
4

1 回答 1

2

在我看来,服务器在发送证书之前终止了连接。但我可能错了。

HTTPS 连接的 TLS 握手成功,否则服务器无法发送 HTTP 响应——它显然做到了。

* schannel: a client certificate has been requested

此调试消息表明服务器向客户端请求证书,即相互认证。此证书请求是在服务器已将自己的证书发送给客户端之后发出的。

<center>No required SSL certificate was sent</center>

虽然您在命令行上提供了客户端证书和密钥,但实际上并未发送任何内容。原因是 curl 7.55.1(您正在使用的)中的 SChannel 不支持客户端证书,请参阅TODO

15.1 Add support for client certificate authentication

 WinSSL/SChannel currently makes use of the OS-level system and user
 certificate and private key stores. This does not allow the application
 or the user to supply a custom client certificate using curl or libcurl.

 Therefore support for the existing -E/--cert and --key options should be
 implemented by supplying a custom certificate to the SChannel APIs, see:
 - Getting a Certificate for Schannel
   https://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx

较新版本中添加了对客户端证书的更好支持,但即使使用当前最新版本 (7.79.),也无法使用 SChannel TLS 后端将 PEM 文件作为证书或密钥提供。

于 2021-09-27T19:44:40.873 回答