
Why does curl need both the root and the intermediate certificate to securely connect to an HTTP server?

Asked by a Cryptography user on 2018-11-12 13:15:27
2 answers, 11.5K views, 0 followers, score 5

I created a root, an intermediate and a server certificate:

```text
root (ca.cert.pem)
|
+---intermediate (intermediate/certs/intermediate.cert.pem)
    |
    +---www.example.com
        ↳ certificate: (intermediate/certs/www.example.com.cert.pem)
        ↳ private key: (intermediate/private/www.example.com.key.pem)
```
I use the private key and the public certificate of www.example.com to create an HTTPS server with Node:

```javascript
var tls = require('tls');
var fs = require('fs');

var options = {
  key: fs.readFileSync('intermediate/private/www.example.com.key.pem'),
  // Only the leaf certificate is configured here; the intermediate is not sent.
  cert: fs.readFileSync('intermediate/certs/www.example.com.cert.pem')
};

tls.createServer(options, function (s) {
  s.write("welcome!\n");
  s.pipe(s); // echo back whatever the client sends
}).listen(8000);
```
I want to verify that a client that has access to the root certificate (ca.cert.pem) can successfully make a secure request to https://www.example.com:8000.

If I try:

```shell
$ curl -v --cacert certs/ca.cert.pem https://www.example.com:8000
```

it fails with the following error message:

```text
* Rebuilt URL to: https://www.example.com:8000/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to www.example.com (127.0.0.1) port 8000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /certs/ca.cert.pem
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, no overlap, use HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
However, if I create a certificate chain:

```shell
$ cat intermediate/certs/intermediate.cert.pem \
      certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
```

and use it as curl's --cacert, everything works as expected:

```text
$ curl -v --cacert intermediate/certs/ca-chain.cert.pem https://www.example.com:8000
* Rebuilt URL to: https://www.example.com:8000/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to www.example.com (127.0.0.1) port 8000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /intermediate/certs/ca-chain.cert.pem
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, no overlap, use HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=AU; ST=Victoria; L=Melbourne; O=ACME; OU=ACME Web; CN=www.example.com; emailAddress=web@example.com
*  start date: Nov 12 11:32:59 2018 GMT
*  expire date: Nov 22 11:32:59 2019 GMT
*  common name: www.example.com (matched)
*  issuer: C=AU; ST=Victoria; O=ACME; OU=ACME Certificate Authority; CN=ACME Intermediate CA; emailAddress=contact2@example.com
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.example.com:8000
> User-Agent: curl/7.58.0
> Accept: */*
> 
welcome!
GET / HTTP/1.1
Host: www.example.com:8000
User-Agent: curl/7.58.0
Accept: */*
```
If I am not mistaken, curl, like a browser, should only need the root certificate to verify the signature on the www.example.com certificate. So why does curl need both the root and the intermediate certificate to verify that it is really talking to the right server?

Files

Here are the contents of the PEM files used in this setup (the unencrypted PEM files are left out):

ca.cert.pem

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

intermediate.cert.pem

-----BEGIN CERTIFICATE-----
MIIGHDCCBASgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgaAxCzAJBgNVBAYTAkFV
MREwDwYDVQQIDAhWaWN0b3JpYTESMBAGA1UEBwwJTWVsYm91cm5lMQ0wCwYDVQQK
DARBQ01FMSMwIQYDVQQLDBpBQ01FIENlcnRpZmljYXRlIEF1dGhvcml0eTEVMBMG
A1UEAwwMQUNNRSBSb290IENBMR8wHQYJKoZIhvcNAQkBFhBhY21lQGV4YW1wbGUu
Y29tMB4XDTE4MTExMjExMTkzMFoXDTI4MTEwOTExMTkzMFowgZgxCzAJBgNVBAYT
AkFVMREwDwYDVQQIDAhWaWN0b3JpYTENMAsGA1UECgwEQUNNRTEjMCEGA1UECwwa
QUNNRSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMMFEFDTUUgSW50ZXJt
ZWRpYXRlIENBMSMwIQYJKoZIhvcNAQkBFhRjb250YWN0MkBleGFtcGxlLmNvbTCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMTPJPqNRkRTkI7x4q6OWvwa
Mn7nqRYxzCDLLoR1mgaHJWDZ12vsNpcv/JzFem4zBDgQOmX9DAxs++SRVvj6EUjg
mNV3yPMAzAwBjn+fzmRMXcECEsOyPIZpTz6E8i0k8ULaGty0mHa1iPi4m6VYdLAL
OCMSJD9CYanUV6DmXUIBibMOXt+cdLWRIJa+Z4pGpuAkYQFAgy/kdf+H6VHzgdxM
V6+UysbI6vt5qiMf8sxQV1RwG8JoklO6B9XKcF/YCMi7gcwPNvN7utcfr6KyPenX
mSKtxo2PyhLtY+LWrSKqFtASfaR+7fvBDWzyjIleh0lvtu3LyKMFleM6fqhRpBTG
yE4qcCcN5b2TYafB+0kFWLllE/UvePBLOFxuJTquUyY+L5Qrmtt7a++7DNadma2y
LZOPZWTZv7aiC5QnaULpeBMXfGMp2Q9ibtgz0QuNye2KLMLI/SWPqOq/90QOAmow
3sJJDGstxDd6mOwwwPihNTpMHTi6Ac6l5GFBPUGAO5FJI2soC3VPPAiE5d8/N4Ho
VUeCN6ep8WINM6lMVfJqsq4MUeH7ABZdszpN4VTjXvxAgw3KEsiyiuDgDFpbqexJ
y/cJjyD+vR5q9tuk/UTxc0H3evhKJ9QE8gmDQj9ry1VrsWxjrCNXLYwSwnF0Qwy1
r2u4pmjerjcKsknGr/UhAgMBAAGjZjBkMB0GA1UdDgQWBBRVqxMd51KcVmXJ3tYT
9iJLIuHPGDAfBgNVHSMEGDAWgBSIXku6n3PndN1U4VN/CHaU71sI3TASBgNVHRMB
Af8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEA
UlAnA7LUrSUV6X7VtpUkmb/GaCGJGd0GOHEc3VZpHk95vVnC3k9lz0kgUEz2OkKw
apsFAw5yOtjeUUpJmKTev52tuu/NghdQqEk1K9Vn2mlfqf2WV2vzjdlKN0QjUvsu
sQPgbJ8XqZjBWwXi8v/9OWGdVWjXqicTpikniP4l0nBmyWuo22JwUPRNhXzSZJvf
VZngtwYE4PfQ5ExtZ+V+3zaiHiBvGz7iqBQKTDv+/SlpZ9dZjSQu8L9aXcl5W2hN
4e+owW7nYT+6Y5OO1iHYLmJKvsjbSUGlmB6eyo3FR/WvSprhd2aQR9GjTwlmNNSW
JxFwGxQ0h+3ebid0x6QQQY5GBNgBQ0vnvX0ngDzCz/MrMm/uKrpwJDtjitHTruXt
g/YNLbzxg3Ax5Z4SF5ERIw2OYrCFuGFn/g9Od5DDp5MP9pRRq+KEaXpMwphjEoYT
8QX9K3husXVIBluiEqBCb69Fmg5V0DLjsHbH3DFhOSPWfVzw9n7pTgL7eN4EiaxI
YRmd9FQyEMay92zV9EKVRsOwF7JdcifgkFVK1CzwNl+/1/asWiemDoyKvuJGOicT
4g6Nn3OX2/cnCpowEiY1mQjlEqXrW98y3GXDz3T87MZfSm+NZXrJrUkDc1gEMBZh
EiI6fKkieEWpUY5eOiC7LvnZNbgv316+lbfJw47U3vc=
-----END CERTIFICATE-----

www.example.com.cert.pem

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

www.example.com.key.pem

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

2 answers

Cryptography user

Accepted answer

Posted on 2018-11-13 10:11:01

(0) This isn't really about cryptography, and would probably be better on security.SX, which has lots of Qs about certificate chaining and HTTPS browser and server usage, but ...

(1) Although AIA (Authority Information Access) is used more now than in the past and is an acceptable solution, the official standard solution is that the server must send the chain containing the intermediate cert(s) up to, but not necessarily including, the root cert; see https://www.rfc-editor.org/rfc/rfc5246#section-7.4.2 et pred (note: TLS 1.3, RFC 8446, changes this slightly) or the bear epic https://security.stackexchange.com/questions/20803/how-does-ssl-tls-work at the heading Certificates and Authentication, and

(2) there are many Qs on several Stacks about how to configure various servers to send the cert chain as needed; for nodejs start with https://stackoverflow.com/questions/19104215/node-js-express-js-chain-certificate-not-working https://stackoverflow.com/questions/16224064/running-ssl-node-js-server-with-godaddy-gd-bundle-crt https://stackoverflow.com/questions/32777760/how-to-fix-missing-an-intermediate-chain-certificate-in-nodejs

Score: 6

Cryptography user

Posted on 2018-11-12 14:17:09

> If I am not mistaken, curl, like a browser, should only need the root certificate to verify the signature on the SSL certificate of www.example.com.

You are mistaken. According to the Wikipedia article on certificate chain validation (and dozens of similar pages on the web):

> Starting from the trust anchor, the following steps are performed for each certificate in the path. If any check fails on any certificate, the algorithm terminates and path validation fails.

The article goes on to list the several steps required for verification. The key point is that the entire chain must be validated, and that can only happen when the entire chain is present on the system. Certificates in the chain cannot be retrieved from online sources during validation.

Score: 1
Original content from Cryptography Stack Exchange (translated). Original link:

https://crypto.stackexchange.com/questions/63907
