未知SSL协议错误

Question

升级到15.10后，我得到了错误35‘未知SSL协议错误连接到.’当我试图使用PHP脚本(PHP5-fpm)的CURL访问SSL安全服务器时。在升级之前一切都很好。知道怎么解决这个问题吗？

apt-cache policy curl
curl:
  Installed: 7.43.0-1ubuntu2
  Candidate: 7.43.0-1ubuntu2
  Version table:
 *** 7.43.0-1ubuntu2 0
        500 http://ua.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
        100 /var/lib/dpkg/status

访问https://w3s.webmoney.ru:443

Answer 1

服务器https://w3s.webmoney.ru:443是不可信任的。

% curl https://w3s.webmoney.ru:443
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

跑

curl --insecure https://w3s.webmoney.ru:443

而且起作用了。

来自man curl

-k, --insecure
    (SSL) This option explicitly allows curl to perform "insecure" SSL
    connections and transfers. All SSL connections are attempted to be
    made secure by using the CA certificate  bundle  installed  by
    default. This makes all connections considered "insecure" fail unless
    -k, --insecure is used.

添加受信任的证书

1. 将证书的路径添加到/etc/ca-证书.ca使用相对于/usr/share/ca-certificates的路径
2. 运行sudo update-ca-certificates

请将进一步说明改为man update-ca-certificates

摘自评论意见：

FYI:同一个站点启用了SSLv3和SSLv2 --因为这一点，它很糟糕，根本不值得信任