Início / computer / Perguntas / 1869548
Accepted
U. Windl
Asked: 2025-01-07 22:11:54 +0800 CST

Posso fazer com que o curl aborte uma conexão TLS se a CA certificadora for desconhecida?

  • 772

Configurando curlpara estabelecer uma conexão SMTP autenticada via STARTTLSGostaria curlde abortar a conexão antes de enviar dados de autenticação quando a CA que assinou o certificado do servidor não for conhecida (ou seja: não for listada nos arquivos da CA local).

Isso é possível?

authentication

1 respostas

  1. Best Answer

    Sim, de fato esse já é o comportamento padrão, a menos que você especifique --insecure.

    $ cat /etc/ssl/certs/ISRG_Root_X1.pem > ./cacert.pem
$ curl -v -u User:Pass --ssl --cacert ./cacert.pem smtp://smtp.gmail.com:587
Warning: --ssl is an insecure option, consider --ssl-reqd instead
* Host smtp.gmail.com:587 was resolved.
* IPv6: 2a00:1450:4013:c02::6d
* IPv4: 142.251.9.108
*   Trying [2a00:1450:4013:c02::6d]:587...
* Connected to smtp.gmail.com (2a00:1450:4013:c02::6d) port 587
< 220 smtp.gmail.com ESMTP 4fb4d7f45d1cf-5d80679f0e4sm24420236a12.42 - gsmtp
> EHLO ember
< 250-smtp.gmail.com at your service, [...]
> STARTTLS
< 220 2.0.0 Ready to start TLS
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ISRG_Root_X1.pem
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
    • 1

relate perguntas