[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: curl и самоподписанные сертификаты

On 16.12.2010 15:59, Ed wrote:
> Victor Wagner wrote:
>> Другой вопрос, что самоподписанный сертификат, НЕ СОДЕРЖАЩИЙ расширения
>> basicConstraints считается сертификатом CA, а рассматриваемый сертификат
>> содержал это расширение со значеним CA:FALSE.
> так что делать? ;)
Почитать мануал?
> можно как-то сказать curl'у - "этому сертификату я верю"?

1) (правильный способ) подключть сертификат подписавшено ca
--cacert <CA certificate>
(SSL) Tells curl to use the specified certificate file to verify the
peer. The file may contain multiple CA certificates. The certificate(s)
must be in PEM format. Normally curl is built to use a default
file for this, so this option is typically used to alter that default file.

curl recognizes the environment variable named 'CURL_CA_BUNDLE' if it is
set, and uses the given path as a path to a CA cert bundle. This option
overrides that variable.

The windows version of curl will automatically look for a CA certs file
named ´curl-ca-bundle.crt´, either in the same directory as curl.exe, or
in the Current Working Directory, or in any folder along
your PATH.

If curl is built against the NSS SSL library then this option tells curl
the nickname of the CA certificate to use within the NSS database
defined by the environment variable SSL_DIR (or by default
/etc/pki/nssdb). If the NSS PEM PKCS#11 module (libnsspem.so) is
available then PEM files may be loaded.

If this option is used several times, the last one will be used.

--capath <CA certificate directory>
(SSL) Tells curl to use the specified certificate directory to verify
the peer. The certificates must be in PEM format, and the directory must
have been processed using the c_rehash utility supplied with
openssl. Using --capath can allow curl to make SSL-connections much more
efficiently than using --cacert if the --cacert file contains many CA

If this option is used several times, the last one will be used.

2) (неправильный способ) игнорировать ошибки ssl

(SSL) This option explicitly allows curl to perform "insecure" SSL
connections and transfers. All SSL connections are attempted to be made
secure by using the CA certificate bundle installed by default.
This makes all connections considered "insecure" fail unless
-k/--insecure is used.

Reply to: