
Re: curl and self-signed certificates



On 16.12.2010 15:59, Ed wrote:
> Victor Wagner wrote:
>> A separate issue is that a self-signed certificate that does NOT CONTAIN the
>> basicConstraints extension is treated as a CA certificate, whereas the certificate
>> in question contained that extension with the value CA:FALSE.
>
> So what should I do? ;)
Read the manual?
> Is there some way to tell curl "I trust this certificate"?

1) (the correct way) supply the certificate of the CA that signed it
--cacert <CA certificate>
(SSL) Tells curl to use the specified certificate file to verify the
peer. The file may contain multiple CA certificates. The certificate(s)
must be in PEM format. Normally curl is built to use a default
file for this, so this option is typically used to alter that default file.

curl recognizes the environment variable named 'CURL_CA_BUNDLE' if it is
set, and uses the given path as a path to a CA cert bundle. This option
overrides that variable.

The windows version of curl will automatically look for a CA certs file
named ´curl-ca-bundle.crt´, either in the same directory as curl.exe, or
in the Current Working Directory, or in any folder along
your PATH.

If curl is built against the NSS SSL library then this option tells curl
the nickname of the CA certificate to use within the NSS database
defined by the environment variable SSL_DIR (or by default
/etc/pki/nssdb). If the NSS PEM PKCS#11 module (libnsspem.so) is
available then PEM files may be loaded.

If this option is used several times, the last one will be used.

--capath <CA certificate directory>
(SSL) Tells curl to use the specified certificate directory to verify
the peer. The certificates must be in PEM format, and the directory must
have been processed using the c_rehash utility supplied with
openssl. Using --capath can allow curl to make SSL-connections much more
efficiently than using --cacert if the --cacert file contains many CA
certificates.

If this option is used several times, the last one will be used.


2) (the wrong way) ignore SSL errors

-k/--insecure
(SSL) This option explicitly allows curl to perform "insecure" SSL
connections and transfers. All SSL connections are attempted to be made
secure by using the CA certificate bundle installed by default.
This makes all connections considered "insecure" fail unless
-k/--insecure is used.
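Added example, not from this thread or from curl's documentation: a small POSIX shell script that puts the two points above together. It fetches the certificate a server presents, reads the basicConstraints flag from the `openssl x509 -text` dump, and only passes the file to `curl --cacert` when the certificate can act as a trust anchor (CA:TRUE, or no basicConstraints extension at all, as Victor Wagner describes); a CA:FALSE self-signed certificate is rejected with a hint to obtain the signing CA's certificate instead of falling back to `-k`. It assumes `openssl` and `curl` are installed; the host, port and sample text dumps are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original thread). Assumes openssl and curl
# are on PATH. HOST/PORT values passed to fetch_with_pinned_cert are
# placeholders; nothing below contacts the network unless that function is called.

# Print the basicConstraints CA flag found in an `openssl x509 -noout -text`
# dump passed as $1: "CA:TRUE", "CA:FALSE", or "absent" if the extension is missing.
ca_flag_from_text() {
    printf '%s\n' "$1" | awk '
        /X509v3 Basic Constraints/ { found = 1; next }
        found && /CA:/ {
            line = $0
            sub(/^[ \t]*/, "", line)   # strip indentation
            sub(/,.*/, "", line)       # drop ", pathlen:N" if present
            print line; done = 1; exit
        }
        END { if (!done) print "absent" }'
}

# Fetch the leaf certificate a TLS server presents and write it as PEM to stdout.
fetch_server_cert() {
    # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Return 0 if the PEM file in $1 can be used as a --cacert trust anchor
# (CA:TRUE, or no basicConstraints extension), 1 if it is marked CA:FALSE.
cacert_usable() {
    flag=$(ca_flag_from_text "$(openssl x509 -in "$1" -noout -text)")
    case "$flag" in
        CA:TRUE|absent) return 0 ;;
        *) return 1 ;;
    esac
}

# Correct-way workflow: pin the server's own certificate only when it is a
# valid anchor; otherwise ask for the signing CA's certificate rather than -k.
fetch_with_pinned_cert() {
    # $1 = host, $2 = port, $3 = URL path (e.g. /)
    pem="server-$1.pem"
    fetch_server_cert "$1" "$2" > "$pem"
    if cacert_usable "$pem"; then
        curl --cacert "$pem" "https://$1:$2$3"
    else
        echo "certificate is CA:FALSE; use --cacert with the signing CA's certificate" >&2
        return 1
    fi
}

# Constructed samples of what `openssl x509 -noout -text` prints, used for
# checking ca_flag_from_text without any network access.
SAMPLE_CA_FALSE='        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
'
SAMPLE_CA_TRUE='        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
'
SAMPLE_NO_BC='    Signature Algorithm: sha1WithRSAEncryption
'

# Usage with real values (placeholders): fetch_with_pinned_cert example.internal 443 /
```

The `absent` case is accepted because the thread states that a self-signed certificate without basicConstraints is treated as a CA; if the policy in your environment is stricter, change that branch of `cacert_usable` to return 1.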
