当我尝试 CURL 一个网站时，我收到 SSL 错误

Question

我在我的 VPS 上安装了 Ubuntu 20。这就是为什么我要尝试这样做：

curl -v https://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice
[1] 438975
root@vps:/var/www/html/tportal# *   Trying 195.29.166.100:443...
* TCP_NODELAY set
* Connected to imenik.tportal.hr (195.29.166.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

但是当我这样尝试时，它有点工作

curl -v http://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice
[1] 438977
root@vps:/var/www/html/tportal# *   Trying 195.29.166.100:80...
* TCP_NODELAY set
* Connected to imenik.tportal.hr (195.29.166.100) port 80 (#0)
> GET /show?action=pretraga HTTP/1.1
> Host: imenik.tportal.hr
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 16 Jun 2020 07:44:32 GMT
< Server: Apache/2.2.3 (CentOS)
< Location: https://imenik.tportal.hr/show?action=pretraga
< Content-Length: 336
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://imenik.tportal.hr/show?action=pretraga">here</a>.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at imenik.tportal.hr Port 80</address>
</body></html>
* Closing connection 0

我找不到此 SSL 问题的解决方案

Answer 1

该网站使用旧的 TLS 协议版本 1.0，自 Ubuntu 20.04 以来默认情况下已禁用。

要临时覆盖curl命令的默认值，您可以在某处创建一个配置文件（例如，~/.openssl_allow_tls1.0.cnf包含以下内容：

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1

然后像这样运行你的命令：

OPENSSL_CONF=~/.openssl_allow_tls1.0.cnf curl -v https://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice

（这只会OPENSSL_CONF为该单个命令设置）

或者

export OPENSSL_CONF=~/.openssl_allow_tls1.0.cnf
curl -v https://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice

（这只会OPENSSL_CONF为当前会话或脚本设置）

您可能还设置它在全球范围内/etc/ssl/openssl.cnf，但它已经有很好的理由禁止，我只覆盖在必要的时候。

(通过)