使用 cURL 的 HTTPS,使用 openssl 和 capi 引擎
我尝试使用 cURL 7.21.1 和 OpenSSL 1.0.0d 来使用 https,使用 OpenSSL 的内置 capi 引擎进行证书颁发机构检查,但它在curl_easy_perform() 上返回 CURLE_SSL_CACERT (60)。
#include <openssl/conf.h>
#include <openssl/engine.h>
#include <openssl/ssl.h>
#define CURL_NO_OLDIES
#define CURL_STATICLIB
#include <curl.h>
// Don't forget libeay32.lib, ssleay32.lib, curl.lib
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "wldap32.lib")
#pragma comment(lib, "crypt32.lib")
int main(int argc, char* argv[])
{
OPENSSL_no_config();
ENGINE_load_capi();
// Same effect, despite ok = 1 both times:
// ENGINE* capi = ENGINE_by_id("capi");
// int ok = ENGINE_init(capi);
// ok = ENGINE_register_complete(capi);
CURLcode e = curl_global_init(CURL_GLOBAL_DEFAULT);
CURL* curl = curl_easy_init();
e = curl_easy_setopt(curl, CURLOPT_URL, "https://www.google.com/");
e = curl_easy_perform(curl); // returns CURLE_SSL_CACERT
return 0;
}
如果我使用以下配置测试“openssl s_client -connect www.google.com:443”:
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
capi = capi_config
[capi_config]
engine_id = capi
init=1
基于http://www.mail-archive.com/[email protected]/msg62249.html,我收到:
verify error:num=20:unable to get local issuer certificate
令我困惑的是,当我第一次编写实际程序时,它失败了,它有同样的失败,直到我添加了 ENGINE_load_capi()。 我想避免使用 CA 捆绑包,因为实际程序可能在随机的公司网络内运行,并且它们可能使用私有 CA。
I'm attempting to use https using cURL 7.21.1 with OpenSSL 1.0.0d, using OpenSSL's builtin capi engine for certificate authority checking, but it returns CURLE_SSL_CACERT (60) on curl_easy_perform().
#include <openssl/conf.h>
#include <openssl/engine.h>
#include <openssl/ssl.h>
#define CURL_NO_OLDIES
#define CURL_STATICLIB
#include <curl.h>
// Don't forget libeay32.lib, ssleay32.lib, curl.lib
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "wldap32.lib")
#pragma comment(lib, "crypt32.lib")
int main(int argc, char* argv[])
{
OPENSSL_no_config();
ENGINE_load_capi();
// Same effect, despite ok = 1 both times:
// ENGINE* capi = ENGINE_by_id("capi");
// int ok = ENGINE_init(capi);
// ok = ENGINE_register_complete(capi);
CURLcode e = curl_global_init(CURL_GLOBAL_DEFAULT);
CURL* curl = curl_easy_init();
e = curl_easy_setopt(curl, CURLOPT_URL, "https://www.google.com/");
e = curl_easy_perform(curl); // returns CURLE_SSL_CACERT
return 0;
}
If I test "openssl s_client -connect www.google.com:443" with the following config:
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
capi = capi_config
[capi_config]
engine_id = capi
init=1
based on http://www.mail-archive.com/[email protected]/msg62249.html, I receive:
verify error:num=20:unable to get local issuer certificate
The thing that is confusing me, is that when I first wrote the actual program this is failing in, it had the same failure until I added ENGINE_load_capi().
I would like to avoid using a CA bundle, since the actual program may be running inside random corporate networks, and they might be using private CAs.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
听起来 OpenSSL 在查找默认证书存储时遇到问题?以下SO问题通过显式指定CA文件解决了类似的错误,但听起来您想避免该配置。
OpenSSL 无法获取本地颁发者证书,除非CAfile被明确指定
Sounds like OpenSSL is having an issue finding the default certificate store? The following SO question resolved a similar error by specifying the CA file explicitly, but it sounds like you'd like to avoid that configuration.
OpenSSL unable to get local issuer certificate unless CAfile is explicitly specified
也许您可以尝试在您有权访问域的文件中添加以下行。
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, false);
Maybe you can try to add the following line in your file on which you have access the domain.
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, false);