
How does cURL handle HTTPS and SSL/TLS certificate verification?

March 6, 21:53

HTTPS and SSL/TLS certificate verification are central to secure communication with cURL: a transfer is only as trustworthy as the peer verification behind it, so the TLS options below need to be set deliberately.

Basic HTTPS Request

```bash
# Standard HTTPS request (certificate verification is on by default)
curl https://api.example.com

# Display SSL handshake information
curl -v https://api.example.com 2>&1 | grep -A 20 "SSL connection"
```

SSL Certificate Verification Options

```bash
# Ignore certificate verification (insecure, testing only)
curl -k https://self-signed.badssl.com
curl --insecure https://api.example.com

# Specify CA certificate file
curl --cacert /path/to/ca.crt https://api.example.com

# Specify CA certificate directory (must contain hash-named files, see `openssl rehash` / c_rehash)
curl --capath /etc/ssl/certs/ https://api.example.com

# Use the system default certificate store
curl https://api.example.com
```

Client Certificate Authentication

```bash
# Use client certificate (mutual TLS)
curl --cert /path/to/client.crt \
     --key /path/to/client.key \
     https://api.example.com

# Client certificate with a password-protected private key
curl --cert /path/to/client.crt:password \
     --key /path/to/client.key \
     https://api.example.com

# PKCS#12 format (certificate and key in one file); curl assumes PEM unless --cert-type says otherwise
curl --cert /path/to/cert.p12:password \
     --cert-type P12 \
     https://api.example.com
```

SSL Protocol and Cipher Suites

```bash
# Specify minimum TLS version (curl has no --ssl-version option; --tlsv1.2 sets the floor)
curl --tlsv1.2 https://api.example.com

# Specify TLS version range (minimum 1.2, maximum 1.3)
curl --tlsv1.2 \
     --tls-max tls1.3 \
     https://api.example.com

# Restrict the offered cipher suites (OpenSSL cipher-list syntax; TLS 1.3 suites are set with --tls13-ciphers)
curl --ciphers 'HIGH:!aNULL:!MD5' https://api.example.com

# Force TLS 1.3
curl --tlsv1.3 https://api.example.com
```

Certificate Chain Verification

```bash
# View server certificate information (curl -v does not print the PEM certificate; fetch it with openssl)
echo | openssl s_client -servername api.example.com -connect api.example.com:443 2>/dev/null \
  | openssl x509 -text -noout

# Verify the certificate chain against a CA bundle
curl --cacert /path/to/ca-bundle.crt \
     -v https://api.example.com 2>&1 | grep "SSL certificate verify"

# Export the server certificate chain
openssl s_client -connect api.example.com:443 -showcerts </dev/null

# Trust only the certificate just fetched (bash process substitution; the fetched certificate becomes the trust anchor)
curl --cacert <(echo | openssl s_client -connect api.example.com:443 2>/dev/null | openssl x509) \
     https://api.example.com
```

SSL Debugging Techniques

```bash
# Detailed SSL trace written to a file (--trace-ascii supersedes -v)
curl -v --trace-ascii ssl-debug.txt https://api.example.com

# View the SSL handshake process
curl -v https://api.example.com 2>&1 | grep -E "(SSL|TLS|certificate)"

# Test the SSL connection (with SNI, so the server picks the right certificate)
openssl s_client -connect api.example.com:443 -servername api.example.com

# Check certificate expiration
echo | openssl s_client -servername api.example.com -connect api.example.com:443 2>/dev/null \
  | openssl x509 -noout -dates
```

Common SSL Issues

```bash
# Issue 1: Self-signed certificate
# Solution: Add it to the trust list, or use -k (testing only)
curl --cacert /path/to/self-signed.crt https://internal.example.com

# Issue 2: Incomplete certificate chain sent by the server
# Solution: Provide the complete CA chain locally
curl --cacert /path/to/fullchain.crt https://api.example.com

# Issue 3: Hostname mismatch
# Solution: Use the hostname on the certificate; if DNS is the problem, map that name to the address with --resolve
curl --resolve api.example.com:443:192.168.1.100 https://api.example.com

# Issue 4: Expired certificate
# Solution: Renew the certificate, or temporarily skip verification (note that -k disables all peer checks)
curl -k https://api.example.com

# Issue 5: Missing intermediate certificate
# Solution: Download the intermediate certificate and pass it as the trust anchor
curl --cacert /path/to/intermediate.crt https://api.example.com
```

Security Best Practices

```bash
# Recommended: Always verify certificates (the default; never ship -k in scripts)
curl https://api.example.com

# Recommended: Use modern TLS versions only
curl --tlsv1.2 --tls-max tls1.3 https://api.example.com

# Recommended: Pin the server public key (base64 SHA-256 of the SubjectPublicKeyInfo; placeholder value shown)
curl --pinnedpubkey sha256//BASE64ENCODED= https://api.example.com

# Recommended: Check certificate revocation against a CRL
curl --crlfile /path/to/crl.pem https://api.example.com

# Recommended: Require a valid stapled OCSP response
curl --cert-status https://api.example.com
```
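The expiry check in the debugging section and the `--pinnedpubkey` value above are both easier to use from a script than by hand. The helpers below are an added example, not code from the original page: they assume bash and an `openssl` binary in PATH, compute the `sha256//` pin from a certificate file (and from its private key, so the two can be compared), test expiry with `openssl x509 -checkend`, and classify a saved `curl -v` log by its verification outcome. The `demo` mode generates a throwaway self-signed certificate, so nothing here touches the network; the hostname in its output is a placeholder.

```bash
#!/usr/bin/env bash
# Added helpers around the curl/openssl commands above (example code, not from the page).
# Assumes: bash, openssl in PATH, curl 7.39+ for --pinnedpubkey.

# Print the --pinnedpubkey value for a PEM certificate:
# SHA-256 over the DER-encoded SubjectPublicKeyInfo, base64, prefixed "sha256//".
pubkey_pin_from_cert() {
  local cert="$1" hash
  hash=$(openssl x509 -in "$cert" -pubkey -noout \
         | openssl pkey -pubin -outform DER \
         | openssl dgst -sha256 -binary \
         | openssl base64) || return 1
  printf 'sha256//%s\n' "$hash"
}

# Same pin derived from the private key, to confirm the certificate you pin carries that key.
pubkey_pin_from_key() {
  local key="$1" hash
  hash=$(openssl pkey -in "$key" -pubout -outform DER \
         | openssl dgst -sha256 -binary \
         | openssl base64) || return 1
  printf 'sha256//%s\n' "$hash"
}

# Return 0 if the certificate expires within SECONDS, 1 otherwise.
# (openssl -checkend exits 0 when the certificate is still valid after the window.)
cert_expires_within() {
  local cert="$1" seconds="$2"
  if openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Classify a saved `curl -v` log by its peer-verification lines: ok / failed / skipped / unknown.
curl_tls_verdict() {
  local log="$1"
  if grep -q 'SSL certificate verify ok' "$log"; then
    echo ok
  elif grep -q 'SSL certificate problem' "$log"; then
    echo failed
  elif grep -qi 'skipping SSL peer certificate verification' "$log"; then
    echo skipped
  else
    echo unknown
  fi
}

# Offline demonstration on a constructed self-signed certificate (valid for 2 days).
demo() {
  local tmp
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=pin-demo' \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1
  echo "pin from cert: $(pubkey_pin_from_cert "$tmp/cert.pem")"
  echo "pin from key:  $(pubkey_pin_from_key "$tmp/key.pem")"
  if cert_expires_within "$tmp/cert.pem" 604800; then
    echo "certificate expires within 7 days"
  fi
  # Placeholder hostname; the pin value is what you would put in a curl invocation.
  echo "curl --pinnedpubkey '$(pubkey_pin_from_cert "$tmp/cert.pem")' https://host.example/"
  rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
  demo
fi
```

Run it as `bash pin-helpers.sh demo` to see the pin and expiry output; in a deployment script, compute the pin once from the certificate you obtained out of band and fail the run if `cert_expires_within` reports that renewal is due, rather than falling back to `-k`.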

SSL Parameters Summary

| Parameter | Purpose | Example |
|---|---|---|
| `-k` or `--insecure` | Ignore certificate verification | `-k` |
| `--cacert` | Specify CA certificate | `--cacert ca.crt` |
| `--capath` | Specify CA directory | `--capath /etc/ssl/certs` |
| `--cert` | Client certificate | `--cert client.crt` |
| `--key` | Client private key | `--key client.key` |
| `--tlsv1.2` | Use TLS 1.2 or newer | `--tlsv1.2` |
| `--tlsv1.3` | Use TLS 1.3 | `--tlsv1.3` |
| `--ciphers` | Cipher suites | `--ciphers 'HIGH:!aNULL'` |

Complete HTTPS Example

```bash
# Secure API call: TLS 1.2+, explicit CA bundle, client certificate, verbose output for auditing
curl -X POST https://api.example.com/v1/data \
     --tlsv1.2 \
     --cacert /path/to/ca-bundle.crt \
     --cert /path/to/client.crt \
     --key /path/to/client.key \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer token123" \
     -d '{"action":"secure_transfer"}' \
     -v
```

Tags: cURL