我试图了解wget和curl在同一个系统上连接到同一个目的地时的行为差异。
环境
我的测试是在centos6上(我知道它已经过时了,我仍然想了解)。详细的版本是6.10(根据www.example.com的数据包更新vault.centos.org)。
测试:使用letsencrypt证书与网站建立SSL连接
我正在尝试使用letsencrypt证书连接到服务器,例如https://letsencrypt.org。
由于the expiration of a letsencrypt intermediate certificate,我认为证书验证会失败。
所以我很惊讶curl没有抱怨证书,而wget却抱怨:
wget试验
# wget --output-document=/dev/null https://letsencrypt.com --verbose
--2021-10-27 18:02:39-- https://letsencrypt.com/
Resolving letsencrypt.com... 206.189.50.215, 3.67.153.12, 2a03:b0c0:3:d0::d23:4001, ...
Connecting to letsencrypt.com|206.189.50.215|:443... connected.
ERROR: cannot verify letsencrypt.com's certificate, issued by `/C=US/O=Let\'s Encrypt/CN=R3':
Issued certificate has expired.
To connect to letsencrypt.com insecurely, use `--no-check-certificate'.curl 试验
# curl https://letsencrypt.org --output /dev/null --verbose
* About to connect() to letsencrypt.org port 443 (#0)
* Trying 3.125.252.47... connected
* Connected to letsencrypt.org (3.125.252.47) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=lencr.org
* start date: Oct 10 03:00:44 2021 GMT
* expire date: Jan 08 03:00:43 2022 GMT
* common name: lencr.org
* issuer: CN=R3,O=Let's Encrypt,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: letsencrypt.org
> Accept: */*
>
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0< HTTP/1.1 200 OK
< cache-control: public, max-age=0, must-revalidate
< content-security-policy: default-src 'none'; font-src 'self'; style-src 'unsafe-inline' 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self' data: https://www.google-analytics.com https://www.googleadservices.com https://www.googletagmanager.com https://googleads.g.doubleclick.net https://donorbox.org https://js.stripe.com/v3/ https://sdks.shopifycdn.com ; img-src 'self' data: blob: https://www.google-analytics.com https://www.paypal.com https://www.paypalobjects.com https://ak2s.abmr.net https://ak1s.abmr.net https://www.google.com https://cdn.shopify.com https://v.shopify.com ; frame-src https://donorbox.org https://www.youtube.com https://www.youtube-nocookie.com https://bid.g.doubleclick.net https://js.stripe.com/v3/ https://js.stripe.com/v2/ ; connect-src 'self' https://d4twhgtvn0ff5.cloudfront.net/ https://letsencrypt-merch.myshopify.com https://monorail-edge.shopifysvc.com ;
< content-type: text/html; charset=UTF-8
< date: Tue, 26 Oct 2021 16:00:55 GMT
< etag: "f9fe2f13bc4ea4cc3ad994a763b6113c-ssl"
< permissions-policy: geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(self), vibrate=(), fullscreen=(self), interest-cohort=()
< referrer-policy: no-referrer
< strict-transport-security: max-age=31536000
< x-xss-protection: 1; mode=block
< age: 86183
< server: Netlify
< x-nf-request-id: 01FK17GMX7JW56W5ABGPH06ZP3
< content-length: 32108
< x-content-type-options: nosniff
< x-frame-options: DENY
<
{ [data not shown]
100 32108 100 32108 0 0 79841 0 --:--:-- --:--:-- --:--:-- 407k* Connection #0 to host letsencrypt.org left intact
* Closing connection #0我已经在wget(wget --ca-certificate=/etc/pki/tls/certs/ca-bundle.crt https://letsencrypt.org -O /dev/null)上用强制ca文件做了一些测试,但没有差异。
有什么提示吗?谢谢你的时间=)
2条答案
按热度按时间nmpmafwu1#
在debian 10上有一个类似的问题,curl可以工作,但wget返回了证书错误。curl和wget使用不同的库。更新wget依赖的包修复了这个问题。
j9per5c42#
我在Centos7上也遇到了同样的问题。多亏了Ali,我才能让WGET再次工作。