我使用CURL命令从WINDOWS。我把命令贴在下面。我也发布了命令的结果。在我看来,服务器在发送证书之前终止了连接。但我可能错了。知道为什么没有发送证书吗?
curl -v --cert C:UsersmyFolderDownloadshs_test_cert.pem --key C:UsersmyFolderDownloadshst_test_key.pem https://myAPIGEEhost.apigee.net/MyBackendName_CCDA_API?apikey=MyAssignedAPIKey
* Trying 00.00.00...
* TCP_NODELAY set
* Connected to myAPIGEEhost.apigee.net (00.00.00) port 443 (#0)
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 203 bytes...
* schannel: sent initial handshake data: sent 203 bytes
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4026
* schannel: encrypted data buffer: offset 4026 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 2/3)
* schannel: encrypted data got 964
* schannel: encrypted data buffer: offset 4990 length 5050
* schannel: a client certificate has been requested
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 2/3)
* schannel: encrypted data buffer: offset 4990 length 6014
* schannel: sending next handshake data: sending 133 bytes...
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 2/3)
* schannel: encrypted data got 274
* schannel: encrypted data buffer: offset 274 length 6014
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET /MyBackendName_CCDA_API?apikey=MyAssignedAPIKey HTTP/1.1
> Host: myAPIGEEhost.apigee.net
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 421
* schannel: encrypted data buffer: offset 421 length 103424
* schannel: decrypted data length: 361
* schannel: decrypted data added: 361
* schannel: decrypted data cached: offset 361 length 102400
* schannel: encrypted data length: 31
* schannel: encrypted data cached: offset 31 length 103424
* schannel: server closed the connection
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 361
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 400 Bad Request
< Date: Mon, 27 Sep 2021 18:22:21 GMT
< Content-Type: text/html
< Content-Length: 231
< Connection: close
<
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>server</center>
</body>
</html>
* Closing connection 0
* schannel: shutting down SSL/TLS connection with myAPIGEEhost.apigee.net port 443
* schannel: clear security context handle
在我看来,服务器在发送证书之前终止了连接。但我可能错了。
HTTPS连接的TLS握手成功,否则服务器不可能发送HTTP响应——而它显然发送了。
* schannel: a client certificate has been requested
此调试消息表明服务器向客户端请求证书,即相互认证。此证书请求发生在服务器已经向客户端发送了自己的证书之后。
<center>No required SSL certificate was sent</center>
虽然您在命令行上提供了客户端证书和密钥,但实际上没有发送。原因是curl 7.55.1中的channel不支持客户端证书(您正在使用的),请参阅TODO:
15.1 Add support for client certificate authentication
WinSSL/SChannel currently makes use of the OS-level system and user
certificate and private key stores. This does not allow the application
or the user to supply a custom client certificate using curl or libcurl.
Therefore support for the existing -E/--cert and --key options should be
implemented by supplying a custom certificate to the SChannel APIs, see:
- Getting a Certificate for Schannel
https://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx
在较新的版本中添加了对客户端证书的更好支持,但即使是当前的最新版本(7.79)。在通道TLS后端不能提供PEM文件作为证书或密钥。