cURL 不尊重密码
cURL not respecting ciphers
我想用 cURL 测试某些密码的使用,但它似乎不遵守 --ciphers
选项:
curl -vvv --tlsv1.0 --ciphers 'RC4-SHA' https://my.url.com/alive
* Hostname was NOT found in DNS cache
* Trying ip...
* Connected to my.url.com (ip) port 443 (#0)
* TLS 1.0 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: *.url.com
* Server certificate: DigiCert SHA2 Secure Server CA
* Server certificate: DigiCert Global Root CA
> GET /alive HTTP/1.1
> User-Agent: curl/7.37.1
> Host: my.url.com
> Accept: */*
>
< HTTP/1.1 200 OK
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Fri, 13 Mar 2015 20:33:46 GMT
< Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Status: 200 OK
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-UA-Compatible: chrome=1
< ETag: "561750c34ae7a13fe0c237e9fa9e3fbd"
< Cache-Control: max-age=0, private, must-revalidate
< X-Request-Id: da72f82b-32f9-4e43-8118-9e5122b9ab96
< X-Runtime: 0.025375
< Strict-Transport-Security: max-age=63072000
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
<
* Connection #0 to host my.url.com left intact
{"alive":true,"timestamp":"2015-03-13T20:33:46+00:00","requested_by":"myip"}
我知道 RC4-SHA
是 weak and should not be used,但这就是我想用我的服务器测试拒绝的原因。
在 Nginx 中设置的允许密码如下:
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA
DHE-RSA-AES256-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
AES
CAMELLIA
DES-CBC3-SHA
!aNULL
!eNULL
!EXPORT
!DES
!RC4
!MD5
!PSK
!aECDH
!EDH-DSS-DES-CBC3-SHA
!EDH-RSA-DES-CBC3-SHA
!KRB5-DES-CBC3-SHA
为什么要把算法改成TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
?它不应该只是拒绝连接吗?
这是我使用的 cURL 版本:
curl -V
curl 7.37.1 (x86_64-apple-darwin14.0) libcurl/7.37.1 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz
编辑: --ciphers
选项好像是OSX里的ignored when using Apple's Secure Transport Layer.
从(不是很详细的)查看 curl 的源代码我建议,--ciphers
选项没有实现 SecureTransport 后端(Mac OS X),即无论您指定什么,它都会被忽略。
我想用 cURL 测试某些密码的使用,但它似乎不遵守 --ciphers
选项:
curl -vvv --tlsv1.0 --ciphers 'RC4-SHA' https://my.url.com/alive
* Hostname was NOT found in DNS cache
* Trying ip...
* Connected to my.url.com (ip) port 443 (#0)
* TLS 1.0 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: *.url.com
* Server certificate: DigiCert SHA2 Secure Server CA
* Server certificate: DigiCert Global Root CA
> GET /alive HTTP/1.1
> User-Agent: curl/7.37.1
> Host: my.url.com
> Accept: */*
>
< HTTP/1.1 200 OK
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Fri, 13 Mar 2015 20:33:46 GMT
< Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Status: 200 OK
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-UA-Compatible: chrome=1
< ETag: "561750c34ae7a13fe0c237e9fa9e3fbd"
< Cache-Control: max-age=0, private, must-revalidate
< X-Request-Id: da72f82b-32f9-4e43-8118-9e5122b9ab96
< X-Runtime: 0.025375
< Strict-Transport-Security: max-age=63072000
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
<
* Connection #0 to host my.url.com left intact
{"alive":true,"timestamp":"2015-03-13T20:33:46+00:00","requested_by":"myip"}
我知道 RC4-SHA
是 weak and should not be used,但这就是我想用我的服务器测试拒绝的原因。
在 Nginx 中设置的允许密码如下:
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA
DHE-RSA-AES256-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
AES
CAMELLIA
DES-CBC3-SHA
!aNULL
!eNULL
!EXPORT
!DES
!RC4
!MD5
!PSK
!aECDH
!EDH-DSS-DES-CBC3-SHA
!EDH-RSA-DES-CBC3-SHA
!KRB5-DES-CBC3-SHA
为什么要把算法改成TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
?它不应该只是拒绝连接吗?
这是我使用的 cURL 版本:
curl -V
curl 7.37.1 (x86_64-apple-darwin14.0) libcurl/7.37.1 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz
编辑: --ciphers
选项好像是OSX里的ignored when using Apple's Secure Transport Layer.
从(不是很详细的)查看 curl 的源代码我建议,--ciphers
选项没有实现 SecureTransport 后端(Mac OS X),即无论您指定什么,它都会被忽略。