CURL 显示 "No required SSL certificate was sent" 前夕

CURL showing "No required SSL certificate was sent" eve

我正在使用来自 WINDOWS 的 CURL 命令。 我已经在下面发布了命令。 我还发布了命令的结果。 在我看来,服务器在发送证书之前终止了连接。 但我可能错了。 知道为什么没有发送证书吗?

curl -v --cert C:\Users\myFolder\Downloads\hs_test_cert.pem --key C:\Users\myFolder\Downloads\hst_test_key.pem https://myAPIGEEhost.apigee.net/MyBackendName_CCDA_API?apikey=MyAssignedAPIKey

 *   Trying 00.00.00...
* TCP_NODELAY set
* Connected to myAPIGEEhost.apigee.net (00.00.00) port 443 (#0)
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 203 bytes...
* schannel: sent initial handshake data: sent 203 bytes
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4026
* schannel: encrypted data buffer: offset 4026 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 2/3)
* schannel: encrypted data got 964
* schannel: encrypted data buffer: offset 4990 length 5050
* schannel: a client certificate has been requested
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 2/3)
* schannel: encrypted data buffer: offset 4990 length 6014
* schannel: sending next handshake data: sending 133 bytes...
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 2/3)
* schannel: encrypted data got 274
* schannel: encrypted data buffer: offset 274 length 6014
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with myAPIGEEhost.apigee.net port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET /MyBackendName_CCDA_API?apikey=MyAssignedAPIKey HTTP/1.1
> Host: myAPIGEEhost.apigee.net
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 421
* schannel: encrypted data buffer: offset 421 length 103424
* schannel: decrypted data length: 361
* schannel: decrypted data added: 361
* schannel: decrypted data cached: offset 361 length 102400
* schannel: encrypted data length: 31
* schannel: encrypted data cached: offset 31 length 103424
* schannel: server closed the connection
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 361
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 400 Bad Request
< Date: Mon, 27 Sep 2021 18:22:21 GMT
< Content-Type: text/html
< Content-Length: 231
< Connection: close
<
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>server</center>
</body>
</html>
* Closing connection 0
* schannel: shutting down SSL/TLS connection with myAPIGEEhost.apigee.net port 443
* schannel: clear security context handle

It appears to me, the server is terminating the connection before sending the certificate. But I could wrong.

HTTPS 连接的 TLS 握手成功,否则服务器无法发送 HTTP 响应 - 它显然已经发送了。

* schannel: a client certificate has been requested

此调试消息表明服务器向客户端请求证书,即相互身份验证。此证书请求在服务器已将其自己的证书发送给客户端之后出现。

<center>No required SSL certificate was sent</center>

虽然您在命令行上提供了客户端证书和密钥,但实际上已发送 none。原因是 curl 7.55.1(您正在使用的)中的 SChannel 不支持客户端证书,请参阅 TODO:

15.1 Add support for client certificate authentication

 WinSSL/SChannel currently makes use of the OS-level system and user
 certificate and private key stores. This does not allow the application
 or the user to supply a custom client certificate using curl or libcurl.

 Therefore support for the existing -E/--cert and --key options should be
 implemented by supplying a custom certificate to the SChannel APIs, see:
 - Getting a Certificate for Schannel
   https://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx

在较新的版本中添加了对客户端证书的更好支持,但即使使用当前最新版本 (7.79.),也无法使用 SChannel TLS 后端将 PEM 文件作为证书或密钥提供。