
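When we access a website with the curl command, we may sometimes get an SSL certificate error.
This is because, by default, cURL verifies the server's SSL certificate when it connects; if the target website is misconfigured or its certificate has expired, an error is raised.
Below we look at how to ignore these SSL certificate errors.
Ignoring SSL certificate errors with cURL
In general, ignoring the error and continuing to connect to the faulty website is not recommended. But if you trust the website, you can do so.
With curl, adding the --insecure option ignores SSL certificate errors. Without the option, the connection fails, as in the following output: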
$ curl https://expired.badssl.com
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
You can also use the -k option; it has the same effect as --insecure, which is shown here:
$ curl --insecure https://expired.badssl.com
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" href="/icons/favicon-red.ico"/>
<link rel="apple-touch-icon" href="/icons/icon-red.png"/>
<title>expired.badssl.com</title>
<link rel="stylesheet" href="/style.css">
<style>body { background: red; }</style>
</head>
<body>
<div id="content">
<h1 style="font-size: 12vw;">
expired.<br>badssl.com
</h1>
</div>
</body>
</html>
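Using the --insecure option for all SSL connections
Note: this is not recommended unless you are working in an isolated or test environment.
You can add insecure to the curl configuration file with the following command: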
echo "insecure" >> ~/.curlrc
After that, connecting to the same address with curl succeeds even without the --insecure option:
$ curl https://expired.badssl.com
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" href="/icons/favicon-red.ico"/>
<link rel="apple-touch-icon" href="/icons/icon-red.png"/>
<title>expired.badssl.com</title>
<link rel="stylesheet" href="/style.css">
<style>body { background: red; }</style>
</head>
<body>
<div id="content">
<h1 style="font-size: 12vw;">
expired.<br>badssl.com
</h1>
</div>
</body>
</html>
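Ignoring SSL certificate errors with wget
If a website is misconfigured or its certificate has expired, downloading files from it with the wget command also produces an SSL certificate error: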
$ wget https://expired.badssl.com
--2022-11-17 14:35:55-- https://expired.badssl.com/
Resolving expired.badssl.com (expired.badssl.com)... 104.154.89.105
Connecting to expired.badssl.com (expired.badssl.com)|104.154.89.105|:443... connected.
ERROR: cannot verify expired.badssl.com's certificate, issued by ‘CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB’:
Issued certificate has expired.
To connect to expired.badssl.com insecurely, use `--no-check-certificate'.
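By default, wget checks for a valid SSL certificate so that you can establish a reliable connection; if the check fails, it reports an error, here stating that the issued certificate has expired.
To ignore SSL errors, use the --no-check-certificate option, which tells wget not to check the SSL certificate: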
$ wget --no-check-certificate https://expired.badssl.com
--2022-11-17 15:18:07-- https://expired.badssl.com/
Resolving expired.badssl.com (expired.badssl.com)... 104.154.89.105
Connecting to expired.badssl.com (expired.badssl.com)|104.154.89.105|:443... connected.
WARNING: cannot verify expired.badssl.com's certificate, issued by ‘CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB’:
Issued certificate has expired.
HTTP request sent, awaiting response... 200 OK
Length: 494 [text/html]
Saving to: ‘index.html.1’
index.html.1 100%[===================>] 494 --.-KB/s in 0s
2022-11-17 15:18:08 (209 MB/s) - ‘index.html.1’ saved [494/494]
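Skipping the certificate check
To skip the certificate check every time you access a site with a broken SSL setup, add check-certificate = off to the wget configuration file. You then no longer need to pass the --no-check-certificate option: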
$ wget https://expired.badssl.com
--2022-11-17 15:41:50-- https://expired.badssl.com/
Resolving expired.badssl.com (expired.badssl.com)... 104.154.89.105
Connecting to expired.badssl.com (expired.badssl.com)|104.154.89.105|:443... connected.
WARNING: cannot verify expired.badssl.com's certificate, issued by ‘CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB’:
Issued certificate has expired.
HTTP request sent, awaiting response... 200 OK
Length: 494 [text/html]
Saving to: ‘index.html.2’
index.html.2 100%[===================>] 494 --.-KB/s in 0s
2022-11-17 15:41:51 (191 MB/s) - ‘index.html.2’ saved [494/494]
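Once written to a configuration file, both settings apply silently to every later connection. The script below is an added example, not part of the original article: it scans a curl configuration file and a wget configuration file for lines that disable certificate verification. The function names, the default paths (~/.curlrc and ~/.wgetrc) and the exit-code convention are assumptions of this example.

```shell
#!/bin/sh
# Added example: find persisted settings that turn off TLS certificate
# verification in a curl config file and a wget config file.

# curl config: the option may appear as insecure, --insecure or -k.
scan_curlrc() {
    [ -r "$1" ] || return 0
    awk -v f="$1" '
        /^[ \t]*(--insecure|insecure|-k)[ \t]*(#.*)?$/ {
            print f ":" NR ": " $0
        }' "$1"
}

# wget config: key names are matched ignoring case, "-" and "_";
# the values off, no and 0 are all treated as disabling the check.
scan_wgetrc() {
    [ -r "$1" ] || return 0
    awk -v f="$1" '
        /^[ \t]*#/ { next }
        {
            split($0, kv, "=")
            key = tolower(kv[1]); gsub(/[-_ \t]/, "", key)
            val = tolower(kv[2]); gsub(/[ \t]/, "", val)
            if (key == "checkcertificate" && val ~ /^(off|no|0)$/)
                print f ":" NR ": " $0
        }' "$1"
}

# Print every finding; return 1 if any exist so the check can gate a job.
# Arguments (assumed defaults): curl config path, wget config path.
audit_tls_overrides() {
    curlrc=${1:-$HOME/.curlrc}
    wgetrc=${2:-$HOME/.wgetrc}
    findings=$(scan_curlrc "$curlrc"; scan_wgetrc "$wgetrc")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

audit_tls_overrides "$@" ||
    echo "certificate verification is disabled by the lines above" >&2
```

Each finding is printed as file:line: text, so the offending line can be removed from the configuration file once testing is finished.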