curl: (35) schannel: next InitializeSecurityContext failed: Unknown error

C:\Users\casta>curl https://c5.ppy.sh
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

I’ve made my own CA, and I made a certificate from this CA.

The problem is, when I try to access the website with this certificate, it works fine!

But if I try with curl or C# applications, it returns an error.

The C# error is here:

2019-02-28T09:20:33: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel
2019-02-28T09:20:33: 위치: #=zGFbxUFU_LnBci6wJmmCy1$E=.#=z0YcFrd6MZP1A()
2019-02-28T09:20:33: 위치: #=zuFHGCPNOLQmjQEcRmqQHLnQ=.#=z3NGNjJ0=()

asked Mar 1, 2019 at 4:39 by LPOPYui

I’ve been using curl through a mitm proxy for pen-testing and getting the same issue.

I finally figured out that curl needs a parameter telling it not to check certificate revocation, so the command looks something like this:

curl "https://www.example.com" --ssl-no-revoke -x 127.0.0.1:8081

The -x parameter passes the proxy details — you may not need this.

hth

answered Jun 7, 2019 at 0:31 by riemannzz

You can use the --ssl flag and omit the https like this

curl --ssl c5.ppy.sh

answered Mar 18, 2020 at 11:08 by Max

You need to create a CRL and publish it to the webserver.

answered Feb 23, 2020 at 14:05 by LPOPYui

@Username-Is-Unavailabl

When running initial-setup.bat, I get this error again and again:

C:\Windows\System32\mods>curl https://media.forgecdn.net/files/3109/915/terrestria-2.1.5%2Bbuild.28.jar -O
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

This error happens every time initial-setup.bat tries to download a mod.

Also, I tried running the .bat file as admin.

@TrueCP6

The latest release is currently very outdated compared to the latest commit. PolyPack has been refactored to use packwiz instead of a bunch of curl commands, where this issue doesn't exist. I don't know if and when I will make a new release, due to there being very few functional changes. For now you can try downloading and running packwiz/update-server.bat instead, which should theoretically work.

@Username-Is-Unavailabl

Ok, so you said

The latest release is currently very outdated compared to the latest commit

But then you said

I don’t know if and when I will make a new release due to there being very few functional changes.

So should I use the latest release or the latest commit (which, if I'm not mistaken, is the master branch)?

Also, I tried running initial-setup.bat in packwiz, which I think means renaming the folder with the files downloaded from Releases to packwiz? It didn't work. I also tried copying initial-setup.bat to another folder that I named packwiz, and that didn't work either.

I have tried Downloading ZIP and following the Cloning tutorial, and I got these errors when I reached step 4.

@TrueCP6

I have tested both the latest release and the latest commit and both work completely fine. It looks like the issue has nothing to do with PolyPack and instead has something to do with your curl command. I have no idea what is wrong with it as it should work so I am closing this issue. I suggest you look for help on something like Stack Overflow or superuser to diagnose and fix the problem on your end.

@henshingly

I had the same problem on Windows 10.
In update-server.bat, change the first line
curl https://github.com/comp500/packwiz-installer-bootstrap/releases/download/v0.0.3/packwiz-installer-bootstrap.jar -L -O
to
curl https://github.com/comp500/packwiz-installer-bootstrap/releases/download/v0.0.3/packwiz-installer-bootstrap.jar --ssl-no-revoke -L -O
(--ssl-no-revoke: Disable cert revocation checks (WinSSL))

Contents

  1. Setup cURL in Windows
  2. cURL in Windows 10 version 1803 or higher
  3. Most Common Errors with Secure Websites
  4. curl: (35) schannel: next InitializeSecurityContext failed
  5. curl: (60) SSL certificate problem
  6. curl: (60) schannel: CertGetCertificateChain trust error
  7. Setup the latest version of cURL in Windows
  8. Certificate Setup for cURL
  9. curl-library
  10. Man-in-the-middle proxies don't work with CURL + WinSSL #3727
  11. Comments
  12. I did this
  13. Also tested with custom proxy server instead of Fiddler
  14. curl version
  15. operating system
  16. These are configurations that I know don't work and produce the 0x80092012 error:
  17. These work without any errors with CURL + WinSSL and default revocation checks:

Setup cURL in Windows


cURL (client URL) is a command line tool that system admins and developers use to transfer data between a server and a client using URLs. It supports many protocols and has a wide range of uses. I will not cover the details and applications of cURL here; if you are on this page, I am assuming you already know how to use it. Learn how to use curl in Windows if you are just getting started with it.

cURL in Windows 10 version 1803 or higher

Starting with Windows 10 (version 1803) or Server 2019, curl.exe is pre-installed in your %systemroot%\System32 directory by default. This guide is useful if you are on an older Windows version or want to use the latest curl build from the official website, which supports more protocols than the built-in one. I will also cover how to fix the most common errors you might face while using cURL in Windows.

Most Common Errors with Secure Websites

You can get a number of different errors when using secure (https) URLs with cURL. If you are getting any of the errors listed below, you are on the right page.

curl: (35) schannel: next InitializeSecurityContext failed

If you get this error message, it means that curl's Schannel backend was unable to check the revocation status of the server certificate; revocation checking is the default behaviour when talking to secure websites. You can circumvent the error by adding the --ssl-no-revoke argument to the curl command, but that becomes tedious when you use curl a lot, and it also switches the revocation check off entirely.

To get around this error once and for all, without having to specify the --ssl-no-revoke argument each time, see the Setup the latest version of cURL in Windows section.

curl: (60) SSL certificate problem

If you get this error, it means there is something wrong with the root certificate bundle that curl is using on your local system. To get around it, you could use the --insecure (or -k for short) argument with the curl command, which disables server certificate verification altogether.

Again, to learn how to get around this error once and for all, see the Setup the latest version of cURL in Windows section.

curl: (60) schannel: CertGetCertificateChain trust error

If you see this error, it means the root CA that curl is configured to use is untrusted: the site may be using a self-signed certificate, or the certificate is no longer valid. This error can also be bypassed with the --insecure argument described in the previous section.

Setup the latest version of cURL in Windows

Depending upon the edition of your Windows, you can download the latest version of cURL from the official website.

It comes as a zip archive. There is no installer in this file, so you will have to set the PATH environment variable for the curl.exe binary manually. Once downloaded, you can extract the zip archive to any folder of your choice. I extracted mine inside the D:\WORK\SOFTWARE\curl-7.81.0-win64 directory. Your directory should look like the following screenshot:

Now to set the PATH environment variable, open the Run dialog (Win+R), type "sysdm.cpl ,3" without quotes and press Enter. This opens the advanced system properties page. Follow the steps shown in the screenshot and click OK three times to save the changes.

Make sure you specify the correct path to the bin directory in STEP 5. I added D:\WORK\SOFTWARE\curl-7.81.0-win64\bin in my case.

When this is done, curl is ready to be used on your system. To confirm, open the command prompt and type the curl --version command. If you see the curl version as shown in the following image, you're all set to go to the next step:

If you get an error that says ‘curl’ is not recognized as an internal or external command, operable program or batch file, it means something is wrong with the PATH environment variable you created.

If you see this error, please follow the steps mentioned in this video to properly setup your PATH environment variable.

Certificate Setup for cURL

Now comes the most important part. At this point, when you try any secure URL with curl, you will most probably get one of the errors discussed in the previous sections. To fix those SSL errors permanently, you need to download the CA certificate bundle from the official website and configure curl on your system to use that file. To do that, follow these steps:

  1. First of all, download the CA certificate file and copy it into the same directory where curl.exe is located. To find the location of curl.exe, simply type the where curl command in your command prompt.
  2. Now create a new file named .curlrc in the same directory as curl.exe. In the end, your curl directory should look like the following image:
  3. Now open the .curlrc file in Notepad (or any other text editor) and set the complete path of the root certificate file that you downloaded in the first step. See the screenshot for reference:

    Please remember to use forward slashes (/) when specifying the directory path; otherwise it won't work.

[optional] If you're using Windows 10 (version 1803) or higher, your system will most likely have curl.exe in the %systemroot%\System32 directory as well. When you run the curl command without explicitly specifying the complete path to curl.exe, your system will use the default executable located in %systemroot%\System32. If this is the case, you will see curl.exe twice when you run the where curl command. See the following image for reference:

If you see the same, you need to get rid of the default curl.exe that comes with Windows. You can take ownership of the file, set the permissions and then rename the file with the help of the following commands:

Make sure you run these commands in an elevated command prompt. See the following screenshot for reference:

  • Once you have successfully renamed the default curl.exe executable, you should see a single instance of curl.exe when running the where curl command.
  • Your system is now all set and you can start using curl without any SSL error. The following screenshot shows that I no longer get any SSL error and I don't have to use the --insecure or --ssl-no-revoke arguments anymore.


    curl-library

    I know people have had problems with this before and I did my googling about it, but I don’t really understand how to solve this problem because in my case it’s particularly weird. Consider this little snippet:

    #include <stdio.h>
    #include <curl/curl.h>

    static void tryconnect(const char *address)
    {
      CURL *curl = curl_easy_init();
      CURLcode res;
      char buf[CURL_ERROR_SIZE];

      curl_easy_setopt(curl, CURLOPT_URL, address);
      curl_easy_setopt(curl, CURLOPT_CONNECT_ONLY, 1L);   /* TLS handshake only, no request */
      curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, buf);

      printf("Trying %s ", address);
      if(!(res = curl_easy_perform(curl))) {
        printf("OK!\n");
      } else {
        printf("FAIL: %d %s\n", res, buf);
      }
      curl_easy_cleanup(curl);
    }

    int main(int argc, char *argv[])
    {
      curl_global_init(CURL_GLOBAL_DEFAULT);
      tryconnect("https://www.hollywood-mal.de/");   /* --> works! */
      tryconnect("https://www.hollywood-mal.com/");  /* --> fails with schannel error */
      curl_global_cleanup();
      return 0;
    }

    Why on earth does https://www.hollywood-mal.de/ work fine and https://www.hollywood-mal.com/ doesn’t work at all? I’m the owner of both domains and they are hosted by the very same company with the very same settings, yet one works, and the other one doesn’t. Of course, in a browser both work fine, but with curl only the *.de one works, the *.com one fails.

    This is the output:

    Trying https://www.hollywood-mal.de/ OK!
    Trying https://www.hollywood-mal.com/ FAIL: 35 schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - Die Sperrfunktion konnte die Sperrung nicht überprüfen, da der Sperrserver offline war. (NB: In English the error is probably "schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline.")

    How can I solve this please? Some people seem to be suggesting to use the OpenSSL backend instead of schannel but is this really the only way to go? Isn’t this possible with in-house Windows solutions?


    Man-in-the-middle proxies don't work with CURL + WinSSL #3727

    We have users that use company-wide man-in-the-middle proxies for internal security. However, client software with libCURL + WinSSL reports the following error in their environments:

    schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

    All other Windows software works fine. It is also reproducible with Fiddler acting as a decrypting proxy, as discussed in issue #264.

    While a solution was implemented:
    curl_easy_setopt(m_curl, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE);

    I would argue that this is not enough, especially as it makes CURL + WinSSL software act different from other Windows based software and reduces security.

    I did this

    1. Run Fiddler
    2. set CURL_SSL_BACKEND=Schannel
    3. curl https://google.com -x 127.0.0.1:8888
      (Got 0x80092012 error)
    4. curl https://google.com -x 127.0.0.1:8888 --ssl-no-revoke
      (Succeeded as expected)
    5. curl https://revoked.badssl.com/ --ssl-no-revoke
      (Succeeded, but there should be an option to not allow this)

    Also tested with custom proxy server instead of Fiddler

    1. Self signed Root CA certificate
      OpenSSL can be used to generate it.
      Easy-RSA utility simplifies that process, more documentation can be found here:
      https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md
      CA certificate should have revocation list configured
    2. Burp configured as a proxy with previously generated certificate imported.
    3. On client machine Root CA certificate has to be installed into Trusted Root Authorities store.
    4. curl https://google.com -x ProxyServerUrl:ProxyPort
      (Got 0x80092012 error)

    curl version

    curl 7.64.0 (x86_64-pc-win32) libcurl/7.64.0 (OpenSSL/1.1.1a) Schannel zlib/1.2.11 brotli/1.0.7 WinIDN libssh2/1.8.0 nghttp2/1.36.0
    Release-Date: 2019-02-06
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz brotli TLS-SRP HTTP2 MultiSSL

    operating system

    Microsoft Windows [Version 10.0.17134.648]


    It’s possible that if a certificate in a chain does not have any revocation point and revocation checks are enabled then the call will fail. The root certificate is checked for revocation as well. Confirm by dumping the chain and inspecting it, and inspect the root certificate. Short of writing our own manual verification process and iterating through each certificate to check revocation I don’t see how we could distinguish certs with no revocation points from certs that have revocation points but aren’t available for whatever reason.

    Using --ssl-no-revoke to disable revocation checking by curl schannel of your generated MITM certificates is practical for a case like this. Fiddler does its own schannel revocation check of the actual certificates if you enable it (but I think it's only interactive). Burp may be similar.

    5. curl https://revoked.badssl.com/ --ssl-no-revoke
    (Succeeded, but there should be an option to not allow this)

    That’s exactly how it works and how it should work.

    To clarify, are we talking about the "CRL Distribution Points" field in the certificate? One from *.google.com:

    These are configurations that I know don't work and produce the 0x80092012 error:

    Fiddler overrides with certificates without any CRL values. Chain looks like:
    DO_NOT_TRUST_FiddlerRoot [No CRL] -> *.service.com [No CRL]

    Certificate chain from user (behind proxy):
    User-root-CA [No CRL] -> User-CA [CRL] -> *.service.com [No CRL]

    Certificate using our test proxy:
    TestProxyRoot-CA [CRL] -> *.service.com [No CRL]

    These work without any errors with CURL + WinSSL and default revocation checks:

    And if connecting CURL to service directly:
    DigiCert [No CRL] -> DigiCert CA [CRL] -> *.service.com [CRL]

    Also we have our internal testing services like this:
    Our-root-CA [No CRL] -> Our CA [CRL] -> *.test-service.com [CRL]

    So there is variety of configurations, but both failing ones have no CRL in end-entity (*.service.com) certificates. Can that be what is causing it?

    If the schannel backend is used and the user does not specify a bundle of certificates then libcurl uses the default OS certificate store with SCH_CRED_REVOCATION_CHECK_CHAIN which is documented as "When validating a certificate chain, check all certificates for revocation."

    Code for SCH_CRED_REVOCATION_CHECK_CHAIN

    Lines 517 to 545 in 521bbbe

    if(conn->ssl_config.verifypeer) {
    #ifdef HAS_MANUAL_VERIFY_API
      if(BACKEND->use_manual_cred_validation)
        schannel_cred.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION;
      else
    #endif
        schannel_cred.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION;
      /* TODO s/data->set.ssl.no_revoke/SSL_SET_OPTION(no_revoke)/g */
      if(data->set.ssl.no_revoke) {
        schannel_cred.dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
                                 SCH_CRED_IGNORE_REVOCATION_OFFLINE;
        DEBUGF(infof(data, "schannel: disabled server certificate revocation "
                           "checks\n"));
      }
      else {
        schannel_cred.dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN;
        DEBUGF(infof(data,
                     "schannel: checking server certificate revocation\n"));
      }
    }
    else {
      schannel_cred.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION |
                              SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
                              SCH_CRED_IGNORE_REVOCATION_OFFLINE;
      DEBUGF(infof(data,
                   "schannel: disabled server cert revocation checks\n"));
    }

    If the schannel backend is used and the user specifies a bundle of certificates (eg CAINFO) then libcurl ignores the OS certificate store and uses the bundle with CERT_CHAIN_REVOCATION_CHECK_CHAIN which is basically the same thing, documented as "Revocation checking is done on all of the certificates in every chain."

    Code for CERT_CHAIN_REVOCATION_CHECK_CHAIN

    Lines 498 to 546 in 521bbbe

    if(result == CURLE_OK) {
      CERT_CHAIN_PARA ChainPara;
      memset(&ChainPara, 0, sizeof(ChainPara));
      ChainPara.cbSize = sizeof(ChainPara);
      if(!CertGetCertificateChain(cert_chain_engine,
                                  pCertContextServer,
                                  NULL,
                                  pCertContextServer->hCertStore,
                                  &ChainPara,
                                  (data->set.ssl.no_revoke ? 0 :
                                   CERT_CHAIN_REVOCATION_CHECK_CHAIN),
                                  NULL,
                                  &pChainContext)) {
        char buffer[STRERROR_LEN];
        failf(data, "schannel: CertGetCertificateChain failed: %s",
              Curl_strerror(GetLastError(), buffer, sizeof(buffer)));
        pChainContext = NULL;
        result = CURLE_PEER_FAILED_VERIFICATION;
      }
      if(result == CURLE_OK) {
        CERT_SIMPLE_CHAIN *pSimpleChain = pChainContext->rgpChain[0];
        /* every trust error except "not time nested" is fatal */
        DWORD dwTrustErrorMask = ~(DWORD)(CERT_TRUST_IS_NOT_TIME_NESTED);
        dwTrustErrorMask &= pSimpleChain->TrustStatus.dwErrorStatus;
        if(dwTrustErrorMask) {
          if(dwTrustErrorMask & CERT_TRUST_IS_REVOKED)
            failf(data, "schannel: CertGetCertificateChain trust error"
                        " CERT_TRUST_IS_REVOKED");
          else if(dwTrustErrorMask & CERT_TRUST_IS_PARTIAL_CHAIN)
            failf(data, "schannel: CertGetCertificateChain trust error"
                        " CERT_TRUST_IS_PARTIAL_CHAIN");
          else if(dwTrustErrorMask & CERT_TRUST_IS_UNTRUSTED_ROOT)
            failf(data, "schannel: CertGetCertificateChain trust error"
                        " CERT_TRUST_IS_UNTRUSTED_ROOT");
          else if(dwTrustErrorMask & CERT_TRUST_IS_NOT_TIME_VALID)
            failf(data, "schannel: CertGetCertificateChain trust error"
                        " CERT_TRUST_IS_NOT_TIME_VALID");
          else if(dwTrustErrorMask & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
            failf(data, "schannel: CertGetCertificateChain trust error"
                        " CERT_TRUST_REVOCATION_STATUS_UNKNOWN");
          else
            failf(data, "schannel: CertGetCertificateChain error mask: 0x%08x",
                  dwTrustErrorMask);
          result = CURLE_PEER_FAILED_VERIFICATION;
        }
      }
    }

    Whether or not certificates without revocation points (any point like AIA or CRL or whatever) are accepted is unclear. Based on what you are describing it’s likely schannel using such a revocation check must allow for root certificates without any revocation point but not leaf certificates without any revocation point, at least in Windows 10.

    Also review Can't connect to Fiddler proxy if using WinSSL backend, which is why I added --ssl-no-revoke (I had forgotten, or I would've mentioned it yesterday). You'll notice in that issue I said:

    schannel is returning CRYPT_E_NO_REVOCATION_CHECK likely because we pass SCH_CRED_REVOCATION_CHECK_CHAIN in schannel_connect_step1 and in that case schannel requires all root CAs to have some sort of revocation detail when that flag is passed.

    Based on what you describe I guess I’m wrong or it’s not consistent between OS versions.
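    The chains listed earlier in this thread differ in whether the end-entity certificate carries a CRL Distribution Point, and for a private CA (the Stack Overflow question at the top of the page, and the answer that says to create and publish a CRL) the fix is on the issuing side. The following Go program is an added example, not code from curl, from this issue or from any project mentioned on this page: it builds a throwaway root, issues one leaf without and one with a CRL Distribution Point, lists which members of a chain carry no revocation information at all, and signs the CRL the CA would have to serve at that URL. The names Test-root-CA, www.service.example and http://crl.example/test.crl are constructed; only the Go standard library is used, and the RevokedCertificateEntries field needs Go 1.21 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed root, the "root-CA [No CRL]" shape from the chains
// above. Constructed test data, not a real CA.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Test-root-CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues a server certificate. An empty crlURL reproduces the failing
// "*.service.com [No CRL]" case; otherwise a CRL Distribution Point is included.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, host, crlURL string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if crlURL != "" {
		tmpl.CRLDistributionPoints = []string{crlURL}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RevocationGaps walks a chain (leaf first) and lists the certificates carrying
// neither a CRL Distribution Point nor an OCSP URL. The self-signed trust anchor
// is skipped: nothing above it could publish its status, which matches the
// observation above that roots without revocation info pass while leaves fail.
func RevocationGaps(chain []*x509.Certificate) []string {
	var gaps []string
	for _, c := range chain {
		if c.IsCA && c.CheckSignatureFrom(c) == nil {
			continue
		}
		if len(c.CRLDistributionPoints) == 0 && len(c.OCSPServer) == 0 {
			gaps = append(gaps, c.Subject.CommonName)
		}
	}
	return gaps
}

// PublishCRL signs a CRL listing the given serials: the artifact the CA has to
// serve at the distribution point so that a check-chain policy can complete.
func PublishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...int64) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

func main() {
	ca, key, _ := newCA() // demo only: errors ignored
	leaf, _ := issueLeaf(ca, key, 2, "www.service.example", "")
	fmt.Println("no revocation info:", RevocationGaps([]*x509.Certificate{leaf, ca}))
}
```

    RevocationGaps is the check to run on a captured chain before reaching for --ssl-no-revoke: anything it lists is a certificate whose status cannot be looked up under a check-chain policy, and the cure is a distribution point in the certificate plus a reachable CRL, not a client-side bypass. The trust anchor is exempt on purpose, since the only revocation mechanism for a root is removing it from the store.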

    P.S. I fixed my top issue description to refer to #264; I pasted the wrong link before. I was aware of that issue/fix and wanted a follow-up, as it affects more usual proxy configurations, not only Fiddler.

    It seems that the original issue #264 was not related to root certificate CRLs at all; Fiddler would also make end-entity (leaf) certificates without C
RLs. Or was there clarification that it was exactly the root certificate checks that caused #264?

    Is there any way to skip end-entity certificate revocation checks if there is none in curl/winssl?

    The major reason for this is that all Windows-based software works fine with these configurations, but software that is built on top of CURL + WinSSL is then seen as wrong by the end user.

    On a related note, CRL server offline errors are usually ignored by most Windows software, but not by CURL + WinSSL. While this is much less important, it is an inconsistency as well.

    It seems that the original issue #264 was not related to root certificate CRLs at all; Fiddler would also make end-entity (leaf) certificates without CRLs. Or was there clarification that it was exactly the root certificate checks that caused #264?

    The reporter in #264 didn’t respond to the report so I don’t know. It’s not documented what happens when a certificate is missing any revocation point and revocation checks are enabled. It most likely falls under the no revocation check error. We have some empirical results here and in the other issue but that’s about it. It may be different depending on OS version.

    Is there any way to skip end-entity certificate revocation checks if there is none in curl/winssl?

    Disable revocation checks in curl using --ssl-no-revoke. Whether or not your MITM does actual revocation checks is outside of curl's control.

    The major reason for this is that all Windows-based software works fine with these configurations, but software that is built on top of CURL + WinSSL is then seen as wrong by the end user.

    Yeah I’d imagine most developers implement soft revocation checking where it tries and if it cannot succeed it continues with the connection anyway. curl does not do that as I discussed in the other issue, you can have it either fully on or fully off when Schannel is used as the backend in Windows.


    CryptoPro forum: Connecting to ASOI FinCERT from Linux


    #1  dear_igor@mail.ru, posted 20 February 2020, 17:09:04 (UTC)

    Hello colleagues.

    I installed CryptoPro 5 rc2 on Debian Buster.

    I installed the ASOI FinCERT certificates:

    Quote:

    user@computer:/opt/cprocsp/bin/amd64$ ./certmgr -install -file /home/cacert.cer
    user@computer:/opt/cprocsp/bin/amd64$ ./certmgr -install -file /home/portal.fincert.cbr.ru.cer

    When I test the connection, an error is returned:

    Quote:

    user@computer:/opt/cprocsp/bin/amd64$ ./curl https://portal.fincert.cbr.ru
    curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_CERT_UNKNOWN (0x80090327) - [localized message text garbled in the original]

    And another question: how do I make the browser aware of the crypto provider so that it stops showing this message:

    Quote:

    This site can’t provide a secure connectionportal.fincert.cbr.ru uses an unsupported protocol.
    ERR_SSL_VERSION_OR_CIPHER_MISMATCH


    #2  dear_igor@mail.ru, posted 20 February 2020, 17:42:58 (UTC)

    I added the root certificate to the trusted store:

    Quote:

    root@computer:/opt/cprocsp/bin/amd64# ./certmgr -install -store mRoot -file /home/cacert.cer

    Now the error has changed:

    Quote:

    user@computer:/opt/cprocsp/bin/amd64$ ./curl https://portal.fincert.cbr.ru
    curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - [localized message text garbled in the original]


    #3  dear_igor@mail.ru, posted 20 February 2020, 18:00:57 (UTC)

    The problem turned out to be that I had not installed the certificate revocation list:

    Quote:

    root@computer:/opt/cprocsp/bin/amd64# ./certmgr -install -store mca -file /home/cacert.cer
    root@computer:/opt/cprocsp/bin/amd64# ./certmgr -install -store mca -file /home/cacert.crl -crl

    Now access works:

    Quote:

    user@computer:/opt/cprocsp/bin/amd64$ ./curl https://portal.fincert.cbr.ru

    <!doctype html>
    <html>
    <head><meta name='hmac-token-name' content='Ajax-Token'/>

    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">

    <title> - ФинЦЕРТ</title>
    <meta name="description" content="">
    <meta name="author" content="">

    <link rel="stylesheet" href="/css/umbraco-starterkit-style.css" />
    <link rel="stylesheet" href="/css/pt.base.css">
    <link rel="stylesheet" href="/css/fincert.patch.css">

    </head>

    It remains to solve the problem with the browser, which still does not see CryptoPro CSP :)


    #4  Александр Лавник (CryptoPro staff), posted 20 February 2020, 18:22:40 (UTC)

    Quoting dear_igor@mail.ru (post #3 above).

    Hello.

    On Linux x64, use Chromium GOST with GOST TLS support.


    #5  Depers81, posted 2 March 2020, 15:55:15 (UTC)

    Thanks for the information. On Ubuntu 18.04 with CSP 4, ./curl https://lk.fincert.cbr.ru managed to fetch the page, but

    Code:

    root@ubuntu:/opt/cprocsp/bin/amd64# ./curl https://api.fincert.cbr.ru
    curl: (58) Problem with the local SSL certificate

    I had loaded api.fincert.cbr.ru.cer beforehand.

    Code:

    root@ubuntu:/opt/cprocsp/bin/amd64# ./certmgr -inst -file /home/api.fincert.cbr.ru.cer
    Certmgr 1.0 (c) "CryptoPro",  2007-2010.
    program for managing certificates, CRLs and stores
    
    Install:
    =============================================================================
    1-------
    Issuer              : DC=ru, DC=cbr, DC=region, OU=PKI, OU=GUBZI, CN=ROOTsvc-CA
    Subject             : 1.2.643.100.111="#0C818AD0A1D0A0D095D094D0A1D0A2D092D09E20D09AD0A0D098D09FD0A2D09ED093D0A0D090D0A4D098D0A7D095D0A1D09AD09ED09920D097D090D0A9D098D0A2D0AB20D098D09DD0A4D09ED0A0D09CD090D0A6D098D0982022D09AD09ED09DD0A2D098D09DD095D09DD0A220544C532DD0A1D095D0A0D092D095D0A02220D092D095D0A0D0A1D098D0AF2032", C=RU, S=77 г. Москва, L=Москва, O=БАНК РОССИИ, STREET="ул. Неглинная, дом 12", CN=api.fincert.cbr.ru, INN=007702235133, OGRN=1037700013020
    Serial              : 0x40501740BF096800770E6C005D47F7C7
    SHA1 Hash           : 0x5f8d22186d8586b2519dd1f853799377aef16389
    SubjKeyID           : f0b6ed9a917623d753a208b44690fe2ccb551577
    Signature Algorithm : ГОСТ Р 34.11-2012/34.10-2012 256 bit
    PublicKey Algorithm : ГОСТ Р 34.10-2012 (512 bits)
    Not valid before    : 05/08/2019  09:34:22 UTC
    Not valid after     : 05/08/2020  23:59:00 UTC
    PrivateKey Link     : No                  
    Subject Alt DNS Name: api.fincert.cbr.ru
    UPN                 : ФинЦЕРТ (2.5.4.15)
    UPN                 : Серия ИАС 07 (2.5.4.13)
    CA cert URL         : ldap://region.cbr.ru/CN=ROOTsvc-CA,OU=GUBZI,OU=PKI,DC=region,DC=cbr,DC=ru
    CA cert URL         : ldap://region.cbr.ru/CN=ROOTsvc-CA-2294YPZVFL01,OU=GUBZI,OU=PKI,DC=region,DC=cbr,DC=ru
    CDP                 : ldap://region.cbr.ru/CN=ROOTsvc-CA,OU=GUBZI,OU=PKI,DC=region,DC=cbr,DC=ru
    CDP                 : ldap://region.cbr.ru/CN=ROOTsvc-CA-2294YPZVFL01,OU=GUBZI,OU=PKI,DC=region,DC=cbr,DC=ru
    Extended Key Usage  : 1.3.6.1.5.5.7.3.1
    =============================================================================
    
    [ErrorCode: 0x00000000]

    #6 Posted: 2 March 2020, 17:48:03 (UTC)

    Александр Лавник
    Status: Staff

    Группы: Участники

    Зарегистрирован: 30.06.2016(UTC)
    Сообщений: 3,203
    Мужчина
    Российская Федерация

    Сказал «Спасибо»: 53 раз
    Поблагодарили: 722 раз в 674 постах

    Quote from Depers81:


    Hello.

    As written earlier, install the root certificate into the root store and the revocation lists into the ca store:

    Code:

    sudo /opt/cprocsp/bin/amd64/certmgr -install -store mroot -file ~/cacert.cer
    
    sudo /opt/cprocsp/bin/amd64/certmgr -install -store mca -file ~/cacert.crl -crl

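An added diagnostic helper, not code from the forum or from CryptoPro: the certmgr dump above lists only ldap:// CRL distribution points, which a client outside the issuer's directory (region.cbr.ru, assumed here not to be reachable from an ordinary Internet host) cannot download, so the verifier has no revocation source until the CRL is installed by hand as the reply says. The script parses the CDP extension out of `openssl x509 -text` output (a constructed sample is embedded) and reports which points need a manually installed CRL.

```shell
#!/bin/sh
# Added example (not CryptoPro's or the forum's code). Constructed sample of
# the CRL Distribution Points block as `openssl x509 -noout -text` prints it,
# carrying the two ldap:// points from the certmgr dump above.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        X509v3 extensions:
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap://region.cbr.ru/CN=ROOTsvc-CA,OU=GUBZI,OU=PKI,DC=region,DC=cbr,DC=ru
                  URI:ldap://region.cbr.ru/CN=ROOTsvc-CA-2294YPZVFL01,OU=GUBZI,OU=PKI,DC=region,DC=cbr,DC=ru
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'

# cdp_uris: read certificate text on stdin, print each CDP URI on its own line.
cdp_uris() {
  awk '
    /X509v3 CRL Distribution Points/ { in_cdp = 1; next }
    in_cdp && /^ *X509v3 / { in_cdp = 0 }
    in_cdp && /URI:/ { sub(/.*URI:/, ""); print }
  '
}

# offline_cdp_count: number of CDPs an ordinary client cannot download
# (anything that is not http:// or https://). ldap:// points are reachable
# only from inside the issuing directory, so those CRLs must be installed
# by hand, e.g. with certmgr -install -store mca -file <crl> -crl.
offline_cdp_count() {
  cdp_uris | awk '!/^https?:\/\// { n++ } END { print n + 0 }'
}

# cdp_report: one line per CDP saying how its CRL can be obtained.
cdp_report() {
  cdp_uris | while IFS= read -r uri; do
    case "$uri" in
      http://*|https://*) printf 'fetchable   %s\n' "$uri" ;;
      ldap://*)           printf 'manual-crl  %s\n' "$uri" ;;
      *)                  printf 'unknown     %s\n' "$uri" ;;
    esac
  done
}

# Stand-alone run on the sample. On a real file (drop -inform DER for PEM):
#   openssl x509 -inform DER -in api.fincert.cbr.ru.cer -noout -text | cdp_report
printf '%s\n' "$SAMPLE_CERT_TEXT" | cdp_report
```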


    C:Userscasta>curl https://c5.ppy.sh
    curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
    

    I created my own certificate authority and obtained a certificate from this certificate authority.

    The problem is that when I tried to open the site with this certificate, it works fine!

    But if I try with curl or C# applications, it returns an error.

    The C# error is here:

    2019-02-28T09:20:33: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel
    2019-02-28T09:20:33: 위치: #=zGFbxUFU_LnBci6wJmmCy1$E=.#=z0YcFrd6MZP1A()
    2019-02-28T09:20:33: 위치: #=zuFHGCPNOLQmjQEcRmqQHLnQ=.#=z3NGNjJ0=()
    

    2 answers

    Best answer

    I was using curl through a mitm proxy for pen-testing and got the same problem.

    I finally figured out that curl needs a parameter telling it not to check certificate revocation, so the command looks roughly like this:

    curl "https://www.example.com" --ssl-no-revoke -x 127.0.0.1:8081
    

    The -x parameter passes the proxy details; you may not need it.

    hth


    12

    riemannzz
    7 Jun 2019 at 00:31

    You can use the --ssl flag and omit the https, like this

    curl --ssl c5.ppy.sh
    


    1

    Max
    18 Mar 2020 at 11:08
