I have an HTTPS server endpoint that exposes Prometheus-style metrics, and it only works over TLS 1.2.
curl -v --tlsv1.2 --tls-max 1.2 --key keys/client.key --cert certs/client.crt https://172.99.197.118:5000/metrics -k
Now I try the curl command without specifying any TLS version, but by default curl uses TLS 1.3. Is there a way to configure curl or the openssl package to use TLS 1.2 by default?
$ curl -v --key keys/client.key --cert certs/client.crt https://172.99.197.118:5000/metrics -k
* Trying 172.99.197.118:5000...
* TCP_NODELAY set
* Connected to 172.99.197.118 (172.99.197.118) port 5000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=New York; L=Armonk; OU=Cloud; CN=pod.cluster.local
* start date: Jan 21 16:35:29 2021 GMT
* expire date: Jan 21 16:35:59 2022 GMT
* issuer: CN=Operator Vault Intermediary CA
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56483c873e10)
> GET /metrics HTTP/2
> Host: 172.99.197.118:5000
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (OUT), TLS alert, illegal parameter (559):
* OpenSSL SSL_read: error:14160098:SSL routines:read_state_machine:excessive message size, errno 0
* Failed receiving HTTP2 data
* OpenSSL SSL_write: SSL_ERROR_SYSCALL, errno 0
* Failed sending HTTP2 data
* Connection #0 to host 172.99.197.118 left intact
curl: (56) OpenSSL SSL_read: error:14160098:SSL routines:read_state_machine:excessive message size, errno 0
Posted on 2021-10-19 16:32:33
The TLS version can be changed by adding the following line to ~/.curlrc
https://everything.curl.dev/usingcurl/tls#ssl-and-tls-versions
In this case, the option you are looking for is --tlsv1.2
Posted on 2021-10-19 19:40:28
If only TLS1_2 is supported, then you can see in the client and server hello messages that the two sides will never agree on TLS1_3.
The error you are getting is probably caused by the server trying to validate the client certificate. If that is indeed the case, you should check why it fails. Could it be a self-signed certificate that the server does not trust?
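As an added example (not from the question or either answer), the script below does two things the answers describe: it pulls the negotiated protocol, the server's certificate request and the post-handshake alert out of a saved `curl -v` log such as the one in the question, and it writes a curlrc that pins curl to TLS 1.2. The config directory and the sample log lines are assumptions; the log lines are copied from the output above.

```shell
#!/bin/sh
# Added example, not part of the original post. Triage a `curl -v` log and
# write a curlrc that pins TLS 1.2 (the config-file form of --tlsv1.2 --tls-max 1.2).

# Constructed sample: the three relevant lines from the verbose log in the question.
SAMPLE_LOG='* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* TLSv1.3 (OUT), TLS alert, illegal parameter (559):'

# Print the protocol curl reports on its "SSL connection using" line.
negotiated_tls() {
    printf '%s\n' "$1" | sed -n 's/^\* SSL connection using \([^ ]*\).*/\1/p'
}

# Succeed (exit 0) if the server sent a CertificateRequest, i.e. it wants a client cert.
server_requested_client_cert() {
    printf '%s\n' "$1" | grep -q 'TLS handshake, Request CERT (13)'
}

# Print the description of the TLS alert curl sent after the handshake, if any.
tls_alert() {
    printf '%s\n' "$1" | sed -n 's/^\* TLSv[0-9.]* (OUT), TLS alert, \(.*\) ([0-9]*):$/\1/p'
}

# Write a curlrc pinning TLS 1.2 into directory $1 (assumed path); point
# CURL_HOME at that directory or copy the file to ~/.curlrc to make it the default.
write_tls12_curlrc() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/.curlrc" <<'EOF'
# Minimum and maximum TLS version, same as: curl --tlsv1.2 --tls-max 1.2
tlsv1.2
tls-max = 1.2
EOF
    printf '%s\n' "$dir/.curlrc"
}

# Stand-alone run: summarise the sample log and write the config to a temp dir.
printf 'negotiated: %s\n' "$(negotiated_tls "$SAMPLE_LOG")"
server_requested_client_cert "$SAMPLE_LOG" && echo 'server requested a client certificate'
printf 'alert sent: %s\n' "$(tls_alert "$SAMPLE_LOG")"
printf 'wrote %s\n' "$(write_tls12_curlrc "$(mktemp -d)")"
```

A negotiated TLSv1.3 followed by a CertificateRequest and a client-side alert matches the second answer: the version pin is a separate matter from the client certificate the server is rejecting.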
https://stackoverflow.com/questions/69342379