On 16.12.2010 15:59, Ed wrote: > Victor Wagner wrote: >> Другой вопрос, что самоподписанный сертификат, НЕ СОДЕРЖАЩИЙ расширения >> basicConstraints считается сертификатом CA, а рассматриваемый сертификат >> содержал это расширение со значеним CA:FALSE. > > так что делать? ;) Почитать мануал? > можно как-то сказать curl'у - "этому сертификату я верю"?
1) (правильный способ) подключть сертификат подписавшено ca --cacert <CA certificate> (SSL) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. Normally curl is built to use a default file for this, so this option is typically used to alter that default file. curl recognizes the environment variable named 'CURL_CA_BUNDLE' if it is set, and uses the given path as a path to a CA cert bundle. This option overrides that variable. The windows version of curl will automatically look for a CA certs file named ´curl-ca-bundle.crt´, either in the same directory as curl.exe, or in the Current Working Directory, or in any folder along your PATH. If curl is built against the NSS SSL library then this option tells curl the nickname of the CA certificate to use within the NSS database defined by the environment variable SSL_DIR (or by default /etc/pki/nssdb). If the NSS PEM PKCS#11 module (libnsspem.so) is available then PEM files may be loaded. If this option is used several times, the last one will be used. --capath <CA certificate directory> (SSL) Tells curl to use the specified certificate directory to verify the peer. The certificates must be in PEM format, and the directory must have been processed using the c_rehash utility supplied with openssl. Using --capath can allow curl to make SSL-connections much more efficiently than using --cacert if the --cacert file contains many CA certificates. If this option is used several times, the last one will be used. 2) (неправильный способ) игнорировать ошибки ssl -k/--insecure (SSL) This option explicitly allows curl to perform "insecure" SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered "insecure" fail unless -k/--insecure is used. -- To UNSUBSCRIBE, email to debian-russian-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4d0a1ddd.8070...@kuklin.ru