libcurl с клиентским ssl-сертификатом возвращает 403, но curl работает нормально

Я пытаюсь использовать REST API управления службами Azure в Ubuntu, при этом culr и curl работают нормально:

curl --libcurl mylibcurl.c -v -H "Content-Type: application / xml" -H "x-ms-version: 2012-08-01" -E /home/azure/tmp/cert.pem : https://management.core.windows.net/your_subscription_id/services/hostedservices/your_service/deployments/your_vm

* Hostname was NOT found in DNS cache
*   Trying 157.55.195.251...
* Connected to management.core.windows.net (157.55.195.251) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA256
* Server certificate:
*        subject: C=US; ST=WA; L=Redmond; O=Microsoft; OU=OrganizationName; CN=ussouth2.management.core.windows.net
*        start date: 2013-06-07 19:45:29 GMT
*        expire date: 2015-06-07 19:45:29 GMT
*        subjectAltName: management.core.windows.net matched
*        issuer: DC=com; DC=microsoft; DC=corp; DC=redmond; CN=MSIT Machine Auth CA 2
*        SSL certificate verify ok.
> GET /your_subscription_id/services/hostedservices/shchVmFromCUrl/deployments/shchVmFromCUrl HTTP/1.1
> User-Agent: curl/7.35.0
> Host: management.core.windows.net
> Accept: */*
> Content-Type: application/xml
> x-ms-version: 2012-08-01
>
* SSLv3, TLS handshake, Hello request (0):
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
< HTTP/1.1 200 OK
< Cache-Control: no-cache
< Content-Length: 2865
< Content-Type: application/xml; charset=utf-8
* Server 1.0.6198.110 (rd_rdfe_stable.140729-1337) Microsoft-HTTPAPI/2.0 is not blacklisted
< Server: 1.0.6198.110 (rd_rdfe_stable.140729-1337) Microsoft-HTTPAPI/2.0
< x-ms-servedbyregion: ussouth2
< x-ms-request-id: 0d64fdafdce8c30c8ef517d1a97635af
< Date: Thu, 07 Aug 2014 20:57:13 GMT
<
<Deployment xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><Name>
... 
</Deployment>

Но тот же запрос с libcurl возвращает 403 Forbidden.

Как видите, я использовал флаг --libcurl mylibcurl.c в curl, чтобы он создал файл c для использования с libculr

вот как выглядит этот файл:

/********* Sample code generated by the curl command line tool **********
 * All curl_easy_setopt() options are documented at:
 * http://curl.haxx.se/libcurl/c/curl_easy_setopt.html
 ************************************************************************/
#include <curl/curl.h>

int main(int argc, char *argv[])
{
  CURLcode ret;
  CURL *hnd;
  struct curl_slist *slist1;

  slist1 = NULL;
  slist1 = curl_slist_append(slist1, "Content-Type: application/xml");
  slist1 = curl_slist_append(slist1, "x-ms-version: 2012-08-01");

  hnd = curl_easy_init();
  curl_easy_setopt(hnd, CURLOPT_URL, "https://management.core.windows.net/your_subscription_id/services/hostedservices/your_service/deployments/your_vm")
  curl_easy_setopt(hnd, CURLOPT_NOPROGRESS, 1L);
  curl_easy_setopt(hnd, CURLOPT_USERAGENT, "curl/7.35.0");
  curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, slist1);
  curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
  curl_easy_setopt(hnd, CURLOPT_SSLCERT, "/home/azure/tmp/cert.pem");
  curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
  curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);

  /* Here is a list of options the curl code used that cannot get generated
     as source easily. You may select to either not use them or implement
     them yourself.

  CURLOPT_WRITEDATA set to a objectpointer
  CURLOPT_WRITEFUNCTION set to a functionpointer
  CURLOPT_READDATA set to a objectpointer
  CURLOPT_READFUNCTION set to a functionpointer
  CURLOPT_SEEKDATA set to a objectpointer
  CURLOPT_SEEKFUNCTION set to a functionpointer
  CURLOPT_ERRORBUFFER set to a objectpointer
  CURLOPT_STDERR set to a objectpointer
  CURLOPT_DEBUGFUNCTION set to a functionpointer
  CURLOPT_DEBUGDATA set to a objectpointer
  CURLOPT_HEADERFUNCTION set to a functionpointer
  CURLOPT_HEADERDATA set to a objectpointer

  */

  ret = curl_easy_perform(hnd);

  curl_easy_cleanup(hnd);
  hnd = NULL;
  curl_slist_free_all(slist1);
  slist1 = NULL;

  return (int)ret;
}
/**** End of sample code ****/

Я построил это

gcc mylibcurl.c -o mylibcurl -lcurl

и запустите

mylibcurl

* Hostname was NOT found in DNS cache
*   Trying 157.55.195.251...
* Connected to management.core.windows.net (157.55.195.251) port 443 (#0)
* found 164 certificates in /etc/ssl/certs/ca-certificates.crt
*        server certificate verification OK
*        common name: ussouth2.management.core.windows.net (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: C=US,ST=WA,L=Redmond,O=Microsoft,OU=OrganizationName,CN=ussouth2.management.core.windows.net
*        start date: Fri, 07 Jun 2013 19:45:29 GMT

*        expire date: Sun, 07 Jun 2015 19:45:29 GMT

*        issuer: DC=com,DC=microsoft,DC=corp,DC=redmond,CN=MSIT Machine Auth CA 2
*        compression: NULL
*        cipher: AES-128-CBC
*        MAC: SHA256
> GET /your_subscription_id/services/hostedservices/shchVmFromCUrl/deployments/shchVmFromCUrl HTTP/1.1
User-Agent: curl/7.35.0
Host: management.core.windows.net
Accept: */*
Content-Type: application/xml
x-ms-version: 2012-08-01

< HTTP/1.1 403 Forbidden
< Content-Length: 288
< Content-Type: application/xml; charset=utf-8
* Server Microsoft-HTTPAPI/2.0 is not blacklisted
< Server: Microsoft-HTTPAPI/2.0
< Date: Thu, 07 Aug 2014 23:57:17 GMT
<
* Connection #0 to host management.core.windows.net left intact
<Error xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><Code>Forb
ddenError</Code><Message>The server failed to authenticate the request. Verify that the certificate is valid and is ass
ciated with this subscription.</Message></Error>

Что я пропустил?


libcurl sslv3
person vlshch    schedule 07.08.2014    source источник

Ответы (2)


arrow_upward
1
arrow_downward

Добавь это. Вероятно, ваш локальный SSL-сертификат не проверяет:

curl_easy_setopt(hnd,  CURLOPT_SSL_VERIFYPEER, 0);

Он говорит ему игнорировать проверку действительности сертификата. Есть более безопасный и сложный способ сделать это, но он, по крайней мере, позволит выявить ошибку и запустить ее.

person Kchun    schedule 15.01.2015

arrow_upward
0
arrow_downward

Единственное, что я могу придумать, это просто добавить следующую строку

curl_easy_setopt(hnd, CURLOPT_CAPATH, "/etc/ssl/certs");

Согласно журналам, когда вы выполняете curl в командной строке, используется CApath: / etc / ssl / certs. Вместо этого при использовании libcurl он проверяет что-то еще.

person ipinyol    schedule 08.08.2014
comment
Спасибо за ответ, но это не помогает. - person vlshch; 08.08.2014