cURL不尊重密码

时间:2015-03-13 20:38:32

标签: ssl curl nginx starttls

我想测试某些cURL密码的使用情况,但它似乎不尊重--ciphers选项:

curl -vvv --tlsv1.0 --ciphers 'RC4-SHA' https://my.url.com/alive
* Hostname was NOT found in DNS cache
*   Trying ip...
* Connected to my.url.com (ip) port 443 (#0)
* TLS 1.0 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: *.url.com
* Server certificate: DigiCert SHA2 Secure Server CA
* Server certificate: DigiCert Global Root CA
> GET /alive HTTP/1.1
> User-Agent: curl/7.37.1
> Host: my.url.com
> Accept: */*
> 
< HTTP/1.1 200 OK
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Fri, 13 Mar 2015 20:33:46 GMT
< Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Status: 200 OK
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-UA-Compatible: chrome=1
< ETag: "561750c34ae7a13fe0c237e9fa9e3fbd"
< Cache-Control: max-age=0, private, must-revalidate
< X-Request-Id: da72f82b-32f9-4e43-8118-9e5122b9ab96
< X-Runtime: 0.025375
< Strict-Transport-Security: max-age=63072000
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< 
* Connection #0 to host my.url.com left intact
{"alive":true,"timestamp":"2015-03-13T20:33:46+00:00","requested_by":"myip"}

我知道RC4-SHAweak and should not be used,但这就是我想用我的服务器测试拒绝的原因。

在Nginx中设置的允许密码如下:

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA
DHE-RSA-AES256-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
AES
CAMELLIA
DES-CBC3-SHA
!aNULL
!eNULL
!EXPORT
!DES
!RC4
!MD5
!PSK
!aECDH
!EDH-DSS-DES-CBC3-SHA
!EDH-RSA-DES-CBC3-SHA
!KRB5-DES-CBC3-SHA

为什么将算法更改为TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA?难道它不能拒绝连接吗?

这是我使用的cURL版本:

curl -V
curl 7.37.1 (x86_64-apple-darwin14.0) libcurl/7.37.1 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz

修改:在OS X中使用ignored时似乎--ciphers选项为Apple's Secure Transport Layer

1 个答案:

答案 0 :(得分:6)

从一个(不是非常详细的)看一下curl的源代码我建议,--ciphers选项没有SecureTransport后端(Mac OS X)的实现,即无论你指定什么它被忽略了。

相关问题
最新问题