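Using the national-crypto (GM) build of cURL to access GM HTTPS sites

Summary: A guide to using the GM build of cURL

1. What is curl

cURL (client URL) is an open-source command-line tool for sending requests to web servers and many other kinds of servers. curl has a large number of options and is commonly used for testing and debugging during server development and troubleshooting; it is a real network "wonder tool".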

2. What is GM curl

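curl itself does not support the GM SSL protocol (TLCP). The programmers said, "Let there be a GM build of curl," and there was a GM build of curl. Ha, programmers really are the gods of the software world. The GM build of curl, gmcurl for short, was ported by the GM SSL Lab (www.gmssl.cn) and is free to download and use.

3. Using GM curl (one-way GM SSL)

3.1 Running it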

[root@206test ~]# ./gmcurl
GM Version: 1.0.0 Ported by www.gmssl.cn
Options:
--gmssl, use TLCP protocol
--cert,  use sm2 sig pem cert
--key,  use sm2 sig pem key
--cert2, use sm2 enc pem cert
--key2,  use sm2 enc pem key
curl: try 'curl --help' or 'curl --manual' for more information

3.2 Simple access

[root@206test ~]# ./gmcurl --gmssl -k https://ebssec.boc.cn
GM Version: 1.0.0 Ported by www.gmssl.cn
Options:
--gmssl, use TLCP protocol
--cert,  use sm2 sig pem cert
--key,  use sm2 sig pem key
--cert2, use sm2 enc pem cert
--key2,  use sm2 enc pem key

Notes:

1) --gmssl enables GM SSL

2) -k means the server certificate is not verified

3.3 Verifying the certificate

[root@206test ~]# ./gmcurl --gmssl --cacert boc.ca.pem https://ebssec.boc.cn
GM Version: 1.0.0 Ported by www.gmssl.cn
Options:
--gmssl, use TLCP protocol
--cert,  use sm2 sig pem cert
--key,  use sm2 sig pem key
--cert2, use sm2 enc pem cert
--key2,  use sm2 enc pem key

Notes:

1) --cacert loads a local trusted certificate chain

2) boc.ca.pem can be downloaded from https://www.gmssl.cn/gmssl/down/boc.ca.pem

3.4 Simple debugging

[root@206test ~]# ./gmcurl --gmssl -k --verbose https://ebssec.boc.cn
GM Version: 1.0.0 Ported by www.gmssl.cn
Options:
--gmssl, use TLCP protocol
--cert,  use sm2 sig pem cert
--key,  use sm2 sig pem key
--cert2, use sm2 enc pem cert
--key2,  use sm2 enc pem key
*  Trying 123.124.191.183:443...
* Connected to ebssec.boc.cn (123.124.191.183) port 443 (#0)
* ALPN, offering http/1.1
* (101) (OUT), , Unknown (1):
* (101) (IN), , Unknown (2):
* (101) (IN), , Unknown (11):
* (101) (IN), , Unknown (12):
* (101) (IN), , Unknown (14):
* (101) (OUT), , Unknown (16):
* (101) (OUT), , Change cipher spec (1):
* (101) (OUT), , Unknown (20):
* (101) (IN), , Unknown (20):
* SSL connection using GMSSLv1.1 / ECC-SM4-CBC-SM3
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=CN; ST=\U5317\U4EAC; L=\U5317\U4EAC; O=\U4E2D\U56FD\U94F6\U884C\U80A1\U4EFD\U6709\U9650\U516C\U53F8; OU=Local RA; OU=SSL; CN=ebssec.boc.cn
*  start date: Jun 11 09:05:20 2021 GMT
*  expire date: Jun 19 08:16:56 2026 GMT
*  issuer: C=CN; O=CFCA SM2 OCA1
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> Host: ebssec.boc.cn
> User-Agent: curl/7.82.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 17 Jul 2022 04:06:39 GMT
< Last-Modified: Sat, 27 Jun 2015 16:48:38 GMT
< Accept-Ranges: bytes
< Content-Length: 156
< Cache-Control: max-age=300
< Expires: Sun, 17 Jul 2022 04:11:39 GMT
< Vary: Accept-Encoding,User-Agent
< Content-Type: text/html
< 
* Connection #0 to host ebssec.boc.cn left intact
<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0;url=/boc15/login.html"><meta name="renderer" content="ie-stand"></head><body></body></html>

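Notes:

1) The protocol GMSSLv1.1 and the cipher suite ECC-SM4-CBC-SM3 are visible

2) The server certificate information is visible

3) The HTTPS request and response headers are visible

4) --verbose can be shortened to -v,

i.e. ./gmcurl --gmssl -k -v https://ebssec.boc.cn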
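
With -k, curl logs the failed chain check ("continuing anyway") and still completes the request, so a script that looks only at the HTTP response never notices. The following Python is an added example, not part of gmcurl or the original article: it summarizes a saved --verbose (or --trace) log and reports whether TLCP was negotiated and whether the server certificate was actually verified. The function names are illustrative, and "SSL certificate verify ok." is the line stock curl prints on success, assumed unchanged in gmcurl.

```python
import re
from datetime import datetime, timezone

# Sample input: session and certificate lines copied from the --verbose output above.
SAMPLE = r"""* SSL connection using GMSSLv1.1 / ECC-SM4-CBC-SM3
* Server certificate:
*  subject: C=CN; ST=\U5317\U4EAC; L=\U5317\U4EAC; O=\U4E2D\U56FD\U94F6\U884C\U80A1\U4EFD\U6709\U9650\U516C\U53F8; OU=Local RA; OU=SSL; CN=ebssec.boc.cn
*  start date: Jun 11 09:05:20 2021 GMT
*  expire date: Jun 19 08:16:56 2026 GMT
*  issuer: C=CN; O=CFCA SM2 OCA1
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
"""

PREFIX = re.compile(r"^(?:\*|== Info:)\s*")  # line prefixes of --verbose and --trace
DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def unescape_dn(dn):
    """Turn the \\UXXXX escapes curl prints for non-ASCII DN text into characters."""
    return re.sub(r"\\U([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), dn)


def summarize(log):
    """Extract protocol, suite, certificate fields and verify status from a log."""
    info = {"verified": None}
    for raw in log.splitlines():
        line = PREFIX.sub("", raw)
        if m := re.match(r"SSL connection using (\S+) / (\S+)", line):
            info["protocol"], info["cipher"] = m.groups()
        elif m := re.match(r"(subject|issuer): (.*)", line):
            info[m.group(1)] = unescape_dn(m.group(2))
        elif m := re.match(r"(start|expire) date: (.*)", line):
            when = datetime.strptime(m.group(2), DATE_FMT)
            info[m.group(1)] = when.replace(tzinfo=timezone.utc)
        elif line.startswith("SSL certificate verify ok"):
            info["verified"] = True
        elif m := re.match(r"SSL certificate verify result: (.*) \((\d+)\)", line):
            info["verified"] = False
            info["verify_error"] = (int(m.group(2)), m.group(1))
    return info


def findings(info, now):
    """List the problems to resolve before the session can be trusted."""
    out = []
    if not info.get("protocol", "").startswith("GMSSL"):
        out.append("TLCP was not negotiated (was --gmssl passed?)")
    if info["verified"] is not True:
        out.append("server certificate was not verified; use --cacert and drop -k")
    if "expire" in info and info["expire"] < now:
        out.append("server certificate has expired")
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print(summary["subject"])
    for item in findings(summary, datetime.now(timezone.utc)):
        print("FINDING:", item)
```
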

3.5 In-depth debugging (including the SSL process)

[root@206test ~]# ./gmcurl --gmssl -k --trace - https://ebssec.boc.cn
GM Version: 1.0.0 Ported by www.gmssl.cn
Options:
--gmssl, use TLCP protocol
--cert,  use sm2 sig pem cert
--key,  use sm2 sig pem key
--cert2, use sm2 enc pem cert
--key2,  use sm2 enc pem key
== Info:  Trying 123.124.191.183:443...
== Info: Connected to ebssec.boc.cn (123.124.191.183) port 443 (#0)
== Info: ALPN, offering http/1.1
=> Send SSL data, 5 bytes (0x5)
0000: 16 01 01 00 80                  .....
== Info: (101) (OUT), , Unknown (1):
=> Send SSL data, 128 bytes (0x80)
0000: 01 00 00 7c 01 01 04 8c 21 8f c5 fc d8 1e 9b 15 ...|....!.......
0010: 54 11 1b 7b cc 4f de bf 56 46 f7 30 85 b6 32 46 T..{.O..VF.0..2F
0020: 28 b5 03 7a 80 17 00 00 0e e0 53 e0 51 e0 13 e0 (..z......S.Q...
0030: 11 e0 03 e0 01 00 ff 01 00 00 45 00 00 00 12 00 ..........E.....
0040: 10 00 00 0d 65 62 73 73 65 63 2e 62 6f 63 2e 63 ....ebssec.boc.c
0050: 6e 00 0b 00 04 03 00 01 02 00 0a 00 0c 00 0a 00 n...............
0060: 1d 00 17 00 1e 00 19 00 18 33 74 00 00 00 10 00 .........3t.....
0070: 0b 00 09 08 68 74 74 70 2f 31 2e 31 00 16 00 00 ....http/1.1....
<= Recv SSL data, 5 bytes (0x5)
0000: 16 01 01 00 39                  ....9
== Info: (101) (IN), , Unknown (2):
<= Recv SSL data, 57 bytes (0x39)
0000: 02 00 00 35 01 01 62 d3 8c 34 7c a3 f0 aa e3 da ...5..b..4|.....
0010: 61 85 fd 8e 05 77 98 f0 9e 3e f0 82 3d 57 70 cf a....w...>..=Wp.
0020: e1 74 dc 19 54 44 00 e0 13 00 00 0d ff 01 00 01 .t..TD..........
0030: 00 00 0b 00 04 03 00 01 02            .........
<= Recv SSL data, 5 bytes (0x5)
0000: 16 01 01 05 b2                  .....
== Info: (101) (IN), , Unknown (11):
<= Recv SSL data, 1458 bytes (0x5b2)
0000: 0b 00 05 ae 00 05 ab 00 02 d3 30 82 02 cf 30 82 ..........0...0.
0010: 02 72 a0 03 02 01 02 02 05 13 36 39 33 70 30 0c .r........693p0.
0020: 06 08 2a 81 1c cf 55 01 83 75 05 00 30 25 31 0b ..*...U..u..0%1.
0030: 30 09 06 03 55 04 06 13 02 43 4e 31 16 30 14 06 0...U....CN1.0..
0040: 03 55 04 0a 0c 0d 43 46 43 41 20 53 4d 32 20 4f .U....CFCA SM2 O
0050: 43 41 31 30 1e 17 0d 32 31 30 36 31 31 30 39 30 CA10...210611090
0060: 35 32 30 5a 17 0d 32 36 30 36 31 39 30 38 31 36 520Z..2606190816
0070: 35 36 5a 30 81 91 31 0b 30 09 06 03 55 04 06 13 56Z0..1.0...U...
0080: 02 43 4e 31 0f 30 0d 06 03 55 04 08 0c 06 e5 8c .CN1.0...U......
0090: 97 e4 ba ac 31 0f 30 0d 06 03 55 04 07 0c 06 e5 ....1.0...U.....
00a0: 8c 97 e4 ba ac 31 27 30 25 06 03 55 04 0a 0c 1e .....1'0%..U....
00b0: e4 b8 ad e5 9b bd e9 93 b6 e8 a1 8c e8 82 a1 e4 ................
00c0: bb bd e6 9c 89 e9 99 90 e5 85 ac e5 8f b8 31 11 ..............1.
00d0: 30 0f 06 03 55 04 0b 0c 08 4c 6f 63 61 6c 20 52 0...U....Local R
00e0: 41 31 0c 30 0a 06 03 55 04 0b 0c 03 53 53 4c 31 A1.0...U....SSL1
00f0: 16 30 14 06 03 55 04 03 0c 0d 65 62 73 73 65 63 .0...U....ebssec
0100: 2e 62 6f 63 2e 63 6e 30 59 30 13 06 07 2a 86 48 .boc.cn0Y0...*.H
0110: ce 3d 02 01 06 08 2a 81 1c cf 55 01 82 2d 03 42 .=....*...U..-.B
0120: 00 04 fb 0d 52 7a 19 40 cf 42 4a 7b c2 e7 b4 db ....Rz.@.BJ{....
0130: bd d7 f2 39 30 ae 3c e4 a5 66 63 c0 cb 10 4a 16 ...90.<..fc...J.
0140: 3f 98 d5 01 ff c6 5b 9b 1d d5 5f e5 7a 87 ac ed ?.....[..._.z...
0150: 63 08 34 62 ed a3 79 20 a1 97 40 5d 78 f7 67 3c c.4b..y ..@]x.g<
0160: d3 73 a3 82 01 1e 30 82 01 1a 30 1f 06 03 55 1d .s....0...0...U.
0170: 23 04 18 30 16 80 14 5c 93 58 20 5a 24 73 56 10 #..0...\.X Z$sV.
0180: 1b 64 50 10 ec e9 a7 ca 07 41 11 30 0c 06 03 55 .dP......A.0...U
0190: 1d 13 01 01 ff 04 02 30 00 30 48 06 03 55 1d 20 .......0.0H..U.
01a0: 04 41 30 3f 30 3d 06 08 60 81 1c 86 ef 2a 01 01 .A0?0=..`....*..
01b0: 30 31 30 2f 06 08 2b 06 01 05 05 07 02 01 16 23 010/..+........#
01c0: 68 74 74 70 3a 2f 2f 77 77 77 2e 63 66 63 61 2e http://www.cfca.
01d0: 63 6f 6d 2e 63 6e 2f 75 73 2f 75 73 2d 31 34 2e com.cn/us/us-14.
01e0: 68 74 6d 30 37 06 03 55 1d 1f 04 30 30 2e 30 2c htm07..U...00.0,
01f0: a0 2a a0 28 86 26 68 74 74 70 3a 2f 2f 63 72 6c .*.(.&http://crl
0200: 2e 63 66 63 61 2e 63 6f 6d 2e 63 6e 2f 53 4d 32 .cfca.com.cn/SM2
0210: 2f 63 72 6c 35 36 31 38 2e 63 72 6c 30 18 06 03 /crl5618.crl0...
0220: 55 1d 11 04 11 30 0f 82 0d 65 62 73 73 65 63 2e U....0...ebssec.
0230: 62 6f 63 2e 63 6e 30 0e 06 03 55 1d 0f 01 01 ff boc.cn0...U.....
0240: 04 04 03 02 06 c0 30 1d 06 03 55 1d 0e 04 16 04 ......0...U.....
0250: 14 9e a8 16 8f ce ac a8 03 84 71 4e 46 96 aa d3 ..........qNF...
0260: 89 17 ed 3d 4a 30 1d 06 03 55 1d 25 04 16 30 14 ...=J0...U.%..0.
0270: 06 08 2b 06 01 05 05 07 03 02 06 08 2b 06 01 05 ..+.........+...
0280: 05 07 03 01 30 0c 06 08 2a 81 1c cf 55 01 83 75 ....0...*...U..u
0290: 05 00 03 49 00 30 46 02 21 00 af 85 2b db bf 98 ...I.0F.!...+...
02a0: 7a 11 19 75 61 c0 8b 83 e7 f3 f5 49 5e 41 b6 8f z..ua......I^A..
02b0: 7c 16 30 52 35 03 d9 d0 07 55 02 21 00 c4 42 e2 |.0R5....U.!..B.
02c0: 4f 52 fe 64 82 d1 4a 54 bc 2a a1 fc 34 02 d9 48 OR.d..JT.*..4..H
02d0: bc 4d c7 1d e4 6d 88 81 84 ac 72 75 0d 00 02 d2 .M...m....ru....
02e0: 30 82 02 ce 30 82 02 72 a0 03 02 01 02 02 05 13 0...0..r........
02f0: 36 39 33 71 30 0c 06 08 2a 81 1c cf 55 01 83 75 693q0...*...U..u
0300: 05 00 30 25 31 0b 30 09 06 03 55 04 06 13 02 43 ..0%1.0...U....C
0310: 4e 31 16 30 14 06 03 55 04 0a 0c 0d 43 46 43 41 N1.0...U....CFCA
0320: 20 53 4d 32 20 4f 43 41 31 30 1e 17 0d 32 31 30  SM2 OCA10...210
0330: 36 31 31 30 39 30 35 32 30 5a 17 0d 32 36 30 36 611090520Z..2606
0340: 31 39 30 38 31 36 35 36 5a 30 81 91 31 0b 30 09 19081656Z0..1.0.
0350: 06 03 55 04 06 13 02 43 4e 31 0f 30 0d 06 03 55 ..U....CN1.0...U
0360: 04 08 0c 06 e5 8c 97 e4 ba ac 31 0f 30 0d 06 03 ..........1.0...
0370: 55 04 07 0c 06 e5 8c 97 e4 ba ac 31 27 30 25 06 U..........1'0%.
0380: 03 55 04 0a 0c 1e e4 b8 ad e5 9b bd e9 93 b6 e8 .U..............
0390: a1 8c e8 82 a1 e4 bb bd e6 9c 89 e9 99 90 e5 85 ................
03a0: ac e5 8f b8 31 11 30 0f 06 03 55 04 0b 0c 08 4c ....1.0...U....L
03b0: 6f 63 61 6c 20 52 41 31 0c 30 0a 06 03 55 04 0b ocal RA1.0...U..
03c0: 0c 03 53 53 4c 31 16 30 14 06 03 55 04 03 0c 0d ..SSL1.0...U....
03d0: 65 62 73 73 65 63 2e 62 6f 63 2e 63 6e 30 59 30 ebssec.boc.cn0Y0
03e0: 13 06 07 2a 86 48 ce 3d 02 01 06 08 2a 81 1c cf ...*.H.=....*...
03f0: 55 01 82 2d 03 42 00 04 c9 f5 ab e8 5b 57 48 b5 U..-.B......[WH.
0400: aa 72 80 cb b4 1e 67 76 5f 00 3f a0 a8 75 f8 17 .r....gv_.?..u..
0410: 93 2a 22 1b 1a ac e0 e5 5a c6 af 7f f7 5c a6 b0 .*".....Z...\..
0420: b4 17 6e fb cd ce 38 69 80 41 ff 7b 9c cb 83 c5 ..n...8i.A.{....
0430: a9 76 91 1d 0a 7c 3c 4c a3 82 01 1e 30 82 01 1a .v...|***
0440: 30 1f 06 03 55 1d 23 04 18 30 16 80 14 5c 93 58 0...U.#..0...\.X
0450: 20 5a 24 73 56 10 1b 64 50 10 ec e9 a7 ca 07 41  Z$sV..dP......A
0460: 11 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 .0...U.......0.0
0470: 48 06 03 55 1d 20 04 41 30 3f 30 3d 06 08 60 81 H..U. .A0?0=..`.
0480: 1c 86 ef 2a 01 01 30 31 30 2f 06 08 2b 06 01 05 ...*..010/..+...
0490: 05 07 02 01 16 23 68 74 74 70 3a 2f 2f 77 77 77 .....#http://www
04a0: 2e 63 66 63 61 2e 63 6f 6d 2e 63 6e 2f 75 73 2f .cfca.com.cn/us/
04b0: 75 73 2d 31 34 2e 68 74 6d 30 37 06 03 55 1d 1f us-14.htm07..U..
04c0: 04 30 30 2e 30 2c a0 2a a0 28 86 26 68 74 74 70 .00.0,.*.(.&http
04d0: 3a 2f 2f 63 72 6c 2e 63 66 63 61 2e 63 6f 6d 2e ://crl.cfca.com.
04e0: 63 6e 2f 53 4d 32 2f 63 72 6c 35 36 31 38 2e 63 cn/SM2/crl5618.c
04f0: 72 6c 30 18 06 03 55 1d 11 04 11 30 0f 82 0d 65 rl0...U....0...e
0500: 62 73 73 65 63 2e 62 6f 63 2e 63 6e 30 0e 06 03 bssec.boc.cn0...
0510: 55 1d 0f 01 01 ff 04 04 03 02 03 38 30 1d 06 03 U..........80...
0520: 55 1d 0e 04 16 04 14 5f da d4 91 ef cc bc db a4 U......_........
0530: 56 c1 96 35 fb 84 dc 51 a6 3f f6 30 1d 06 03 55 V..5...Q.?.0...U
0540: 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 03 02 .%..0...+.......
0550: 06 08 2b 06 01 05 05 07 03 01 30 0c 06 08 2a 81 ..+.......0...*.
0560: 1c cf 55 01 83 75 05 00 03 48 00 30 45 02 21 00 ..U..u...H.0E.!.
0570: c2 38 58 b5 79 97 20 88 de ad fa 1e a5 c4 bc 12 .8X.y. .........
0580: 82 b0 21 dc 96 a5 97 e6 72 03 67 8f c3 ac 5c 8f ..!.....r.g...\.
0590: 02 20 37 20 ef a3 be b5 76 9c 09 85 cc 96 7f 25 . 7 ....v.....%
05a0: 42 02 76 93 7f 45 5f e0 32 d6 23 52 be 4b ba 68 B.v.E_.2.#R.K.h
05b0: 52 bf                      R.
<= Recv SSL data, 5 bytes (0x5)
0000: 16 01 01 00 4d                  ....M
== Info: (101) (IN), , Unknown (12):
<= Recv SSL data, 77 bytes (0x4d)
0000: 0c 00 00 49 00 47 30 45 02 20 07 bb 5c f7 90 d0 ...I.G0E. ..\...
0010: c0 91 fd 80 69 0f c7 78 27 7b b4 fd 55 5b 59 1b ....i..x'{..U[Y.
0020: 35 e8 14 b7 b1 72 3c 0b 04 93 02 21 00 fd 4c d7 5....r<....!..L.
0030: 5c 16 87 5f 6b 63 f3 7e a9 73 75 8b cc 56 7e fa \.._kc.~.su..V~.
0040: bc 78 bf 7a 2d cb 30 0d 3b 78 06 91 6f      .x.z-.0.;x..o
<= Recv SSL data, 5 bytes (0x5)
0000: 16 01 01 00 04                  .....
== Info: (101) (IN), , Unknown (14):
<= Recv SSL data, 4 bytes (0x4)
0000: 0e 00 00 00                   ....
=> Send SSL data, 5 bytes (0x5)
0000: 16 01 01 00 a3                  .....
== Info: (101) (OUT), , Unknown (16):
=> Send SSL data, 163 bytes (0xa3)
0000: 10 00 00 9f 00 9d 30 81 99 02 21 00 ad db a9 b8 ......0...!.....
0010: af 6f be 9e d4 78 8a d5 f6 83 e8 45 90 42 db ad .o...x.....E.B..
0020: cb 9f a0 29 2c e5 66 88 8d 27 8b 27 02 20 3d b4 ...),.f..'.'. =.
0030: dc f9 40 84 c4 02 60 96 95 a6 da f3 76 f9 d1 06 ..@...`.....v...
0040: b0 18 f5 da c6 30 2f dd da 69 d5 97 17 7f 04 20 .....0/..i....*
0050: bf 2c 65 24 97 50 7b a6 62 df 27 db 34 8f 65 bf .,e$.P{.b.'.4.e.
0060: 90 3f b9 e2 2d f0 e4 b8 17 98 c9 cf 8f 4e 78 db .?..-........Nx.
0070: 04 30 48 d8 08 d9 1e 86 31 16 82 e8 f8 bd e5 23 .0H.....1......#
0080: 0e ae 95 06 77 4f 20 ca 75 1a 43 57 05 d2 2b d6 ....wO .u.CW..+.
0090: 81 fc a5 88 b4 6e 72 6b 22 8d 87 3d 0a cd de b1 .....nrk"..=....
00a0: 6f 84 00                     o..
=> Send SSL data, 5 bytes (0x5)
0000: 14 01 01 00 01                  .....
== Info: (101) (OUT), , Change cipher spec (1):
=> Send SSL data, 1 bytes (0x1)
0000: 01                        .
=> Send SSL data, 5 bytes (0x5)
0000: 16 01 01 00 50                  ....P
== Info: (101) (OUT), , Unknown (20):
=> Send SSL data, 16 bytes (0x10)
0000: 14 00 00 0c c1 5f 9d fc 52 8d 3a 99 12 8b 4e fa ....._..R.:...N.
<= Recv SSL data, 5 bytes (0x5)
0000: 14 01 01 00 01                  .....
<= Recv SSL data, 5 bytes (0x5)
0000: 16 01 01 00 50                  ....P
== Info: (101) (IN), , Unknown (20):
<= Recv SSL data, 16 bytes (0x10)
0000: 14 00 00 0c 40 7b 25 ad a3 46 d9 8a a2 d0 27 a0 ....@{%..F....'.
== Info: SSL connection using GMSSLv1.1 / ECC-SM4-CBC-SM3
== Info: ALPN, server did not agree to a protocol
== Info: Server certificate:
== Info:  subject: C=CN; ST=\U5317\U4EAC; L=\U5317\U4EAC; O=\U4E2D\U56FD\U94F6\U884C\U80A1\U4EFD\U6709\U9650\U516C\U53F8; OU=Local RA; OU=SSL; CN=ebssec.boc.cn
== Info:  start date: Jun 11 09:05:20 2021 GMT
== Info:  expire date: Jun 19 08:16:56 2026 GMT
== Info:  issuer: C=CN; O=CFCA SM2 OCA1
== Info:  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
=> Send SSL data, 5 bytes (0x5)
0000: 17 01 01 00 80                  .....
=> Send header, 77 bytes (0x4d)
0000: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1..
0010: 48 6f 73 74 3a 20 65 62 73 73 65 63 2e 62 6f 63 Host: ebssec.boc
0020: 2e 63 6e 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a .cn..User-Agent:
0030: 20 63 75 72 6c 2f 37 2e 38 32 2e 30 0d 0a 41 63  curl/7.82.0..Ac
0040: 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0d 0a      cept: */*....
<= Recv SSL data, 5 bytes (0x5)
0000: 17 01 01 01 e0                  .....
== Info: Mark bundle as not supporting multiuse
<= Recv header, 17 bytes (0x11)
0000: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
0010: 0a                        .
<= Recv header, 37 bytes (0x25)
0000: 44 61 74 65 3a 20 53 75 6e 2c 20 31 37 20 4a 75 Date: Sun, 17 Ju
0010: 6c 20 32 30 32 32 20 30 34 3a 31 32 3a 33 36 20 l 2022 04:12:36
0020: 47 4d 54 0d 0a                  GMT..
<= Recv header, 46 bytes (0x2e)
0000: 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 53 Last-Modified: S
0010: 61 74 2c 20 32 37 20 4a 75 6e 20 32 30 31 35 20 at, 27 Jun 2015
0020: 31 36 3a 34 38 3a 33 38 20 47 4d 54 0d 0a    16:48:38 GMT..
<= Recv header, 22 bytes (0x16)
0000: 41 63 63 65 70 74 2d 52 61 6e 67 65 73 3a 20 62 Accept-Ranges: b
0010: 79 74 65 73 0d 0a                ytes..
<= Recv header, 21 bytes (0x15)
0000: 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 Content-Length:
0010: 31 35 36 0d 0a                  156..
<= Recv header, 28 bytes (0x1c)
0000: 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6d Cache-Control: m
0010: 61 78 2d 61 67 65 3d 33 30 30 0d 0a       ax-age=300..
<= Recv header, 40 bytes (0x28)
0000: 45 78 70 69 72 65 73 3a 20 53 75 6e 2c 20 31 37 Expires: Sun, 17
0010: 20 4a 75 6c 20 32 30 32 32 20 30 34 3a 31 37 3a  Jul 2022 04:17:
0020: 33 36 20 47 4d 54 0d 0a             36 GMT..
<= Recv header, 34 bytes (0x22)
0000: 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 Vary: Accept-Enc
0010: 6f 64 69 6e 67 2c 55 73 65 72 2d 41 67 65 6e 74 oding,User-Agent
0020: 0d 0a                      ..
<= Recv header, 25 bytes (0x19)
0000: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 Content-Type: te
0010: 78 74 2f 68 74 6d 6c 0d 0a            xt/html..
<= Recv header, 2 bytes (0x2)
0000: 0d 0a                      ..
<= Recv data, 156 bytes (0x9c)
0000: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c <!DOCTYPE html><
0010: 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 html><head><meta
0020: 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66  http-equiv="ref
0030: 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 resh" content="0
0040: 3b 75 72 6c 3d 2f 62 6f 63 31 35 2f 6c 6f 67 69 ;url=/boc15/logi
0050: 6e 2e 68 74 6d 6c 22 3e 3c 6d 65 74 61 20 6e 61 n.html"><meta na
0060: 6d 65 3d 22 72 65 6e 64 65 72 65 72 22 20 63 6f me="renderer" co
0070: 6e 74 65 6e 74 3d 22 69 65 2d 73 74 61 6e 64 22 ntent="ie-stand"
0080: 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f ></head><body></
0090: 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e             body></html>
<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0;url=/boc15/login.html"><meta name="renderer" content="ie-stand"></head><body></body></html>== Info: Connection #0 to host ebssec.boc.cn left intact

Notes:

1) The complete data of the GM SSL process is visible

2) The log can be written to a file,

i.e. ./gmcurl --gmssl -k --trace ssl.log https://ebssec.boc.cn
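
The trace above labels every handshake message "Unknown (N)". As an added example (not part of gmcurl or the original article), the following Python reads --trace output, names the record headers and handshake messages, and lists the cipher suites carried in the ClientHello and ServerHello. The suite ids are those of GB/T 38636-2020, written in the hyphenated style curl prints; the function names are illustrative.

```python
import re

# Handshake types this curl build prints as "Unknown (N)" (standard TLS numbering).
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
RECORD = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
# TLCP suite ids from GB/T 38636-2020; 0xe013 is the suite curl reports above.
SUITES = {0xE011: "ECDHE-SM4-CBC-SM3", 0xE013: "ECC-SM4-CBC-SM3",
          0xE051: "ECDHE-SM4-GCM-SM3", 0xE053: "ECC-SM4-GCM-SM3"}

# Sample input: the ClientHello and ServerHello blocks copied from the trace above.
SAMPLE = """\
=> Send SSL data, 5 bytes (0x5)
0000: 16 01 01 00 80 .....
=> Send SSL data, 128 bytes (0x80)
0000: 01 00 00 7c 01 01 04 8c 21 8f c5 fc d8 1e 9b 15 ...|....!.......
0010: 54 11 1b 7b cc 4f de bf 56 46 f7 30 85 b6 32 46 T..{.O..VF.0..2F
0020: 28 b5 03 7a 80 17 00 00 0e e0 53 e0 51 e0 13 e0 (..z......S.Q...
0030: 11 e0 03 e0 01 00 ff 01 00 00 45 00 00 00 12 00 ..........E.....
0040: 10 00 00 0d 65 62 73 73 65 63 2e 62 6f 63 2e 63 ....ebssec.boc.c
0050: 6e 00 0b 00 04 03 00 01 02 00 0a 00 0c 00 0a 00 n...............
0060: 1d 00 17 00 1e 00 19 00 18 33 74 00 00 00 10 00 .........3t.....
0070: 0b 00 09 08 68 74 74 70 2f 31 2e 31 00 16 00 00 ....http/1.1....
<= Recv SSL data, 5 bytes (0x5)
0000: 16 01 01 00 39 ....9
<= Recv SSL data, 57 bytes (0x39)
0000: 02 00 00 35 01 01 62 d3 8c 34 7c a3 f0 aa e3 da ...5..b..4|.....
0010: 61 85 fd 8e 05 77 98 f0 9e 3e f0 82 3d 57 70 cf a....w...>..=Wp.
0020: e1 74 dc 19 54 44 00 e0 13 00 00 0d ff 01 00 01 .t..TD..........
0030: 00 00 0b 00 04 03 00 01 02 .........
"""

BLOCK = re.compile(r"^(=>|<=) (?:Send|Recv) SSL data, (\d+) bytes")
HEXLINE = re.compile(r"^[0-9a-f]{4}: (.*)$")

def read_blocks(trace):
    """Return [(direction, bytes)] for every 'SSL data' block in a --trace log."""
    blocks, cur = [], None
    for line in trace.splitlines():
        head, dump = BLOCK.match(line), HEXLINE.match(line)
        if head:
            cur = [head.group(1), int(head.group(2)), bytearray()]
            blocks.append(cur)
        elif dump and cur:
            # Hex tokens come first, the ASCII column follows: take only the bytes owed.
            want = min(16, cur[1] - len(cur[2]))
            cur[2] += bytes(int(t, 16) for t in dump.group(1).split()[:want])
        elif not dump:
            cur = None  # "== Info" lines and header/data blocks end an SSL block
    return [(d, bytes(b)) for d, _, b in blocks]

def hello_suites(msg):
    """Suites offered in a ClientHello or selected in a ServerHello, else []."""
    if msg[0] not in (1, 2):
        return []
    pos = 4 + 2 + 32            # skip handshake header, version, random
    pos += 1 + msg[pos]         # skip session id
    end = pos + 2               # ServerHello: exactly one suite
    if msg[0] == 1:             # ClientHello: 2-byte length, then the list
        pos, end = pos + 2, pos + 2 + int.from_bytes(msg[pos:pos + 2], "big")
    ids = [int.from_bytes(msg[i:i + 2], "big") for i in range(pos, end, 2)]
    return [SUITES.get(i, "0x%04x" % i) for i in ids]

def decode(trace):
    """Name each record header and handshake message found in the trace."""
    events, pending = [], {}
    for direction, data in read_blocks(trace):
        who = "client" if direction == "=>" else "server"
        if len(data) == 5 and data[0] in RECORD and data[1:3] == b"\x01\x01":
            pending[who] = data[0]  # 5-byte record header, TLCP version 0x0101
            events.append((who, RECORD[data[0]], int.from_bytes(data[3:5], "big")))
        elif pending.pop(who, None) == 22 and len(data) >= 4:
            events.append((who, HANDSHAKE.get(data[0], "?"), hello_suites(data)))
    return events
```

Calling decode() on the text of a saved ssl.log returns one tuple per record header or handshake message; suite ids that are not in the table are shown as hex.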

4. Using GM curl (mutual GM SSL)

4.1 Generating the user's GM dual certificates

4.2 Accessing with the user's GM dual certificates

[root@206test ~]# ./gmcurl --gmssl -k --cert ./sm2.user1.sig.crt.pem --key ./sm2.user1.sig.key.pem --cert2 ./sm2.user1.enc.crt.pem --key2 ./sm2.user1.enc.key.pem https://demo.gmssl.cn:1443
GM Version: 1.0.0 Ported by www.gmssl.cn
Options:
--gmssl, use TLCP protocol
--cert,  use sm2 sig pem cert
--key,   use sm2 sig pem key
--cert2, use sm2 enc pem cert
--key2,  use sm2 enc pem key

<!DOCTYPE html>
<HTML>
<HEAD>
<TITLE>恭喜</TITLE>
<META http-equiv=Content-Type content="text/html; charset=UTF-8">
<STYLE type=text/css>
.style1 
{
    font-family: Consolas,monospace; 
    font-size: 14px; 
    white-space: nowrap;
}
</STYLE>
</HEAD>
<BODY>
    <BR>
    <BR>
    <CENTER>
        <TABLE cellPadding=5 width=400>
            <TBODY>
                <TR>
                    <TD align=middle>
                        <p class="style1">成功访问了受HTTPS保护的页面。</p>
                    </TD>
                </TR>
                <TR>
                    <TD align=middle>
                        <span class="style1"><b>SSL信息:</b>GMSSLv1.1,ECC-SM4-GCM-SM3</span>
                    </TD>
                </TR>
                
                <TR>
                    <TD align=left>
                        <span class="style1"><b>证书信息</b></span>
                    </TD>
                </TR>
                <TR>
                    <TD align=left>
                        <span class="style1">&nbsp;&nbsp;[0]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Version:&nbsp;3<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;SerialNumber:&nbsp;1658039001384<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;IssuerDN:&nbsp;C=CN,O=GMSSL,OU=PKI/SM2,CN=MiddleCA&nbsp;for&nbsp;Test<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Start&nbsp;Date:&nbsp;Sun&nbsp;Jul&nbsp;17&nbsp;00:00:00&nbsp;CST&nbsp;2022<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Final&nbsp;Date:&nbsp;Mon&nbsp;Jul&nbsp;17&nbsp;00:00:00&nbsp;CST&nbsp;2023<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;SubjectDN:&nbsp;C=CN,CN=user1<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Public&nbsp;Key:&nbsp;EC&nbsp;Public&nbsp;Key<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;X:&nbsp;97c5e022cd46ff344da14c59c97d1d71d67b4daf2c5b1c6687adde3fd3e3d051<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Y:&nbsp;97015282f9dc49ea209aebc5b0c1b4f81b8018b391d5195438bdab9251fe1341<br>&nbsp;&nbsp;Signature&nbsp;Algorithm:&nbsp;1.2.156.10197.1.501<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Signature:<br>&nbsp;3045022100f7937695e82f349cc00fe94cc07988<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0ecd5ff1b36bcf25b144f1a150889bd89b022075<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;f9cae85fdcd0ad30e6b4cd2cbd95686ee1310f89<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;56605827f6501148800988<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Extensions:&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nb
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;critical(false)&nbsp;2.5.29.35&nbsp;value&nbsp;=&nbsp;Sequence<br>&nbsp;&nbsp;&nbsp;&nbsp;Tagged&nbsp;[0]&nbsp;IMPLICIT&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DER&nbsp;Octet&nbsp;String[16]&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;critical(false)&nbsp;2.5.29.14&nbsp;value&nbsp;=&nbsp;DER&nbsp;Octet&nbsp;String[16]&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;critical(false)&nbsp;BasicConstraints:&nbsp;isCa(false)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;critical(true)&nbsp;KeyUsage:&nbsp;0xc0<br></span>
                    </TD>
                </TR>
                
                
                <TR>
                    <TD align=left>
                        <span class="style1"><b>证书PEM</b></span>
                    </TD>
                </TR>
                <TR>
                    <TD align=left>
                        <span class="style1">-----BEGIN&nbsp;CERTIFICATE-----<br>MIIBuTCCAV2gAwIBAgIGAYIK02EoMAwGCCqBHM9VAYN1BQAwSzELMAkGA1UEBhMC<br>Q04xDjAMBgNVBAoTBUdNU1NMMRAwDgYDVQQLEwdQS0kvU00yMRowGAYDVQQDExFN<br>aWRkbGVDQSBmb3IgVGVzdDAiGA8yMDIyMDcxNjE2MDAwMFoYDzIwMjMwNzE2MTYw<br>MDAwWjAdMQswCQYDVQQGEwJDTjEOMAwGA1UEAxMFdXNlcjEwWTATBgcqhkjOPQIB<br>BggqgRzPVQGCLQNCAASXxeAizUb/NE2hTFnJfR1x1ntNryxbHGaHrd4/0+PQUZcB<br>UoL53EnqIJrrxbDBtPgbgBizkdUZVDi9q5JR/hNBo1UwUzAbBgNVHSMEFDASgBD5<br>f1W0J5QzYqZWym/MXRr/MBkGA1UdDgQSBBBTZ9eBZ4tYvhe+Sj2oeI4xMAkGA1Ud<br>EwQCMAAwDgYDVR0PAQH/BAQDAgDAMAwGCCqBHM9VAYN1BQADSAAwRQIhAPeTdpXo<br>LzScwA/pTMB5iA7NX/Gza88lsUTxoVCIm9ibAiB1+croX9zQrTDmtM0svZVobuEx<br>D4lWYFgn9lARSIAJiA==<br>-----END&nbsp;CERTIFICATE-----<br></span>
                    </TD>
                </TR>
                
            </TBODY>
        </TABLE>
    </CENTER>
</BODY>
</HTML>

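Notes:

1) https://demo.gmssl.cn:1443 also supports one-way GM SSL; it can be accessed without a client certificate, but the page then does not show the client certificate information

5. Downloading GM curl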

1) XP/Win7/Win10

https://www.gmssl.cn/gmssl/down/gmcurl.exe

2) CentOS7/8

https://www.gmssl.cn/gmssl/down/gmcurl

3) MacOS x86_64

https://www.gmssl.cn/gmssl/down/gmcurl_macos_x64
