The curl command-line tool can issue HTTPS requests, but it does not support the Chinese national-standard (SM, "guomi") TLCP protocol. The Tongsuo curl project builds on curl and, using Tongsuo, adds SM-based HTTPS (HTTPS over TLCP) to the curl command line, and also to libcurl.
1. Download curl from the Tongsuo website
https://www.tongsuo.net/releases/
2. Build Tongsuo curl from source
2.1. It is based on Tongsuo, so Tongsuo must be built first
git clone https://github.com/Tongsuo-Project/Tongsuo
cd Tongsuo
./config --prefix=/opt/tongsuo enable-ntls
(1) If this fails, a dependency is missing
Tongsuo is an SM-enabled fork of OpenSSL, and its build scripts depend on a number of Perl modules such as Text::Template and IPC::Cmd; when one is missing you get an error of the form "Can't locate xxx.pm". Each time an error names a missing module, install it as the message suggests.
(2) To install the build dependencies in one go
yum install perl-IPC-Cmd perl-Text-Template
(3) yum installation of the modules is blocked by a GPG key error from the third-party repository city-fan.org

(4) Temporarily bypass GPG verification and install with yum directly
This is being compiled on your own machine, not in a production or security-sensitive environment; no CPAN setup is needed, and this is the quickest way to get a result:
yum install --nogpgcheck perl-IPC-Cmd perl-ExtUtils-MakeMaker perl-ExtUtils-Manifest perl-ExtUtils-ParseXS

(5) Verify after installation
perl -MIPC::Cmd -e 'print "OK\n"'

(6) Find where IPC/Cmd.pm is and confirm that its path is in @INC
find /usr -name Cmd.pm
/usr/bin/perl -e 'print join("\n", @INC), "\n";'

If the output is OK, run: /usr/bin/perl ./config --prefix=/opt/tongsuo enable-ntls

make -j
make install

cd ../
git clone https://github.com/Tongsuo-Project/curl.git
cd curl
git apply tongsuo.patch

2.2. Requires autoconf, automake and libtool
autoreconf -fi

# Requires pkg-config; otherwise you may get: configure: error: --with-openssl was given but OpenSSL could not be detected
# If configure fails, a library curl depends on may be missing (e.g. brotli); install the dependency or disable the option, e.g. by adding --without-brotli
LDFLAGS=-Wl,-rpath=/opt/tongsuo/lib64 ./configure --enable-warnings --enable-werror --with-openssl=/opt/tongsuo

If it errors, run: yum install --nogpgcheck libpsl-devel; after installing libpsl-devel, rebuild curl and Tongsuo


make -j
# By default the curl command line is installed to /usr/local/bin and libcurl to /usr/local/lib
make install

make install has completed without errors; curl has been built and installed to /usr/local/bin/curl, linked against the Tongsuo installed in /opt/tongsuo (in place of the system OpenSSL)
2.3. Verify that curl built successfully and is linked to Tongsuo
/usr/local/bin/curl --version
ldd /usr/local/bin/curl | grep ssl
ldd /usr/local/bin/curl | grep crypto

3. Using SM HTTPS from the curl command line
#/usr/local/bin/curl --tlcp -kv https://a1.esa-test5.alicdn-test.com --sign-cert gm.sign.crt --sign-key gm.sign.key --enc-cert gm.enc.crt --enc-key gm.enc.key
* Host a1.esa-test5.alicdn-test.com:443 was resolved.
* IPv6: (none)
* IPv4: 14.215.30.146
* Trying 14.215.30.146:443...
* ALPN: curl offers h2,http/1.1
* (101) (OUT), , Unknown (1):
* (101) (IN), , Unknown (2):
* (101) (IN), , Unknown (11):
* (101) (IN), , Unknown (12):
* (101) (IN), , Unknown (14):
* (101) (OUT), , Unknown (16):
* (101) (OUT), , Change cipher spec (1):
* (101) (OUT), , Unknown (20):
* (101) (IN), , Unknown (20):
* SSL connection using NTLSv1.1 / ECC-SM2-SM4-CBC-SM3 / UNDEF / SM2
* ALPN: server accepted h2
* Server certificate:
* subject: CN=a1.esa-test5.alicdn-test.com
* start date: Nov 25 07:31:10 2025 GMT
* expire date: Dec 2 07:31:10 2025 GMT
* issuer: CN=a1.esa-test5.alicdn-test.com
* SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Certificate level 0: Public key type SM2/SM2 (256/128 Bits/secBits), signed using SM2-with-SM3
* Certificate level 1: Public key type SM2/SM2 (256/128 Bits/secBits), signed using SM2-with-SM3
* Connected to a1.esa-test5.alicdn-test.com (14.215.30.146) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://a1.esa-test5.alicdn-test.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: a1.esa-test5.alicdn-test.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.12.0-DEV]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: a1.esa-test5.alicdn-test.com
> User-Agent: curl/8.12.0-DEV
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< server: ESA
< content-type: text/plain
< set-cookie: acw_tc=0ed71ea117640666951962581e21bf8ba5452ddec18e35bd56a81ea062;path=/;HttpOnly;Max-Age=3600
< set-cookie: cdn_sec_tc=0ed71ea117640666951962581e21bf8ba5452ddec18e35bd56a81ea062;path=/;HttpOnly;Max-Age=3600
< strict-transport-security: max-age=2592000; includeSubDomains; preload
< cache-control: no-cache
< date: Tue, 25 Nov 2025 10:31:35 GMT
< vary: Accept-Encoding
< via: ens-cache2.cn6659[109,0,DP], ens-cache2.cn6659[110,110,200-0,M], ens-cache8.cn6659[113,0]
< x-site-perf-l4: ens-cache2.cn6659[PP,42752->47.98.167.0:443,1|84|0|0]
< x-site-perf-l7: ens-cache2.cn6659[H1S,2|0|111]
< x-site-perf-conn-time: 84
< x-site-perf-conn-count: 1
< port: 443
< ali-swift-global-savetime: 1764066695
< x-site-cache-status: BYPASS
< x-swift-savetime: Tue, 25 Nov 2025 10:31:35 GMT
< x-swift-cachetime: 0
< timing-allow-origin: *
< eagleid: 0ed71ea117640666951962581e
<
GET / HTTP/1.1
User-Agent: curl/8.12.0-DEV
Accept: */*
Eagleeye-Traceid: 0ed71ea117640666951962581e
X-Forwarded-For: 106.11.32.74
cdn-loop: esa;loop=1
Host: a1.esa-test5.alicdn-test.com
Remote-Address: 14.215.30.155
Scheme: https
SNI: a1.esa-test5.alicdn-test.com* Connection #0 to host a1.esa-test5.alicdn-test.com left intact
2473
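The run above uses -k, so curl logs "self-signed certificate (18), continuing anyway" and still completes. The following script is an added check, not part of this post or of the Tongsuo curl project: it reads saved `curl --tlcp -v` stderr and confirms both that TLCP was actually negotiated (Tongsuo reports it as NTLSv1.1 with an SM2/SM4/SM3 suite) and that the server certificate was verified rather than waved through. It assumes the log line formats shown in this post plus curl's standard "SSL certificate verify ok." message; the sample input is constructed, not a live capture.

```shell
#!/bin/sh
# Usage on a real run:  curl --tlcp -v https://host ... 2>out.txt; tlcp_check out.txt

# Constructed sample modelled on the handshake lines in this post (not a live capture).
TLCP_SAMPLE="${TMPDIR:-/tmp}/tlcp_sample.$$"
cat > "$TLCP_SAMPLE" <<'EOF'
* ALPN: curl offers h2,http/1.1
* SSL connection using NTLSv1.1 / ECC-SM2-SM4-CBC-SM3 / UNDEF / SM2
* Server certificate:
* subject: CN=tlcp.example.test
* issuer: CN=tlcp.example.test
* SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Certificate level 0: Public key type SM2/SM2 (256/128 Bits/secBits), signed using SM2-with-SM3
EOF

# Same handshake, but with a chain that curl accepted (constructed variant).
TLCP_SAMPLE_OK="${TMPDIR:-/tmp}/tlcp_sample_ok.$$"
sed 's/^\* SSL certificate verify result:.*/* SSL certificate verify ok./' "$TLCP_SAMPLE" > "$TLCP_SAMPLE_OK"

# Print "<protocol> <cipher>" taken from curl's "SSL connection using" line.
tlcp_suite() {
  sed -n 's/^\* SSL connection using \([^ ]*\) \/ \([^ ]*\).*/\1 \2/p' "$1" | head -n 1
}

# 0 if the connection is TLCP with an SM2/SM4/SM3 suite, 1 otherwise
# (a plain TLSv1.x / AES suite means the --tlcp request was not honoured).
tlcp_is_gm() {
  case "$(tlcp_suite "$1")" in
    "NTLSv1.1 "*SM2*SM4*SM3*) return 0 ;;
  esac
  return 1
}

# 0 only if curl logged the peer certificate as verified. With -k a failed
# verification is logged as "... continuing anyway", which must not count as success.
tlcp_cert_verified() {
  grep -q 'SSL certificate verify ok' "$1"
}

# Combined verdict: print what was negotiated, return 0 only when both checks hold.
tlcp_check() {
  suite=$(tlcp_suite "$1")
  [ -n "$suite" ] || { echo "no TLS handshake found in $1"; return 1; }
  echo "negotiated: $suite"
  tlcp_is_gm "$1" || { echo "FAIL: not a TLCP (SM2/SM4/SM3) handshake"; return 1; }
  tlcp_cert_verified "$1" || { echo "FAIL: certificate not verified (drop -k, pass --cacert with the SM2 root CA)"; return 1; }
  echo "OK: TLCP handshake with verified certificate"
}

tlcp_check "$TLCP_SAMPLE" || echo "(expected: the -k run in this post fails the check)"
tlcp_check "$TLCP_SAMPLE_OK"
```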
