Well, Tomatoware 1.7 is now built against OpenSSL 1.1.1b, so this post can be skipped.
As mentioned in the previous post, building curl under Tomatoware against the latest OpenSSL 1.1.1a/b runs into an "openssl version mismatch" error, because the base system still carries the old OpenSSL 1.0.2, and replacing the system's 1.0.x with 1.1.1x outright is risky, so at the time I went with WolfSSL instead. Today I got around it with an ugly hack; at any rate it produced a statically linked curl executable built against OpenSSL 1.1.1b.
The script is as follows:
#!/bin/sh
[ -z "$1" ] && { echo "Usage: ./openssl-fix fix|restore"; exit 1; }
[ "$1" = "fix" ] && {
    # Move the system OpenSSL 1.0.2 libraries and binary aside (suffix "_"),
    # then point the static .a files and the openssl binary at the 1.1.1b tree.
    mv /mmc/lib/libcrypto.a /mmc/lib/libcrypto.a_
    mv /mmc/lib/libcrypto.so /mmc/lib/libcrypto.so_
    mv /mmc/lib/libssl.a /mmc/lib/libssl.a_
    mv /mmc/lib/libssl.so /mmc/lib/libssl.so_
    mv /mmc/bin/openssl /mmc/bin/openssl_
    ln -s /mmc/src/openssl-1.1.1b/apps/openssl /mmc/bin/openssl
    ln -s /mmc/src/openssl-1.1.1b/lib/libcrypto.a /mmc/lib/libcrypto.a
    ln -s /mmc/src/openssl-1.1.1b/lib/libssl.a /mmc/lib/libssl.a
}
[ "$1" = "restore" ] && {
    # Drop the symlinks and put the original 1.0.2 files back.
    rm /mmc/lib/libcrypto.a /mmc/lib/libssl.a
    mv /mmc/lib/libcrypto.a_ /mmc/lib/libcrypto.a
    mv /mmc/lib/libcrypto.so_ /mmc/lib/libcrypto.so
    mv /mmc/lib/libssl.a_ /mmc/lib/libssl.a
    mv /mmc/lib/libssl.so_ /mmc/lib/libssl.so
    rm /mmc/bin/openssl
    mv /mmc/bin/openssl_ /mmc/bin/openssl
}
Run ./openssl-fix fix before building, and ./openssl-fix restore once the build has finished.
make clean
./configure --prefix=/opt --with-ca-bundle=/opt/etc/ssl/certs/ca-certificates.crt --with-ca-fallback --with-ssl=/mmc/src/openssl-1.1.1b --with-nghttp2 --enable-ares --disable-ldap --disable-shared --without-libpsl --disable-ntlm-wb --disable-ldap --disable-ldaps --disable-dict --disable-ipv6 --without-libssh2 --disable-gopher --without-libidn --without-libidn2 --disable-nls --disable-manual --without-krb4
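The swap above has one sharp edge: while "fix" is in effect the system's libssl.so and libcrypto.so are moved away, so anything on the router that dynamically links them and starts during the build breaks, and if configure or make fails before "restore" runs, the system stays in that state. The script below is an added example, not the post's script, that wraps the same swap in a trap so the restore runs on any exit, refuses to run "fix" twice (which would overwrite the "_" backups), and adds a check of the curl -V banner so the result can be confirmed to be linked against the intended OpenSSL. The /mmc paths are parameters here; the layout under SRCDIR (apps/openssl, lib/libcrypto.a, lib/libssl.a) is assumed to match the symlink targets in the post.

```shell
#!/bin/sh
# Added example (not the post's script): trap-protected OpenSSL swap for a
# one-off static curl build, plus a banner check on the result.
# Assumed layout: LIBDIR holds the system libssl/libcrypto, BINDIR the
# system openssl binary, SRCDIR the freshly built OpenSSL tree.

# swap_openssl LIBDIR BINDIR SRCDIR fix|restore
swap_openssl() {
    libdir=$1; bindir=$2; srcdir=$3; mode=$4
    case "$mode" in
    fix)
        # A second "fix" would clobber the "_" backups, so refuse it.
        [ -e "$libdir/libcrypto.a_" ] && { echo "already fixed" >&2; return 1; }
        for f in libcrypto.a libcrypto.so libssl.a libssl.so; do
            mv "$libdir/$f" "$libdir/${f}_" || return 1
        done
        mv "$bindir/openssl" "$bindir/openssl_" || return 1
        # Only the static archives are linked in; the .so files stay moved away
        # so the build cannot accidentally pick up the old shared library.
        ln -s "$srcdir/apps/openssl" "$bindir/openssl"
        ln -s "$srcdir/lib/libcrypto.a" "$libdir/libcrypto.a"
        ln -s "$srcdir/lib/libssl.a" "$libdir/libssl.a"
        ;;
    restore)
        [ -e "$libdir/libcrypto.a_" ] || { echo "nothing to restore" >&2; return 1; }
        rm -f "$libdir/libcrypto.a" "$libdir/libssl.a" "$bindir/openssl"
        for f in libcrypto.a libcrypto.so libssl.a libssl.so; do
            mv "$libdir/${f}_" "$libdir/$f" || return 1
        done
        mv "$bindir/openssl_" "$bindir/openssl"
        ;;
    *)
        echo "usage: swap_openssl LIBDIR BINDIR SRCDIR fix|restore" >&2
        return 2
        ;;
    esac
}

# build_with_swap LIBDIR BINDIR SRCDIR CMD...: run the build command with the
# swap in place and restore the system files on any exit, including a failed
# configure/make or an interrupted session.
build_with_swap() {
    libdir=$1; bindir=$2; srcdir=$3; shift 3
    swap_openssl "$libdir" "$bindir" "$srcdir" fix || return 1
    trap 'swap_openssl "$libdir" "$bindir" "$srcdir" restore' EXIT INT TERM
    "$@"
    rc=$?
    swap_openssl "$libdir" "$bindir" "$srcdir" restore
    trap - EXIT INT TERM
    return $rc
}

# check_curl_ssl BANNER_LINE EXPECTED: confirm the first line of "curl -V"
# names OpenSSL/EXPECTED as the TLS backend and not the earlier wolfSSL build.
check_curl_ssl() {
    line=$1; expected=$2
    case " $line " in
    *" OpenSSL/$expected "*) ;;
    *) echo "curl is not linked against OpenSSL/$expected" >&2; return 1 ;;
    esac
    case "$line" in
    *wolfSSL*|*WolfSSL*) echo "unexpected wolfSSL backend in banner" >&2; return 1 ;;
    esac
    return 0
}

# Stand-alone use: ./openssl-swap.sh LIBDIR BINDIR SRCDIR fix|restore
if [ "$#" -eq 4 ]; then
    swap_openssl "$@"
fi
```

A typical invocation would be build_with_swap /mmc/lib /mmc/bin /mmc/src/openssl-1.1.1b sh -c 'make clean && ./configure ... && make', followed by check_curl_ssl "$(./src/curl -V | head -n1)" 1.1.1b on the freshly built binary; the banner check is deliberately string-based so it can be run on the router itself without any extra tooling.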
Result:
curl -V
curl 7.64.0 (armv7l-unknown-linux-uclibceabi) libcurl/7.64.0 OpenSSL/1.1.1b zlib/1.2.11 c-ares/1.15.0 nghttp2/1.35.1
Release-Date: 2019-02-06
Protocols: file ftp ftps http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS Largefile NTLM SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy
The debug output is more detailed than with the WolfSSL build:
curl -I -v https://www.quakemachinex.com
* Expire in 0 ms for 6 (transfer 0x2fc958)
* Expire in 5000 ms for 1 (transfer 0x2fc958)
* Expire in 5000 ms for 1 (transfer 0x2fc958)
* Expire in 300000 ms for 1 (transfer 0x2fc958)
* Trying 149.129.109.155...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x2fc958)
* Connected to www.quakemachinex.com (149.129.109.155) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /opt/etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=www.quakemachinex.com
* start date: Feb 12 06:31:41 2019 GMT
* expire date: May 13 06:31:41 2019 GMT
* subjectAltName: host "www.quakemachinex.com" matched cert's "www.quakemachinex.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x2fc958)
> HEAD / HTTP/2
> Host: www.quakemachinex.com
> User-Agent: curl/7.64.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
HTTP/2 200