Platform
Darwin MacBookPro.local 16.0.0 Darwin Kernel Version 16.0.0: Mon Aug 29 17:56:20 PDT 2016; root:xnu-3789.1.32~3/RELEASE_X86_64 x86_64
curl HTTPS request
curl -vo /dev/null https://m2.mogucdn.com/p1/160725/upload_ifrtenzsgq4gcodghezdambqhayde_217x278.jpg
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 183.134.101.194...
* Connected to m2.mogucdn.com (183.134.101.194) port 443 (#0)
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.mogucdn.com
* Server certificate: Symantec Class 3 Secure Server CA - G4
* Server certificate: VeriSign Class 3 Public Primary Certification Authority - G5
> GET /p1/160725/upload_ifrtenzsgq4gcodghezdambqhayde_217x278.jpg HTTP/1.1
> Host: m2.mogucdn.com
> User-Agent: curl/7.49.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: marco/0.18
< Date: Mon, 17 Oct 2016 01:35:10 GMT
< Content-Type: image/jpeg
< Content-Length: 14567
< Connection: keep-alive
< X-Source: C/200
< Content-Disposition: inline; filename="upload_ifrtenzsgq4gcodghezdambqhayde_217x278.jpg"
< X-Reqid: xG4AAMPudKhtCX0U
< Cache-Control: public, max-age=31536000
< ETag: "FrEoguEfkogJg6isWcHDYxZUY11n"
< X-Log: mc.g:1/404;mc.g/404;rs24_14.sel/not found;rdb.g;bs.r.31.212.1458505593;DBD;v4.get;qtbl.get:1;RS.dbs:1;mc.s;RS:2;mc.s;IO:22
< Content-Transfer-Encoding: binary
< Access-Control-Expose-Headers: X-Log, X-Reqid
< Access-Control-Allow-Origin: *
< X-Qiniu-Zone: 0
< Last-Modified: Mon, 25 Jul 2016 09:17:27 GMT
< Access-Control-Max-Age: 2592000
< Accept-Ranges: bytes
< Age: 321492
< X-Cache: HIT from mix-hz-fdi-165; HIT from ctn-zj-lna-196
< X-Request-Id: f21941237599a1607a1ce9269a2218f6; 5332a25e863cd10e64e2b85437d89684
< Via: S.mix-hz-fdi-171, T.101165.H.1, V.mix-hz-fdi-165, T.101197.H.1, M.ctn-zj-lna-196
<
{ [14567 bytes data]
100 14567 100 14567 0 0 28797 0 --:--:-- --:--:-- --:--:-- 28788
* Connection #0 to host m2.mogucdn.com left intact
As shown, the request succeeds normally. Now testing with wget in the same environment:
wget https://m2.mogucdn.com/p1/160725/upload_ifrtenzsgq4gcodghezdambqhayde_217x278.jpg
--2016-10-17 09:35:20-- https://m2.mogucdn.com/p1/160725/upload_ifrtenzsgq4gcodghezdambqhayde_217x278.jpg
Resolving m2.mogucdn.com... 183.134.101.194, 183.158.35.57, 183.158.35.59, ...
Connecting to m2.mogucdn.com|183.134.101.194|:443... connected.
ERROR: cannot verify m2.mogucdn.com's certificate, issued by 'CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US':
Unable to locally verify the issuer's authority.
To connect to m2.mogucdn.com insecurely, use `--no-check-certificate'.
Switching to a local virtual machine. Environment:
Linux localhost.localdomain 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Testing with curl:
curl -vo /dev/null https://m2.mogucdn.com/p1/160725/upload_ifrtenzsgq4gcodghezdambqhayde_217x278.jpg
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 183.158.35.59...
* TCP_NODELAY set
* Connected to m2.mogucdn.com (183.158.35.59) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Server certificate:
* subject: CN=*.mogucdn.com,OU=RD,O=Hangzhou Juangua Network Limited,L=Hangzhou,ST=Zhejiang,C=CN
* start date: Mar 02 00:00:00 2015 GMT
* expire date: Mar 01 23:59:59 2018 GMT
* common name: *.mogucdn.com
* issuer: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Curl_http_done: called premature == 1
* stopped the pause stream!
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
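Why can curl on OS X verify the certificate successfully, while wget in the same environment and curl on Linux cannot? (PS: the certificate does have a problem; the certificate chain is incomplete.)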
The problem is probably related to --with-darwinssl.