Curl

Downloading from a public server: SSL certificate problem: unable to get local issuer certificate

  • March 12, 2021

I want to download a file from a public server ( https://discovery.ucl.ac.uk/1575442/1/Palmisanoetal.zip ) using R commands:

db_url <- "https://discovery.ucl.ac.uk/1575442/1/Palmisanoetal.zip"  # the file linked above
temp <- tempfile()
utils::download.file(db_url, temp, method = 'curl')

This does not work on my Ubuntu 18.04.3 LTS (Bionic Beaver) system. I get the following error:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Error in utils::download.file(db_url, temp, method = "curl") : 
'curl' call had nonzero exit status

I get the same error using curl on the command line ( curl https://discovery.ucl.ac.uk/1575442/1/Palmisanoetal.zip ).

I did some experimenting and Googling and found that my browser (Chromium) can access the file without any problem. My system/curl seems to be missing a CA certificate that my browser has. I tried to determine which certificate the server is using with openssl s_client -showcerts -servername discovery.ucl.ac.uk -connect discovery.ucl.ac.uk:443 and added the result (QuoVadis EV SSL ICA G3) to my /etc/ssl/certs/ca-certificates.crt file. That did not solve the problem.

I don't want to solve this with curl's --insecure flag. I also have no control over https://discovery.ucl.ac.uk. I just want to access the file with R.

Curl fails because the site is misconfigured

Certificates are used to sign other certificates, forming a chain. A CA has a root certificate, which is trusted by operating systems and browsers. This root certificate is most often used to sign one or more intermediate certificates, which in turn are used to sign leaf certificates (which cannot sign other certificates); these are what websites use.

Browsers and operating systems tend to carry only root certificates, but to verify a leaf certificate (and establish a secure connection) the client needs the whole certificate chain. In practice this means a website must provide not only its leaf certificate but also the intermediate certificate(s) used. And discovery.ucl.ac.uk does not do that.

I'll show you.

Finding the problem

openssl is an X509/SSL Swiss army knife and is very useful here:

% openssl s_client -connect discovery.ucl.ac.uk:443 -servername discovery.ucl.ac.uk -showcerts
CONNECTED(00000003)
depth=0 jurisdictionC = GB, businessCategory = Government Entity, serialNumber = November-15-77, C = GB, ST = London, L = London, O = University College London, CN = discovery.ucl.ac.uk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 jurisdictionC = GB, businessCategory = Government Entity, serialNumber = November-15-77, C = GB, ST = London, L = London, O = University College London, CN = discovery.ucl.ac.uk
verify error:num=21:unable to verify the first certificate
verify return:1
140212799304832:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
---
Certificate chain
0 s:jurisdictionC = GB, businessCategory = Government Entity, serialNumber = November-15-77, C = GB, ST = London, L = London, O = University College London, CN = discovery.ucl.ac.uk
  i:C = BM, O = QuoVadis Limited, CN = QuoVadis EV SSL ICA G3
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=jurisdictionC = GB, businessCategory = Government Entity, serialNumber = November-15-77, C = GB, ST = London, L = London, O = University College London, CN = discovery.ucl.ac.uk

issuer=C = BM, O = QuoVadis Limited, CN = QuoVadis EV SSL ICA G3

---
No client certificate CA names sent
---
SSL handshake has read 2653 bytes and written 318 bytes
Verification error: unable to verify the first certificate
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
   Protocol  : TLSv1.2
   Cipher    : 0000
   Session-ID: 0BEE74506F0378851356FE55F7EA41ACE0E5C5C065C19C8EE24F5A1607BAD1FC
   Session-ID-ctx: 
   Master-Key: 
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   Start Time: 1578589105
   Timeout   : 7200 (sec)
   Verify return code: 21 (unable to verify the first certificate)
   Extended master secret: no
---

The part relevant to us is the one after Certificate chain. It shows only one certificate.

Feeding that -----BEGIN CERTIFICATE----- block to openssl x509 -text -noout presents the certificate in a more readable form:

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           5a:c5:93:22:e9:25:15:02:24:8b:9c:e4:ed:2c:ef:93:26:05:e0:cb
       Signature Algorithm: sha256WithRSAEncryption
       Issuer: C = BM, O = QuoVadis Limited, CN = QuoVadis EV SSL ICA G3
       Validity
           Not Before: Sep 11 10:24:11 2019 GMT
           Not After : Sep 11 10:34:00 2021 GMT
       Subject: jurisdictionC = GB, businessCategory = Government Entity, serialNumber = November-15-77, C = GB, ST = London, L = London, O = University College London, CN = discovery.ucl.ac.uk
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               RSA Public-Key: (2048 bit)
               Modulus:
                   00:af:87:88:f8:b9:bf:a3:8f:2b:40:b9:ac:a3:cf:
                   58:d7:a4:5a:28:30:48:20:d3:d3:a9:be:bb:b3:cb:
                   55:64:cf:c2:93:ed:56:05:ba:b7:d0:a6:9e:f1:3b:
                   49:03:25:5f:5b:cf:85:3a:bd:55:26:a9:df:51:d8:
                   d6:89:0e:cd:13:b6:92:a3:c8:31:70:36:ad:57:47:
                   6f:b7:f4:be:89:94:9b:88:c5:d1:91:50:c3:4b:87:
                   58:1e:35:f0:41:ed:02:47:69:cd:08:c7:0b:2d:1f:
                   f9:97:53:d1:f8:79:4d:49:c9:2f:13:b9:59:e9:09:
                   b0:d9:9d:2a:82:69:0d:3c:86:5e:35:df:b1:46:ae:
                   5a:12:2f:e1:07:a8:4a:f3:ae:6c:fc:37:33:5d:ef:
                   6e:44:29:21:b5:fd:73:fc:77:c3:b5:14:90:da:03:
                   2b:c4:4b:62:5f:25:6b:a1:ad:cc:1a:e9:63:cf:41:
                   d0:ae:d9:c2:38:1b:33:11:cc:f7:ac:dd:a0:fe:22:
                   32:65:f2:d1:95:7a:9e:64:7a:d3:3e:2a:0b:2b:9f:
                   db:63:89:98:45:71:23:9c:c4:ed:1a:a5:10:00:01:
                   83:80:e8:d0:68:66:f3:c2:2e:bd:7a:08:64:12:24:
                   cf:f4:7b:63:76:3c:cf:cf:52:1d:78:75:bd:fd:31:
                   ee:fd
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Basic Constraints: critical
               CA:FALSE
           X509v3 Authority Key Identifier: 
               keyid:E5:84:54:D0:90:49:9F:38:BA:F2:C9:E1:2A:08:C5:4E:9F:A0:48:3F

           Authority Information Access: 
               CA Issuers - URI:http://trust.quovadisglobal.com/qvevsslg3.crt
               OCSP - URI:http://ev.ocsp.quovadisglobal.com

           X509v3 Subject Alternative Name: 
               DNS:discovery.ucl.ac.uk, DNS:eprints.ucl.ac.uk
           X509v3 Certificate Policies: 
               Policy: 1.3.6.1.4.1.8024.0.2.100.1.2
                 CPS: http://www.quovadisglobal.com/repository
               Policy: 2.23.140.1.1

           X509v3 Extended Key Usage: 
               TLS Web Client Authentication, TLS Web Server Authentication
           X509v3 CRL Distribution Points: 

               Full Name:
                 URI:http://crl.quovadisglobal.com/qvevsslg3.crl

           X509v3 Subject Key Identifier: 
               D3:E2:15:FD:66:88:4D:5A:D9:78:2B:08:75:D6:6F:15:94:A4:B9:4B
           X509v3 Key Usage: critical
               Digital Signature, Key Encipherment
           CT Precertificate SCTs: 
               Signed Certificate Timestamp:
                   Version   : v1 (0x0)
                   Log ID    : BB:D9:DF:BC:1F:8A:71:B5:93:94:23:97:AA:92:7B:47:
                               38:57:95:0A:AB:52:E8:1A:90:96:64:36:8E:1E:D1:85
                   Timestamp : Sep 11 10:34:12.241 2019 GMT
                   Extensions: none
                   Signature : ecdsa-with-SHA256
                               30:45:02:21:00:D8:2C:2B:E6:4E:B0:F1:87:5E:AA:13:
                               7D:32:A9:38:AB:03:70:3E:5E:FE:93:66:5A:54:B2:C6:
                               71:23:E0:29:AA:02:20:48:68:9C:C2:D7:04:0A:D7:23:
                               B1:29:CA:98:4C:14:56:FE:A1:42:7B:E4:B0:6E:DD:1F:
                               90:2A:3D:9E:E3:6D:0D
               Signed Certificate Timestamp:
                   Version   : v1 (0x0)
                   Log ID    : 56:14:06:9A:2F:D7:C2:EC:D3:F5:E1:BD:44:B2:3E:C7:
                               46:76:B9:BC:99:11:5C:C0:EF:94:98:55:D6:89:D0:DD
                   Timestamp : Sep 11 10:34:12.280 2019 GMT
                   Extensions: none
                   Signature : ecdsa-with-SHA256
                               30:46:02:21:00:8F:85:CC:13:22:88:98:0A:DE:84:B3:
                               0E:3D:6F:B6:DC:BD:1C:91:11:7D:BD:7D:1B:9A:5F:7E:
                               B0:27:14:3A:4C:02:21:00:9C:8F:B7:CA:F7:83:EF:8B:
                               C5:67:5B:FE:C5:91:7C:5E:C9:9F:8C:E5:C8:0E:E2:51:
                               61:53:17:CE:1D:C0:AE:71
               Signed Certificate Timestamp:
                   Version   : v1 (0x0)
                   Log ID    : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
                               15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
                   Timestamp : Sep 11 10:34:12.512 2019 GMT
                   Extensions: none
                   Signature : ecdsa-with-SHA256
                               30:45:02:20:7F:F3:97:AB:62:AD:CE:7A:55:13:11:8A:
                               5D:25:D2:0A:FF:FD:8D:01:41:BA:12:DB:83:09:1F:D4:
                               B2:90:66:9D:02:21:00:D6:F2:2A:FF:8B:F9:BD:36:A3:
                               96:08:46:A4:4A:27:8F:4B:24:4C:89:17:24:71:1E:B4:
                               4C:F2:51:FD:A9:19:3C
   Signature Algorithm: sha256WithRSAEncryption
        23:26:ea:cc:61:27:7d:28:5b:dc:39:c3:19:34:ed:43:2e:c2:
        b2:b4:9d:cd:e9:22:24:1d:7a:61:27:67:e9:5c:3e:2c:7c:11:
        f1:c4:6d:fb:af:b6:b7:85:68:bb:be:a3:5b:e0:f4:cb:f1:52:
        22:c4:ac:3e:bb:f4:a2:d2:d9:27:24:8c:87:b1:57:fa:e1:e2:
        38:b5:f3:03:90:f0:c9:1b:13:20:af:da:84:b0:db:a4:c1:55:
        e0:b2:77:ab:a9:76:10:44:07:20:62:c9:cc:2c:47:6b:82:8f:
        bb:49:6e:dc:69:39:e6:fd:a7:5f:aa:b7:3a:af:d0:2b:e1:f1:
        d1:89:da:fd:a7:b4:6e:10:cf:de:44:20:a6:06:ab:30:1c:8e:
        e1:a6:c1:3a:9a:22:8b:87:56:97:a8:5e:88:e8:98:92:08:0a:
        73:dd:7e:e6:27:83:a2:2d:51:4d:18:ac:3c:ad:91:c6:10:95:
        2c:2d:00:56:21:6d:2a:64:f8:eb:cc:d1:b7:33:f2:c5:e5:c8:
        55:85:2f:43:ec:77:14:b5:71:05:3f:bb:26:34:f7:4d:1a:06:
        d5:4e:d7:d8:df:eb:17:a4:51:5d:84:40:f9:a2:84:49:0a:45:
        f6:fc:97:f2:95:73:77:2d:3f:2f:d2:23:48:d3:81:cd:43:5f:
        df:4b:6e:e4:f5:0e:50:05:a8:44:06:cb:d2:ce:1f:3c:39:d1:
        cf:ff:68:f2:c9:0c:22:1a:a3:47:f5:0f:94:18:6a:d8:05:6e:
        74:38:90:75:df:3b:68:6c:07:84:58:84:cf:c0:8e:34:9d:fd:
        f0:53:7a:a8:0a:f3:3f:9e:f2:6e:f2:43:b4:94:3d:e4:0f:80:
        32:2e:a5:a7:39:8b:f0:82:30:b3:81:57:b6:ce:e2:c8:f4:5f:
        c1:66:26:67:99:76:a2:26:ad:92:4b:38:13:98:8c:ef:fc:70:
        74:cd:21:c5:05:64:29:81:9a:5a:71:9a:24:ec:08:59:de:fc:
        e9:6c:e7:49:7e:07:12:38:27:bf:5b:af:9d:ac:bc:80:e7:04:
        f3:57:79:b8:fa:d6:94:e5:e2:af:9c:8f:4d:37:95:db:89:41:
        d7:9a:a2:c4:94:75:59:61:a9:29:0c:02:64:4f:6d:14:b9:de:
        6e:20:61:c6:c2:21:c5:62:fc:87:80:79:4d:07:16:bb:ec:19:
        f6:81:8c:4a:b4:7f:79:cb:7a:3f:0b:44:9a:1d:ab:8d:2f:b8:
        21:bb:26:55:c4:d4:56:b0:a7:15:5a:56:7e:d7:f4:eb:3a:51:
        29:d3:49:d3:17:2a:16:ab:16:c5:83:05:4f:f5:66:ab:09:10:
        d7:fe:b6:7f:63:3a:ff:b1

Particularly relevant are these lines:

Issuer: C = BM, O = QuoVadis Limited, CN = QuoVadis EV SSL ICA G3
Subject: jurisdictionC = GB  [...]  CN = discovery.ucl.ac.uk

This shows that the presented certificate is a leaf certificate for discovery.ucl.ac.uk, and that it is signed by some certificate (or rather, entity) named QuoVadis EV SSL ICA G3. It will become clear later that this is not a root certificate (for now, the absence of "CA" in the name is a hint; ICA usually means Intermediate Certificate Authority).

The certificate @little_dog suggests you download is the missing intermediate certificate (not the root!). You can tell from these lines in his answer:

Issuer: C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
Subject: C = BM, O = QuoVadis Limited, CN = QuoVadis EV SSL ICA G3

That certificate is QuoVadis EV SSL ICA G3, the one referenced by the leaf certificate above! But this certificate is not a root certificate. A root certificate is self-signed, whereas this one is signed by QuoVadis Root CA 2 G3. Incidentally, that one does have CA in its name.

So where do we get the root certificate from? Ideally it should be in your browser or operating system. At least for Debian (and probably Ubuntu too), we can check with this monster:

% awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep 'QuoVadis Root CA 2 G3'
subject=C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3

The first part of the command produces the certificate subjects ("names") of all CA certificates trusted by the system, and then we search for the relevant QuoVadis root certificate. On my system it finds it, so the root certificate is present.

To recap

  • Root certificate QuoVadis Root CA 2 G3 (on your system)

    • signs intermediate certificate QuoVadis EV SSL ICA G3 (missing)

      • signs leaf certificate discovery.ucl.ac.uk (provided by the web server)

Where should the intermediate certificate come from? The answer is simple: the web server should provide it too. The client can then check the whole chain up to the root certificate (from its trust store).

Fixing it

@little_dog's answer has you download the intermediate and install it in your trust store, effectively turning the intermediate into a root certificate for your system. For now this will work for this specific problem, but it has downsides:

  • It only solves this very specific problem on your specific machine. Downloading from another misconfigured web server? Same problem. Downloading from this site on another machine? Same problem.
  • Intermediate certificates usually have a shorter lifetime than root certificates. At some point in the future the intermediate you installed by hand will expire, and then it will stop working.
  • Intermediates exist for a reason. In the event of a CA compromise, the intermediate may be compromised too. The CA will then revoke those intermediates, create new ones and reissue the leaf certificates. But because you trusted your intermediate manually, it will not be revoked, and your system may end up trusting servers it should not trust.

The real solution is to fix the website. Try reporting it to the discovery.ucl.ac.uk webmaster. Any decent web server administrator should know exactly what is going on when you tell them the web server is not providing the intermediate CA certificate. If they need more information, this answer has plenty :)

There are also many online services that check any web server you specify and report a list of potential security and configuration problems. I tried a handful and they all complained about the missing intermediate certificate. Some popular ones include:

But it works in Chrome?

This is where the story gets more complicated. There is a mechanism called Authority Information Access (AIA) that allows an HTTP client to ask the CA for the intermediate certificate. You can see the URL provided for it in the textual certificate output earlier in this answer.

But not every client implements AIA fetching. Internet Explorer and Safari do. Chrome relies on the operating system to do it (so it works on some platforms and not on others). Android does not. Firefox does not, due to privacy concerns. As far as I know, curl and wget do not.

To complicate things further, browsers may cache intermediate certificates they encounter, so if you visited a website using QuoVadis EV SSL ICA G3 that correctly sends the intermediate, that certificate may be cached by the browser, and a website that would otherwise not work suddenly does. Finally, browsers/operating systems may preload (some) intermediate certificates, which also hides the problem. Firefox at least is exploring this option.

However, none of this can be relied upon; many clients do no AIA fetching or preloading. So until these mechanisms become mandatory and universally supported, web servers still need to include all the certificates needed to complete the chain.
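The chain-building failure described above, as an added shell example (not code from the question or the answer): it builds a throwaway root, intermediate and leaf with openssl and runs openssl verify twice, once with only the leaf (what a misconfigured server sends) and once with the intermediate supplied. The CA names and the www.example.test host are constructed, and an openssl 1.1.1 or newer with its default openssl.cnf is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway root -> intermediate -> leaf
# chain and show why a server that sends only its leaf fails verification, while the same
# leaf verifies once the intermediate is supplied. Assumes an openssl CLI (1.1.1 or newer)
# with its default openssl.cnf present; every name below is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root CA: the kind of certificate an OS or browser trust store carries.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
    -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA signed by the root. Trust stores usually do not carry this one;
# the web server is expected to send it along with its leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ica.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout ica.key -out ica.csr 2>/dev/null
openssl x509 -req -days 1 -in ica.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ica.ext -out ica.pem 2>/dev/null

# Leaf certificate for the site, signed by the intermediate.
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 1 -in leaf.csr -CA ica.pem -CAkey ica.key -CAcreateserial \
    -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_chain ROOT LEAF [INTERMEDIATE]: the same check a TLS client performs,
# with ROOT as the trust anchor and INTERMEDIATE (if any) as the server-supplied extra.
verify_chain() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1
    else
        openssl verify -CAfile "$1" "$2" 2>&1
    fi
}

# Case 1: only the leaf is presented, as discovery.ucl.ac.uk does. Expect error 20,
# "unable to get local issuer certificate", the error curl reported in the question.
leaf_only() { verify_chain "$WORK/root.pem" "$WORK/leaf.pem" || true; }

# Case 2: leaf plus intermediate, as a correctly configured server sends. Expect "OK".
full_chain() { verify_chain "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/ica.pem"; }

echo "--- leaf only ---";           leaf_only
echo "--- leaf + intermediate ---"; full_chain
```

The same -untrusted idea applies to a real server: save the extra certificate(s) from openssl s_client -showcerts and pass them with -untrusted to see whether the leaf would verify against the system trust store.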

Source: https://unix.stackexchange.com/questions/559526