我的服务器没法连外网,以下是sh里面的内容:
#!/bin/sh
# shellcheck shell=dash
# shellcheck disable=SC2039 # local is non
-POSIX
# This is just a little script that can be downloaded from the internet to
# install rustup. It just does platform detection, downloads the installer
# and runs it.
# It runs on Unix shells like {a,ba,da,k,z}sh. It uses the common `local`
# extension. Note: Most shells limit `local` to 1 var per line, contra bash.
# Some
versions of ksh have no `local` keyword. Alias it to `typeset`, but
# beware this makes variables global with f()
-style function syntax in ksh93.
# mksh has this alias by default.
has_local() {
# shellcheck disable=SC2034 # deliberately unused
local _has_local
}
has_local 2>/dev/null || alias local=typeset
is_zsh() {
[
-n "${ZSH_
VERSION-}" ]
}
set
-u
# If RUSTUP_UPDATE_ROOT is unset or empty, default it.
RUSTUP_UPDATE_ROOT="${RUSTUP_UPDATE_ROOT:
-https://static.rust
-lang.org/rustup}"
# Set quiet as a global for ease of use
RUSTUP_QUIET=no
# NOTICE: If you change anything here, please make the same changes in setup_mode.rs
usage() {
cat <<EOF
rustup
-init 1.28.2 (d1f31992a 2025
-04
-28)
The installer for rustup
Usage: rustup
-init[EXE] [OPTIONS]
Options:
-v,
--verbose
Set log level to 'DEBUG' if 'RUSTUP_LOG' is unset
-q,
--quiet
Disable progress output, set log level to 'WARN' if 'RUSTUP_LOG' is unset
-y
Disable confirmation prompt
--default
-host <DEFAULT_HOST>
Choose a default host triple
--default
-toolchain <DEFAULT_TOOLCHAIN>
Choose a default toolchain to install. Use 'none' to not install any toolchains at all
--profile <PROFILE>
[default: default] [possible values: minimal, default, complete]
-c,
--component <COMPONENT>
Comma
-separated list of component names to also install
-t,
--target <TARGET>
Comma
-separated list of target names to also install
--no
-update
-default
-toolchain
Don't update any existing default toolchain after install
--no
-modify
-path
Don't configure the PATH environment variable
-h,
--help
Print help
-V,
--version
Print
version
EOF
}
main() {
downloader
--check
need_cmd uname
need_cmd mktemp
need_cmd chmod
need_cmd mkdir
need_cmd rm
need_cmd rmdir
get_architecture || return 1
local _arch="$RETVAL"
assert_nz "$_arch" "arch"
local _ext=""
case "$_arch" in
*windows*)
_ext=".exe"
;;
esac
local _url
if [ "${RUSTUP_
VERSION+set}" = 'set' ]; then
say "\`RUSTUP_
VERSION\` has been set to \`${RUSTUP_
VERSION}\`"
_url="${RUSTUP_UPDATE_ROOT}/archive/${RUSTUP_
VERSION}"
else
_url="${RUSTUP_UPDATE_ROOT}/dist"
fi
_url="${_url}/${_arch}/rustup
-init${_ext}"
local _dir
if ! _dir="$(ensure mktemp
-d)"; then
# Because the previous command ran in a subshell, we must manually
# propagate exit status.
exit 1
fi
local _file="${_dir}/rustup
-init${_ext}"
local _ansi_escapes_are_valid=false
if [
-t 2 ]; then
if [ "${TERM+set}" = 'set' ]; then
case "$TERM" in
xterm*|rxvt*|urxvt*|linux*|vt*)
_ansi_escapes_are_valid=true
;;
esac
fi
fi
# check if we have to use /dev/tty to prompt the user
local need_tty=yes
for arg in "$@"; do
case "$arg" in
--help)
usage
exit 0
;;
--quiet)
RUSTUP_QUIET=yes
;;
*)
OPTIND=1
if [ "${arg%%
--*}" = "" ]; then
# Long option (other than
--help);
# don't attempt to interpret it.
continue
fi
while getopts :hqy sub_arg "$arg"; do
case "$sub_arg" in
h)
usage
exit 0
;;
q)
RUSTUP_QUIET=yes
;;
y)
# user wants to skip the prompt
--
# we don't need /dev/tty
need_tty=no
;;
*)
;;
esac
done
;;
esac
done
say 'downloading installer'
ensure mkdir
-p "$_dir"
ensure downloader "$_url" "$_file" "$_arch"
ensure chmod u+x "$_file"
if [ !
-x "$_file" ]; then
err "Cannot execute $_file (likely because of mounting /tmp as noexec)."
err "Please copy the file to a location where you can execute binaries and run ./rustup
-init${_ext}."
exit 1
fi
if [ "$need_tty" = "yes" ] && [ !
-t 0 ]; then
# The installer is going to want to ask for confirmation by
# reading stdin. This script was piped into `sh` though and
# doesn't have stdin to pass to its children. Instead we're going
# to explicitly connect /dev/tty to the installer's stdin.
if [ !
-t 1 ]; then
err "Unable to run interactively. Run with
-y to accept defaults,
--help for additional options"
exit 1;
fi
ignore "$_file" "$@" < /dev/tty
else
ignore "$_file" "$@"
fi
local _retval=$?
ignore rm "$_file"
ignore rmdir "$_dir"
return "$_retval"
}
get_current_exe() {
# Returns the executable used for system architecture detection
# This is only run on Linux
local _current_exe
if test
-L /proc/self/exe ; then
_current_exe=/proc/self/exe
else
warn "Unable to find /proc/self/exe. System architecture detection might be inaccurate."
if test
-n "$SHELL" ; then
_current_exe=$SHELL
else
need_cmd /bin/sh
_current_exe=/bin/sh
fi
warn "Falling back to $_current_exe."
fi
echo "$_current_exe"
}
get_bitness() {
need_cmd head
# Architecture detection without dependencies beyond coreutils.
# ELF files start out "\x7fELF", and the following byte is
# 0x01 for 32
-bit and
# 0x02 for 64
-bit.
# The printf builtin on some shells like dash only supports octal
# escape sequences, so we use those.
local _current_exe=$1
local _current_exe_head
_current_exe_head=$(head
-c 5 "$_current_exe")
if [ "$_current_exe_head" = "$(printf '\177ELF\001')" ]; then
echo 32
elif [ "$_current_exe_head" = "$(printf '\177ELF\002')" ]; then
echo 64
else
err "unknown platform bitness"
exit 1;
fi
}
is_host_amd64_elf() {
local _current_exe=$1
need_cmd head
need_cmd tail
# ELF e_machine detection without dependencies beyond coreutils.
# Two
-byte field at offset 0x12 indicates the CPU,
# but we're interested in it being 0x3E to indicate amd64, or not that.
local _current_exe_machine
_current_exe_machine=$(head
-c 19 "$_current_exe" | tail
-c 1)
[ "$_current_exe_machine" = "$(printf '\076')" ]
}
get_endianness() {
local _current_exe=$1
local cputype=$2
local suffix_eb=$3
local suffix_el=$4
# detect endianness without od/hexdump, like get_bitness() does.
need_cmd head
need_cmd tail
local _current_exe_endianness
_current_exe_endianness="$(head
-c 6 "$_current_exe" | tail
-c 1)"
if [ "$_current_exe_endianness" = "$(printf '\001')" ]; then
echo "${cputype}${suffix_el}"
elif [ "$_current_exe_endianness" = "$(printf '\002')" ]; then
echo "${cputype}${suffix_eb}"
else
err "unknown platform endianness"
exit 1
fi
}
# Detect the Linux/LoongArch UAPI flavor, with all
errors being non
-fatal.
# Returns 0 or 234 in case of successful detection, 1 otherwise (/tmp being
# noexec, or other causes).
check_loongarch_uapi() {
need_cmd base64
local _tmp
if ! _tmp="$(ensure mktemp)"; then
return 1
fi
# Minimal Linux/LoongArch UAPI detection, exiting with 0 in case of
# upstream ("new world") UAPI, and 234 (
-EINVAL truncated) in case of
# old
-world (as deployed on several early commercial Linux distributions
# for LoongArch).
#
# See https://gist.github.com/xen0n/5ee04aaa6cecc5c7794b9a0c3b65fc7f for
# source to this helper binary.
ignore base64
-d > "$_tmp" <<EOF
f0VMRgIBAQAAAAAAAAAAAAIAAgEBAAAAeAAgAAAAAABAAAAAAAAAAAAAAAAAAAAAQQAAAEAAOAAB
AAAAAAAAAAEAAAAFAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAJAAAAAAAAAAkAAAAAAAAAAAA
AQAAAAAABCiAAwUAFQAGABUAByCAAwsYggMAACsAC3iBAwAAKwAxen0n
EOF
ignore chmod u+x "$_tmp"
if [ !
-x "$_tmp" ]; then
ignore rm "$_tmp"
return 1
fi
"$_tmp"
local _retval=$?
ignore rm "$_tmp"
return "$_retval"
}
ensure_loongarch_uapi() {
check_loongarch_uapi
case $? in
0)
return 0
;;
234)
err 'Your Linux kernel does not provide the ABI required by this Rust distribution.'
err 'Please check with your OS provider for how to obtain a compatible Rust package for your system.'
exit 1
;;
*)
warn "Cannot determine current system's ABI flavor, continuing anyway."
warn 'Note that the official Rust distribution only works with the upstream kernel ABI.'
warn 'Installation will fail if your running kernel happens to be incompatible.'
;;
esac
}
get_architecture() {
local _ostype _cputype _bitness _arch _clibtype
_ostype="$(uname
-s)"
_cputype="$(uname
-m)"
_clibtype="gnu"
if [ "$_ostype" = Linux ]; then
if [ "$(uname
-o)" = Android ]; then
_ostype=Android
fi
if ldd
--version 2>&1 | grep
-q 'musl'; then
_clibtype="musl"
fi
fi
if [ "$_ostype" = Darwin ]; then
# Darwin `uname
-m` can lie due to Rosetta shenanigans. If you manage to
# invoke a native shell binary and then a native uname binary, you can
# get the real answer, but that's hard to ensure, so instead we use
# `sysctl` (which doesn't lie) to check for the actual architecture.
if [ "$_cputype" = i386 ]; then
# Handling i386 compatibility mode in older macOS
versions (<10.15)
# running on x86_64
-based Macs.
# Starting from 10.15, macOS explicitly bans all i386 binaries from running.
# See: <https://support.apple.com/en
-us/HT208436>
# Avoid `sysctl: unknown oid` stderr output and/or non
-zero exit code.
if sysctl hw.optional.x86_64 2> /dev/null || true | grep
-q ': 1'; then
_cputype=x86_64
fi
elif [ "$_cputype" = x86_64 ]; then
# Handling x86
-64 compatibility mode (a.k.a. Rosetta 2)
# in newer macOS
versions (>=11) running on arm64
-based Macs.
# Rosetta 2 is built exclusively for x86
-64 and cannot run i386 binaries.
# Avoid `sysctl: unknown oid` stderr output and/or non
-zero exit code.
if sysctl hw.optional.arm64 2> /dev/null || true | grep
-q ': 1'; then
_cputype=arm64
fi
fi
fi
if [ "$_ostype" = SunOS ]; then
# Both Solaris and illumos presently announce as "SunOS" in "uname
-s"
# so use "uname
-o" to disambiguate. We use the full path to the
# system uname in case the user has coreutils uname first in PATH,
# which has historically sometimes printed the wrong value here.
if [ "$(/usr/bin/uname
-o)" = illumos ]; then
_ostype=illumos
fi
# illumos systems have multi
-arch userlands, and "uname
-m" reports the
# machine hardware name; e.g., "i86pc" on both 32
- and 64
-bit x86
# systems. Check for the native (widest) instruction set on the
# running kernel:
if [ "$_cputype" = i86pc ]; then
_cputype="$(isainfo
-n)"
fi
fi
local _current_exe
case "$_ostype" in
Android)
_ostype=linux
-android
;;
Linux)
_current_exe=$(get_current_exe)
_ostype=unknown
-linux
-$_clibtype
_bitness=$(get_bitness "$_current_exe")
;;
FreeBSD)
_ostype=unknown
-freebsd
;;
NetBSD)
_ostype=unknown
-netbsd
;;
DragonFly)
_ostype=unknown
-dragonfly
;;
Darwin)
_ostype=apple
-darwin
;;
illumos)
_ostype=unknown
-illumos
;;
MINGW* | MSYS* | CYGWIN* | Windows_NT)
_ostype=pc
-windows
-gnu
;;
*)
err "unrecognized OS type: $_ostype"
exit 1
;;
esac
case "$_cputype" in
i386 | i486 | i686 | i786 | x86)
_cputype=i686
;;
xscale | arm)
_cputype=arm
if [ "$_ostype" = "linux
-android" ]; then
_ostype=linux
-androideabi
fi
;;
armv6l)
_cputype=arm
if [ "$_ostype" = "linux
-android" ]; then
_ostype=linux
-androideabi
else
_ostype="${_ostype}eabihf"
fi
;;
armv7l | armv8l)
_cputype=armv7
if [ "$_ostype" = "linux
-android" ]; then
_ostype=linux
-androideabi
else
_ostype="${_ostype}eabihf"
fi
;;
aarch64 | arm64)
_cputype=aarch64
;;
x86_64 | x86
-64 | x64 | amd64)
_cputype=x86_64
;;
mips)
_cputype=$(get_endianness "$_current_exe" mips '' el)
;;
mips64)
if [ "$_bitness"
-eq 64 ]; then
# only n64 ABI is supported for now
_ostype="${_ostype}abi64"
_cputype=$(get_endianness "$_current_exe" mips64 '' el)
fi
;;
ppc)
_cputype=powerpc
;;
ppc64)
_cputype=powerpc64
;;
ppc64le)
_cputype=powerpc64le
;;
s390x)
_cputype=s390x
;;
riscv64)
_cputype=riscv64gc
;;
loongarch64)
_cputype=loongarch64
ensure_loongarch_uapi
;;
*)
err "unknown CPU type: $_cputype"
exit 1
esac
# Detect 64
-bit linux with 32
-bit userland
if [ "${_ostype}" = unknown
-linux
-gnu ] && [ "${_bitness}"
-eq 32 ]; then
case $_cputype in
x86_64)
if [
-n "${RUSTUP_CPUTYPE:
-}" ]; then
_cputype="$RUSTUP_CPUTYPE"
else {
# 32
-bit executable for amd64 = x32
if is_host_amd64_elf "$_current_exe"; then {
err "This host is running an x32 userland, for which no native toolchain is provided."
err "You will have to install multiarch compatibility with i686 or amd64."
err "To do so, set the RUSTUP_CPUTYPE environment variable set to i686 or amd64 and re
-run this script."
err "You will be able to add an x32 target after installation by running \`rustup target add x86_64
-unknown
-linux
-gnux32\`."
exit 1
}; else
_cputype=i686
fi
}; fi
;;
mips64)
_cputype=$(get_endianness "$_current_exe" mips '' el)
;;
powerpc64)
_cputype=powerpc
;;
aarch64)
_cputype=armv7
if [ "$_ostype" = "linux
-android" ]; then
_ostype=linux
-androideabi
else
_ostype="${_ostype}eabihf"
fi
;;
riscv64gc)
err "riscv64 with 32
-bit userland
unsupported"
exit 1
;;
esac
fi
# Detect armv7 but without the CPU features Rust needs in that build,
# and fall back to arm.
# See https://github.com/rust
-lang/rustup.rs/issues/587.
if [ "$_ostype" = "unknown
-linux
-gnueabihf" ] && [ "$_cputype" = armv7 ]; then
if ! (ensure grep '^Features' /proc/cpuinfo | grep
-E
-q 'neon|simd') ; then
# Either `/proc/cpuinfo` is malformed or unavailable, or
# at least one processor does not have NEON (which is asimd on armv8+).
_cputype=arm
fi
fi
_arch="${_cputype}
-${_ostype}"
RETVAL="$_arch"
}
__print() {
if $_ansi_escapes_are_valid; then
printf '\33[1m%s:\33[0m %s\n' "$1" "$2" >&2
else
printf '%s: %s\n' "$1" "$2" >&2
fi
}
warn() {
__print 'warn' "$1" >&2
}
say() {
if [ "$RUSTUP_QUIET" = "no" ]; then
__print 'info' "$1" >&2
fi
}
# NOTE: you are required to exit yourself
# we don't do it here because of multiline
errors
err() {
__print '
error' "$1" >&2
}
need_cmd() {
if ! check_cmd "$1"; then
err "need '$1' (command not found)"
exit 1
fi
}
check_cmd() {
command
-v "$1" > /dev/null 2>&1
}
assert_nz() {
if [
-z "$1" ]; then
err "assert_nz $2"
exit 1
fi
}
# Run a command that should never fail. If the command fails execution
# will immediately terminate with an
error showing the failing
# command.
ensure() {
if ! "$@"; then
err "command failed: $*"
exit 1
fi
}
# This is just for indicating that commands' results are being
# intentionally ignored. Usually, because it's being executed
# as part of
error handling.
ignore() {
"$@"
}
# This wraps curl or wget. Try curl first, if not installed,
# use wget instead.
downloader() {
# zsh does not split words by default, Required for curl retry arguments below.
is_zsh && setopt local_options shwordsplit
local _dld
local _ciphersuites
local _err
local _status
local _retry
if check_cmd curl; then
_dld=curl
elif check_cmd wget; then
_dld=wget
else
_dld='curl or wget' # to be used in
error message of need_cmd
fi
if [ "$1" =
--check ]; then
need_cmd "$_dld"
elif [ "$_dld" = curl ]; then
check_curl_for_retry_support
_retry="$RETVAL"
get_ciphersuites_for_curl
_ciphersuites="$RETVAL"
if [
-n "$_ciphersuites" ]; then
# shellcheck disable=SC2086
_err=$(curl $_retry
--proto '=https'
--tlsv1.2
--ciphers "$_ciphersuites"
--silent
--show
-error --fail
--location "$1"
--output "$2" 2>&1)
_status=$?
else
warn "Not enforcing strong cipher suites for TLS, this is potentially less secure"
if ! check_help_for "$3" curl
--proto
--tlsv1.2; then
warn "Not enforcing TLS v1.2, this is potentially less secure"
# shellcheck disable=SC2086
_err=$(curl $_retry
--silent
--show
-error --fail
--location "$1"
--output "$2" 2>&1)
_status=$?
else
# shellcheck disable=SC2086
_err=$(curl $_retry
--proto '=https'
--tlsv1.2
--silent
--show
-error --fail
--location "$1"
--output "$2" 2>&1)
_status=$?
fi
fi
if [
-n "$_err" ]; then
warn "$_err"
if echo "$_err" | grep
-q 404$; then
err "installer for platform '$3' not found, this may be
unsupported"
exit 1
fi
fi
return $_status
elif [ "$_dld" = wget ]; then
if [ "$(wget
-V 2>&1|head
-2|tail
-1|cut
-f1
-d" ")" = "BusyBox" ]; then
warn "using the BusyBox
version of wget. Not enforcing strong cipher suites for TLS or TLS v1.2, this is potentially less secure"
_err=$(wget "$1"
-O "$2" 2>&1)
_status=$?
else
get_ciphersuites_for_wget
_ciphersuites="$RETVAL"
if [
-n "$_ciphersuites" ]; then
_err=$(wget
--https
-only
--secure
-protocol=TLSv1_2
--ciphers "$_ciphersuites" "$1"
-O "$2" 2>&1)
_status=$?
else
warn "Not enforcing strong cipher suites for TLS, this is potentially less secure"
if ! check_help_for "$3" wget
--https
-only
--secure
-protocol; then
warn "Not enforcing TLS v1.2, this is potentially less secure"
_err=$(wget "$1"
-O "$2" 2>&1)
_status=$?
else
_err=$(wget
--https
-only
--secure
-protocol=TLSv1_2 "$1"
-O "$2" 2>&1)
_status=$?
fi
fi
fi
if [
-n "$_err" ]; then
warn "$_err"
if echo "$_err" | grep
-q ' 404 Not Found$'; then
err "installer for platform '$3' not found, this may be
unsupported"
exit 1
fi
fi
return $_status
else
err "Unknown downloader" # should not reach here
exit 1
fi
}
check_help_for() {
local _arch
local _cmd
local _arg
_arch="$1"
shift
_cmd="$1"
shift
local _category
if "$_cmd"
--help | grep
-q '"
--help all"'; then
_category="all"
else
_category=""
fi
case "$_arch" in
*darwin*)
if check_cmd sw_vers; then
local _os_
version
local _os_major
_os_
version=$(sw_vers
-product
Version)
_os_major=$(echo "$_os_
version" | cut
-d.
-f1)
case $_os_major in
10)
# If we're running on macOS, older than 10.13, then we always
# fail to find these options to force fallback
if [ "$(echo "$_os_
version" | cut
-d.
-f2)"
-lt 13 ]; then
# Older than 10.13
warn "Detected macOS platform older than 10.13"
return 1
fi
;;
*)
if ! { [ "$_os_major"
-eq "$_os_major" ] 2>/dev/null && [ "$_os_major"
-ge 11 ]; }; then
# Unknown product
version, warn and continue
warn "Detected unknown macOS major
version: $_os_
version"
warn "TLS capabilities detection may fail"
fi
;; # We assume that macOS v11+ will always be okay.
esac
fi
;;
esac
for _arg in "$@"; do
if ! "$_cmd"
--help "$_category" | grep
-q
-- "$_arg"; then
return 1
fi
done
true # not strictly needed
}
# Check if curl supports the
--retry flag, then pass it to the curl invocation.
check_curl_for_retry_support() {
local _retry_supported=""
# "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
if check_help_for "notspecified" "curl" "
--retry"; then
_retry_supported="
--retry 3"
if check_help_for "notspecified" "curl" "
--continue
-at"; then
# "
-C
-" tells curl to automatically find where to resume the download when retrying.
_retry_supported="
--retry 3
-C
-"
fi
fi
RETVAL="$_retry_supported"
}
# Return cipher suite string specified by user, otherwise return strong TLS 1.2
-1.3 cipher suites
# if support by local tools is detected. Detection currently supports these curl backends:
# GnuTLS and Open
SSL (possibly also Libre
SSL and Boring
SSL). Return value can be empty.
get_ciphersuites_for_curl() {
if [
-n "${RUSTUP_TLS_CIPHERSUITES
-}" ]; then
# user specified custom cipher suites, assume they know what they're doing
RETVAL="$RUSTUP_TLS_CIPHERSUITES"
return
fi
local _open
ssl_syntax="no"
local _gnutls_syntax="no"
local _backend_supported="yes"
if curl
-V | grep
-q ' Open
SSL/'; then
_open
ssl_syntax="yes"
elif curl
-V | grep
-iq ' Libre
SSL/'; then
_open
ssl_syntax="yes"
elif curl
-V | grep
-iq ' Boring
SSL/'; then
_open
ssl_syntax="yes"
elif curl
-V | grep
-iq ' GnuTLS/'; then
_gnutls_syntax="yes"
else
_backend_supported="no"
fi
local _args_supported="no"
if [ "$_backend_supported" = "yes" ]; then
# "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
if check_help_for "notspecified" "curl" "
--tlsv1.2" "
--ciphers" "
--proto"; then
_args_supported="yes"
fi
fi
local _cs=""
if [ "$_args_supported" = "yes" ]; then
if [ "$_open
ssl_syntax" = "yes" ]; then
_cs=$(get_strong_ciphersuites_for "open
ssl")
elif [ "$_gnutls_syntax" = "yes" ]; then
_cs=$(get_strong_ciphersuites_for "gnutls")
fi
fi
RETVAL="$_cs"
}
# Return cipher suite string specified by user, otherwise return strong TLS 1.2
-1.3 cipher suites
# if support by local tools is detected. Detection currently supports these wget backends:
# GnuTLS and Open
SSL (possibly also Libre
SSL and Boring
SSL). Return value can be empty.
get_ciphersuites_for_wget() {
if [
-n "${RUSTUP_TLS_CIPHERSUITES
-}" ]; then
# user specified custom cipher suites, assume they know what they're doing
RETVAL="$RUSTUP_TLS_CIPHERSUITES"
return
fi
local _cs=""
if wget
-V | grep
-q '\
-DHAVE_LIB
SSL'; then
# "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
if check_help_for "notspecified" "wget" "TLSv1_2" "
--ciphers" "
--https
-only" "
--secure
-protocol"; then
_cs=$(get_strong_ciphersuites_for "open
ssl")
fi
elif wget
-V | grep
-q '\
-DHAVE_LIBGNUTLS'; then
# "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
if check_help_for "notspecified" "wget" "TLSv1_2" "
--ciphers" "
--https
-only" "
--secure
-protocol"; then
_cs=$(get_strong_ciphersuites_for "gnutls")
fi
fi
RETVAL="$_cs"
}
# Return strong TLS 1.2
-1.3 cipher suites in Open
SSL or GnuTLS syntax. TLS 1.2
# excludes non
-ECDHE and non
-AEAD cipher suites. DHE is excluded due to bad
# DH params often found on servers (see RFC 7919). Sequence matches or is
# similar to
Firefox 68 ESR with weak cipher suites disabled via about:config.
# $1 must be open
ssl or gnutls.
get_strong_ciphersuites_for() {
if [ "$1" = "open
ssl" ]; then
# Open
SSL is forgiving of unknown values, no problems with TLS 1.3 values on
versions that don't support it yet.
echo "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE
-ECDSA
-AES128
-GCM
-SHA256:ECDHE
-RSA
-AES128
-GCM
-SHA256:ECDHE
-ECDSA
-CHACHA20
-POLY1305:ECDHE
-RSA
-CHACHA20
-POLY1305:ECDHE
-ECDSA
-AES256
-GCM
-SHA384:ECDHE
-RSA
-AES256
-GCM
-SHA384"
elif [ "$1" = "gnutls" ]; then
# GnuTLS isn't forgiving of unknown values, so this may require a GnuTLS
version that supports TLS 1.3 even if wget doesn't.
# Begin with SECURE128 (and higher) then remove/add to build cipher suites. Produces same 9 cipher suites as Open
SSL but in slightly different order.
echo "SECURE128:
-VERS
-SSL3.0:
-VERS
-TLS1.0:
-VERS
-TLS1.1:
-VERS
-DTLS
-ALL:
-CIPHER
-ALL:
-MAC
-ALL:
-KX
-ALL:+AEAD:+ECDHE
-ECDSA:+ECDHE
-RSA:+AES
-128
-GCM:+CHACHA20
-POLY1305:+AES
-256
-GCM"
fi
}
set +u
case "$RUSTUP_INIT_SH_PRINT" in
arch | architecture)
get_architecture || exit 1
echo "$RETVAL"
;;
*)
main "$@" || exit 1
;;
esac
本文介绍了解决Firefox浏览器因使用SSLv3协议而出现的安全警告问题。通过调整about:config中的设置,将security.tls.version.fallback-limit的值更改为1,可以避免浏览器显示“无法安全连接”的错误。
扫一扫
2022
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
