It works perfectly on Windows, OS X and Ubuntu 13. But it's failing to work on Ubuntu 14 only and I don't know why.
...
ERR_SSL_PROTOCOL_ERROR
ERR_SSL_PROTOCOL_ERROR
表示客户端和服务器无法就协议达成一致 - SSLv3、TLS 1.0 等。我相信它对应于protocol_version
TLS 的警报。请参阅RFC 5246,第 7.2 节。
OpenSSL 自 1.0.1 以来一直是 TLS 1.2。请参阅OpenSSL 更改日志。但是,Ubuntu 14 之前的 Ubuntu 出于互操作原因禁用了 TLS 1.1 和 TLS 1.2。请参阅Ubuntu 12.04 LTS:OpenSSL 低级版本并且不支持 TLS 1.2。Ubuntu 14(及后续版本)启用 TLS 1.1 和 TLS 1.2。(TLS 1.3 即将发布:传输层安全 (TLS) 协议版本 1.3 (draft-ietf-tls-rfc5246-bis-00))。
如果您必须通过代理,可能还有其他问题。问题与ClientHello
大小有关。由于增加了密码套件,TLS 1.1 和 TLS 1.2的ClientHello
大小增加了(更准确地说,是 TLS 1.2,因为 TLS 1.1 没有添加任何密码套件)。大小应该无关紧要,除非某些代理具有固定大小的缓冲区和其他简单地破坏交换的硬编码限制。这是某些 F5 和 Ironport 设备的问题。
您可以使用以下方法测试 TLS 1.2 和ClientHello
大小敏感度s_client
:
openssl s_client -tls1_2 -connect <server>:<port> -servername <server> \
-cipher "SSL_RSA_WITH_3DES_EDE_CBC_SHA:TLS_RSA_WITH_3DES_EDE_CBC_SHA"
以上与 TLS 1.2 连接,仅使用 2 个密码套件(4 个字节)。如果它与 2 个密码套件连接,则删除-cipher
并查看它是否与内置的 80+(超过 160 个字节)连接。
如果它无法与 TLS 1.2 连接,请尝试使用-tls1
或-ssl3
。
编辑:你的问题是一个古老的服务器和 TLS 1.1 和 TLS 1.2。请参阅下面的步骤来隔离问题。
你有三个潜在的修复。
第一的
第一个修复是让服务器升级到不古老的东西。如果它是代理,则修复代理。
第二
如果您需要修改协议版本,则执行以下操作以仅获取 SSLv3 或 YLS 1.0:
m_sslContext = SSL_CTX_new( SSLv23_server_method() );
const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
SSL_CTX_set_options(m_sslContext, flags);
第三
如果需要修改密码套件列表:
m_sslContext = SSL_CTX_new( SSLv23_server_method() );
const char* const PREFERRED_CIPHERS = "kEECDH:kEDH:kRSA:AESGCM:AES256:AES128:3DES:"
"SHA256:SHA84:SHA1:!aNULL:!eNULL:HIGH:!RC4:!MD5:!SRP:!PSK:!ADH:!AECDH";
res = SSL_CTX_set_cipher_list(m_sslContext, PREFERRED_CIPHERS);
编辑:你的问题是一个古老的服务器和 TLS 1.1 和 TLS 1.2。您需要从上面使用 (1),或从上面使用 (2)。理想情况下,古老的服务器将被修复,这样每个人都可以受益。
TLS 1.2 不起作用:
$ openssl s_client -tls1_2 -connect www.example.com:443 -CAfile gd-class2-root.crt
CONNECTED(00000003)
140735211598300:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
...
TLS 1.1 不起作用:
$ openssl s_client -tls1_1 -connect www.example.com:443 -CAfile gd-class2-root.crt
CONNECTED(00000003)
140735211598300:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
...
TLS 1.0 确实有效:
$ openssl s_client -tls1 -connect www.example.com:443 -CAfile gd-class2-root.crt
CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
...
SSL v3 确实有效:
$ openssl s_client -ssl3 -connect www.example.com:443 -CAfile gd-class2-root.crt
CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
...
When I try to connect from wget, I get:
...
Unable to locally verify the issuer's authority.
...
So... If I finally follow the wget message and do...
wget https://mydomain.com:443/ --no-check-certificate
... THEN the server works perfectly!
这是一个不同的问题。wget
通过合并上述修复程序之一可能会避免该问题。Wirehsark 的踪迹会告诉你。
此外,如果您提供了真实的服务器名称,我们可以帮助您识别您应该使用的根 CA(以避免Unable to locally verify the issuer's authority
)。
这是我所看到的s_client
:
$ openssl s_client -connect www.example.com:443
CONNECTED(00000003)
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.example.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
...
所以你需要Go Daddy Class 2 Certification Authority。您可以从Go Daddy 存储库、SSL 证书信息中获取。该文件是gd-class2-root.crt
,您可以将其传递给s_client
,结果是Verify return code: 0 (ok)
:
$ openssl s_client -connect www.example.com:443 -CAfile gd-class2-root.crt
CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287
verify return:1
depth=0 OU = Domain Control Validated, CN = *.example.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.example.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFRTCCBC2gAwIBAgIHKyKXfFXVZjANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlm
aWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5
IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5Njky
ODcwHhcNMTQwMzIxMTYyMjU2WhcNMTUwMzIxMTYyMjU2WjA8MSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxFzAVBgNVBAMMDiouc3RheWZpbG0uY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyRsNuqBROD+6RsmkJk7S
KtTpFO5ke92AfWnEnZuKCbbRo/WjmtCPNLQC7fAQxPJb6i/cCt9cusQqlpFjHTg/
lD5Dqoqn/GXMe4hfKbV8VV3NAjWr8f0M/M1ftaL+zo5UtRjdAEIC9ysfbKqqBOxP
hqGPiL0QpkKQ5YZMiz3S4UZzwQ1Unjj43xH4IZFffsdwY5uJqfeoOl/6qBNAQIyg
1Hk00er/+1UlO2hpMe/qjiCZvGSRUat/O51AgyCPFGDmhSEi6rjyeLvEgpILzgR7
K1/BsCe2Kxi+SRIt8UK2jFjXSRnCQyjtgOitbk/sM0afhUUIb7ns95RWAiXt5CpD
0QIDAQABo4IBuzCCAbcwDwYDVR0TAQH/BAUwAwEBADAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMDQGA1UdHwQtMCswKaAnoCWG
I2h0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2RzMS0xMDYuY3JsMFMGA1UdIARMMEow
SAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRl
cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsG
AQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0
dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRl
cm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMCcG
A1UdEQQgMB6CDiouc3RheWZpbG0uY29tggxzdGF5ZmlsbS5jb20wHQYDVR0OBBYE
FOZLbPozya++C27Grhs5pPUut4WFMA0GCSqGSIb3DQEBBQUAA4IBAQBPv85UBt3g
1XGHwZ9ARxpG9InoHRQledSbRckchU35awnIXuXd6pE+kZ7RctR6BywiPRrQnmYm
0D7wHP+BVoN2cZIkTHHgx/hILGTYk47CKyVcL9+WyDd5UXkJYyfdMzfia6dnG4wZ
ucsdR8Ete2do35yZmCZHU5L9KwXarQRuNexbiOqb4kBjUaIhN79NZs1h812QWLLB
+uRhvHOfQuSleEx1ggou/rwaYKNGYrIJl4/kpCquDXbqebkR1B+ad49GD+yBMyOm
/AOfGSU6YTUfZRGjzS2yAozs+QZFUrZTDHyt6Z93OLD+4O07SSAfTD3AlQlG/V1M
KwHuBUl22QD4
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.example.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 2765 bytes and written 843 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 990D00002F519EEFC297CD4CB157B2F7...
Session-ID-ctx:
Master-Key: A4B16EA84F4CD1E8D56A0B601A678AEE...
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1399002932
Timeout : 300 (sec)
Verify return code: 0 (ok)