我尝试在我的 VPS 上使用一个简单的 php 脚本将一些数据插入我的 fritz.box(6360 电缆)。
Anotherserver.net 是我的 fritzbox 中有效的无 IP 地址(并且 fritzbox 可以从公共访问)。
php 脚本尝试 curl 服务器以获取 ssl 会话,但是,它以握手错误结束。所以我尝试了简单的 curl 命令,如下所示。curl 命令以相同的错误结束。令人困惑的是, -k/--insecure 开关不会改变任何东西。其次,您可以在下面看到更多的 openssl 命令完全可以正常工作。
root@server:/var/www/mycurl# curl -v -L --sslv3 --cacert cert_file.pem https://anotherserver.net
Rebuilt URL to: https://anotherserver.net/
Hostname was NOT found in DNS cache
Trying 37.xxx.xxx.xx...
Connected to anotherserver.net (37.xxx.xxx.xx) port 443 (#0)
successfully set certificate verify locations:
CAfile: cert_file.pem
CApath: /etc/ssl/certs
SSLv3, TLS handshake, Client hello (1):
SSLv3, TLS alert, Server hello (2):
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Closing connection 0
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
打开ssl:
root@server:/var/www/mycurl# openssl s_client -connect anotherserver.net:443 -CAfile cert_file.pem
CONNECTED(00000003)
depth=0 CN = anotherServer.net
verify return:1
---
Certificate chain
0 s:/CN=anotherserver.net
i:/CN=anotherserver.net
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDuzCCAqOgAwIBAgIJANSTbhTXe9WfMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNV
BAMTDmJqYXV4LmRkbnMubmV0MB4XDTE0MDgxODE1NTQ0M1oXDTM4MDExNTE1NTQ0
M1owGTEXMBUGA1UEAxMOYmphdXguZGRucy5uZXQwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCy2fXZVUfe1znuSb5wXzrn3mhIk9a2e+iRBRO9v7mQ4rsO
FU1vyB0bP71r6vkCXUnV7fp5NqnsMw6lEIJxkpJl6CLA1lyP+E05SchYFHCAdo7N
/u3Rpa2Oc4OdDh457ZiEuVizOMXO2dgcKJhjC8i2JtbyITcRBRVrXXudlRdsAnTN
iTD65CLWVUOLHKrXKqxkdFZ7wJ0Xsdv4I5TTmocBb6LMd4yEgTYXT2vwz6wRAX1K
l1yhSlpXHqK+2WDfc42JDfYW4NvhbNTRf7dC/PrY9oI7RK1jxt9y8GrT1XuJL768
qjbrJ2JC8UkiCr9C6s02OIKIidfpybrYPtWDKkt5AgMBAAGjggEEMIIBADAdBgNV
HQ4EFgQUcsDrKlzjGvuMg25sGTdtBIMWGZ0wSQYDVR0jBEIwQIAUcsDrKlzjGvuM
g25sGTdtBIMWGZ2hHaQbMBkxFzAVBgNVBAMTDmJqYXV4LmRkbnMubmV0ggkA1JNu
FNd71Z8wDAYDVR0TBAUwAwEB/zCBhQYDVR0RAQH/BHsweYIOYmphdXguZGRucy5u
ZXSCHGp6OHl6bXJsaDVlcTN4b2YubXlmcml0ei5uZXSCEWZyaXR6LmZvbndsYW4u
Ym94gglmcml0ei5ib3iCDXd3dy5mcml0ei5ib3iCC215ZnJpdHouYm94gg93d3cu
bXlmcml0ei5ib3gwDQYJKoZIhvcNAQEFBQADggEBAJ5LA2+3Z2svWkOrWmJlw3kK
3Iz749HDak9gzYaLP0HB5ssHWJw6H20DEDlsJ4YO8RvSFW3TKnOSooYlFDBg7ips
orElIl9nTQwnS9djp2DOeOWpHAaCMyoUdksOVeF0e6QFo9KlKkAU8tEmzUqsQSQ2
p1mCFHx86pna8dlfG8hcMhW+aVp/i889rLRp7zjtwIYpY/pugpuFHK34PNheGVG7
Y2+bWnnaXVxVteFydbvpxsIUDaegkQoZYbE1AjHV1b7y/eSdX1LEvXOqPDu2jUzT
Y2i9Kr76R6EUKMXiYiBCCGc8pN7dskQl8m/xxXDA6z6+Zh8T32kRHcE0PeRN8Yc=
-----END CERTIFICATE-----
subject=/CN=anotherserver.net
issuer=/CN=anotherserver.net
---
No client certificate CA names sent
---
SSL handshake has read 1109 bytes and written 631 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: A93D457B5DF416DFA40F5934B6C2FC2E6365266104B3300B873E5FC89759E395
Session-ID-ctx:
Master-Key: 790ABDC0B114C882B69FBA693712C08AA43EA409B242F0B2E92EB953A8BC71DD16527F8B3561206A21FD11E7EA8DC04E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1408397806
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
我的服务器 openssl 版本是:
root@server:/var/www/mycurl# openssl version
OpenSSL 1.0.1f 6 Jan 2014
我的服务器 curl 版本是:
root@server:/var/www/mycurl# curl --version
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
我的 fritz.box 的 OpenSSL 版本似乎是 0.98。
编辑 19.08.2014:cert_file.pem 实际上是 bjaux.ddns.net.pem -“另一台服务器”(即 bjaux.ddns.net)的证书文件,我使用谷歌浏览器从给定站点下载。我还尝试将其重命名为 bjaux-ddns-net.pem,但 curl 不起作用。请注意,openssl s_client 总是返回验证返回码 0 - Openssl s_client 有效。完全。从那时起它就起作用了。只有 curl 命令总是会遇到握手问题。