ssl - 通过相互 SSL 连接无法读取传入的 changeCipherSpec

Question

我们需要使用双向 SSL 连接到服务器，但由于某种原因，我们在尝试发出请求时收到以下错误：

[...]
readIncomingTls_changeCipherSpec2:
  processTlsRecord:
    processAlert:
      TlsAlert:
        level: fatal
        descrip: handshake failure
      --TlsAlert
    --processAlert
  --processTlsRecord
--readIncomingTls_changeCipherSpec2
Failed to read incoming handshake messages. (3)
Client handshake failed. (3)
Failed to connect.
[...]

私钥和 CSR 由我们提出，证书由我们连接的人返回给我们。

将密钥和证书组合到一个 pem 文件中并像这样添加到请求中，在其他脚本中没有问题，它们各自的密钥证书和目标：

var Gateway = new ActiveXObject("Chilkat.Http");
    Gateway.UnlockComponent("redacted");
var pemSuccess = Gateway.SetSslClientCertPem(Server.MapPath(certPath), "");
    Gateway.ConnectTimeout = 10;        
    Gateway.ReadTimeout = 10;

但是，在这种情况下，不仅 pemSuccess 返回 0，而且我注意到更改此内容或完全删除该行并不会更改错误，这表明它在此之前已中断？

不幸的是，我在这个过程中的知识有限，我不确定如何解决这个问题。

一些谷歌搜索导致 chilkat 支持页面建议更新 DLL 并确保 .pem 使用正确的密钥和证书，但这些都是应有的。

编辑 08/06/2015：将 -----BEGIN CERTIFICATE----- 页眉/页脚的格式更改为 -----BEGIN CERTIFICATE----- 已允许 SetSslClientCertPem 返回 true，但不会更改 LastErrorText ...

完整的 LastErrorText：

    SynchronousRequest:
    DllDate: Dec 12 2012
    UnlockPrefix: [redacted]
    Username: [redacted]
    Architecture: Little Endian; 32-bit
    Language: ActiveX
    VerboseLogging: 0
    domain: [redacted]
    port: 9000
    ssl: 1
    RequestData:
      HttpVersion: 1.1
      Verb: POST
      Path: [redacted]
      Charset: utf-8
      SendCharset: 0
      MimeHeader: SOAPAction:
Content-Type: text/xml
    --RequestData
    ReadTimeout: 10
    ConnectTimeout: 10
    httpConnect:
      hostname: [redacted]
      port: 9000
      ssl: 1
      Need to establish connection to the HTTP server...
      ConnectTimeoutMs_1: 10000
      calling ConnectSocket2
      IPV6 enabled connect with NO heartbeat.
      connectingTo: [redacted]
      resolveHostname1:
        dnsCacheLookup: [redacted]
        dnsCacheHit: [redacted]
      --resolveHostname1
      GetHostByNameHB_ipv4: Elapsed time: 0 millisec
      myIP_1: [redacted]
      myPort_1: [redacted]
      connect successful (1)
      clientHelloMajorMinorVersion: 3.1
      buildClientHello:
        majorVersion: 3
        minorVersion: 1
        numRandomBytes: 32
        sessionIdSize: 0
        numCipherSuites: 10
        numCompressionMethods: 1
      --buildClientHello
      readIncomingTls_serverHello:
        processTlsRecord:
          processHandshake:
            handshakeMessageType: ServerHello
            handshakeMessageLen: 0x46
            processHandshakeMessage:
              MessageType: ServerHello
              Processing ServerHello...
              ServerHello:
                MajorVersion: 3
                MinorVersion: 1
                SessionIdLen: 32
                CipherSuite: RSA_WITH_AES_256_CBC_SHA
                CipherSuite: 00,35
                CompressionMethod: 0
                Queueing ServerHello message.
                ServerHello is OK.
              --ServerHello
            --processHandshakeMessage
          --processHandshake
        --processTlsRecord
      --readIncomingTls_serverHello
      HandshakeQueue:
        MessageType: ServerHello
      --HandshakeQueue
      Dequeued ServerHello message.
      readIncomingTls_6:
        processTlsRecord:
          processHandshake:
            handshakeMessageType: Certificate
            handshakeMessageLen: 0xf13
            processHandshakeMessage:
              MessageType: Certificate
              ProcessCertificates:
                Certificate:
                  [cert info]
                --Certificate
                Certificate:
                  [cert info]
                --Certificate
                Certificate:
                  [cert info]
                --Certificate
                NumCertificates: 3
                Queueing Certificates message...
              --ProcessCertificates
            --processHandshakeMessage
          --processHandshake
        --processTlsRecord
      --readIncomingTls_6
      Dequeued Certificate message.
      readIncomingTls_6:
        processTlsRecord:
          processHandshake:
            handshakeMessageType: CertificateRequest
            handshakeMessageLen: 0x6
            processHandshakeMessage:
              MessageType: CertificateRequest
              CertificateRequest:
                NumCertificateTypes: 3
                Certificate Type: RSA Sign
                Certificate Type: DSS Sign
                OtherCertificateType: 64
                totalLen: 0
                NumDistinguishedNames: 0
                CertificateRequest message is OK.
                Queueing CertificateRequest message.
              --CertificateRequest
            --processHandshakeMessage
            handshakeMessageType: ServerHelloDone
            handshakeMessageLen: 0x0
            processHandshakeMessage:
              MessageType: ServerHelloDone
              Queueing HelloDone message.
            --processHandshakeMessage
          --processHandshake
        --processTlsRecord
      --readIncomingTls_6
      Dequeued CertificateRequest message.
      DequeuedMessageType: ServerHelloDone
      OK to ServerHelloDone!
      Sending 0-length certificate (this is normal).
      CertificatesMessage:
        numCerts: 0
        CertificateSize: 0x3
      --CertificatesMessage
      Encrypted pre-master secret with server certificate RSA public key is OK.
      Sending ClientKeyExchange...
      Sent ClientKeyExchange message.
      Sending ChangeCipherSpec...
      Sent ChangeCipherSpec message.
      Derived keys.
      Installed new outgoing security params.
      Sending FINISHED message..
      algorithm: aes
      keyLength: 256
      Sent FINISHED message..
      readIncomingTls_changeCipherSpec2:
        processTlsRecord:
          processAlert:
            TlsAlert:
              level: fatal
              descrip: handshake failure
            --TlsAlert
          --processAlert
        --processTlsRecord
      --readIncomingTls_changeCipherSpec2
      Failed to read incoming handshake messages. (3)
      Client handshake failed. (3)
      Failed to connect.
    --httpConnect
    connectTime1: Elapsed time: 47 millisec
    totalTime: Elapsed time: 47 millisec
    Failed.
  --SynchronousRequest
--ChilkatLog

Answer 1

所以事实证明，尽管发件人多次坚持证书是正确的，尽管他们坚持（当被问及）电子邮件编码没有删除任何字符，但事实证明证书不正确并且电子邮件编码已经删除了一些字符从正文。

注意以 + 字符开头的行。