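I am trying to run an openssl command to narrow down an SSL issue that occurs when trying to send an outbound message from our system.
I found this command in another topic: Using openssl to get the certificate from a server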
openssl s_client -connect ip:port -prexit
This resulted in the output
CONNECTED(00000003)
15841:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Does this mean the server is not presenting any certificate? I tried other systems on a different ip:port and they present a certificate successfully.
Does mutual authentication affect this command with -prexit?
--Update--
I ran the command again
openssl s_client -connect ip:port -prexit
and now I get this response
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
I added -ssl3 to the command
openssl s_client -connect ip:port -prexit -ssl3
Response:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : SSLv3
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    Krb5 Principal: None
    Start Time: 1403907236
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
---
Also tried with -tls1
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    Krb5 Principal: None
    Start Time: 1403907267
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
---
小智.. 73
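I was debugging an SSL issue today which resulted in the same write:errno=104 error. Eventually I found out that the reason for this behaviour was that the server required SNI (servername TLS extension) to work correctly. Supplying the -servername option to openssl made it connect successfully: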
openssl s_client -connect domain.tld:443 -servername domain.tld
Hope this helps.
15841:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
...
SSL handshake has read 0 bytes and written 121 bytes
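This is a handshake failure. The other side closes the connection without sending any data ("read 0 bytes"). It might be that the other side does not speak SSL at all. But I've seen similar errors with broken SSL implementations which do not understand newer SSL versions. Try whether you get an SSL connection by adding -ssl3 to the command line of s_client.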
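
Added example, not part of the original thread or of either answer: a shell triage of s_client transcripts that separates the two failure signatures quoted above (a reset with errno=104 and a local handshake failure, both with 0 bytes read) and compares a probe without SNI against one with -servername. The function names and verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): triage `openssl s_client` output.

# classify_transcript: read an s_client transcript on stdin, print one verdict.
classify_transcript() {
    awk '
        /errno=104/                       { reset = 1 }   # ECONNRESET on Linux
        /ssl handshake failure/           { hsfail = 1 }
        /SSL handshake has read 0 bytes/  { zero = 1 }
        /no peer certificate available/   { nocert = 1 }
        /BEGIN CERTIFICATE/               { cert = 1 }
        END {
            if (cert && !nocert)      print "handshake-ok"
            else if (zero && reset)   print "reset-before-server-hello"
            else if (zero && hsfail)  print "closed-before-server-hello"
            else if (nocert)          print "no-certificate"
            else                      print "unknown"
        }'
}

# sni_verdict: compare the verdict of a probe without SNI to one with SNI.
sni_verdict() {
    case "$1/$2" in
        handshake-ok/handshake-ok) echo "sni-not-required" ;;
        */handshake-ok)            echo "sni-required" ;;
        *)                         echo "sni-not-the-cause" ;;
    esac
}

# probe_sni IP PORT NAME: run both probes against a live server.
# Connecting by IP address sends no SNI unless -servername is given.
probe_sni() {
    without=$(openssl s_client -connect "$1:$2" </dev/null 2>&1 | classify_transcript)
    with=$(openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>&1 | classify_transcript)
    echo "without SNI: $without; with SNI: $with; verdict: $(sni_verdict "$without" "$with")"
}

# Offline demo on lines from the second transcript quoted in the question.
demo() {
    printf '%s\n' 'CONNECTED(00000003)' 'write:errno=104' '---' \
        'no peer certificate available' '---' \
        'SSL handshake has read 0 bytes and written 121 bytes' | classify_transcript
}
demo   # prints: reset-before-server-hello
```

A verdict of sni-not-the-cause leaves the other explanations from the second answer open: the port may not speak SSL at all, or the server may reject the offered protocol version.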