Openssl

Openssl 1.0.2q - error at Finished message: error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

  • January 22, 2019

Connecting to a VIP/load balancer with Tomcat behind it.

(So far the tcpdump looks clean... no RSTs)

Using openssl version 1.2.q

$openssl s_client -connect "blah:443" -msg

   CONNECTED(00000003)

   >>> TLS 1.2  [length 0005]

       16 03 01 01 2c

   >>> TLS 1.2 Handshake [length 012c], ClientHello

       01 00 01 28 03 03 a8 3c de fd fd 63 19 ea 64 01

       <snip>

   <<< ??? [length 0005]

       16 03 03 00 51

   <<< TLS 1.2 Handshake [length 0051], ServerHello

       02 00 00 4d 03 03 dc dd fa a6 70 ab 42 29 26 5c

      <snip>

   <<< ??? [length 0005]

       16 03 03 11 9b

   <<< TLS 1.2 Handshake [length 119b], Certificate

       0b 00 11 97 00 11 94 00 06 01 30 82 05 fd 30 82

       <snip>

   verify error:num=20:unable to get local issuer certificate

   <<< ??? [length 0005]

       16 03 03 00 2e

   <<< TLS 1.2 Handshake [length 002a], CertificateRequest

       0d 00 00 26 03 01 02 40 00 1e 06 01 06 02 06 03

       05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02

       03 03 02 01 02 02 02 03 00 00

   <<< TLS 1.2 Handshake [length 0004], ServerHelloDone

       0e 00 00 00

   >>> ??? [length 0005]

       16 03 03 00 07

   >>> TLS 1.2 Handshake [length 0007], Certificate

       0b 00 00 03 00 00 00

   >>> ??? [length 0005]

       16 03 03 01 06

   >>> TLS 1.2 Handshake [length 0106], ClientKeyExchange

       10 00 01 02 01 00 93 7b b5 46 e4 a0 33 ef 9d 25

       <snip>

   >>> ??? [length 0005]

       14 03 03 00 01

   >>> TLS 1.2 ChangeCipherSpec [length 0001]

       01

   >>> ??? [length 0005]

       16 03 03 00 50

   >>> TLS 1.2 Handshake [length 0010], Finished

       14 00 00 0c f6 30 0b ca 0d 1c e9 b1 2d ec 91 90

   140048048748200:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:



No client certificate CA names sent

Client Certificate Types: RSA sign, DSA sign, ECDSA sign

Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1

Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1

---

SSL handshake has read 4649 bytes and written 370 bytes

---

New, TLSv1/SSLv3, Cipher is AES256-SHA256

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

   Protocol  : TLSv1.2

   Cipher    : AES256-SHA256

   Session-ID: <snip>    
   Session-ID-ctx:

   Master-Key: <snip>    
   Key-Arg   : None

   PSK identity: None

   PSK identity hint: None

   SRP username: None

   Start Time: 1548174269

   Timeout   : 300 (sec)

   Verify return code: 20 (unable to get local issuer certificate)

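Everything seems to go well, except that after the Finished message I see "140048048748200:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:".

(FWIW, my goal is to connect with ssl from python3 to collect the certificate, but currently I can't)

Any pointers here? I am unable to try 1.1.0 or 1.1.1 at my location.

I talked with the server's admin. It turns out a client certificate is required.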

Quoted from: https://serverfault.com/questions/950239
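The resolution above (a client certificate was required) can be read directly from the `-msg` trace: the server sends a CertificateRequest and the client answers with an empty Certificate message. The following is an added example, not part of the original post, that decodes those two messages from the hex the trace shows in full; the function names are illustrative and the decoding assumes the TLS 1.2 layout of RFC 5246.

```python
import re

# Excerpt of the trace in the question: the two messages it shows in full.
TRACE = """\
   <<< TLS 1.2 Handshake [length 002a], CertificateRequest
       0d 00 00 26 03 01 02 40 00 1e 06 01 06 02 06 03
       05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02
       03 03 02 01 02 02 02 03 00 00
   >>> ??? [length 0005]
       16 03 03 00 07
   >>> TLS 1.2 Handshake [length 0007], Certificate
       0b 00 00 03 00 00 00
"""
HEADER = re.compile(r"(<<<|>>>) .*\[length ([0-9a-f]{4})\](?:, (\w+))?$")
CERT_TYPES = {0x01: "rsa_sign", 0x02: "dss_sign", 0x40: "ecdsa_sign"}

def handshake_messages(trace):
    """Return (direction, name, declared_length, dumped_bytes) per named message."""
    msgs = []
    for line in (l.strip() for l in trace.splitlines()):
        head = HEADER.match(line)
        if head:
            msgs.append([head[1], head[3], int(head[2], 16), b""])
        elif msgs and re.fullmatch(r"(?:[0-9a-f]{2} ?)+", line):
            msgs[-1][3] += bytes.fromhex(line)
    return [tuple(m) for m in msgs if m[1]]   # drop record headers, ChangeCipherSpec

def parse_certificate_request(msg):
    """Decode a TLS 1.2 CertificateRequest (RFC 5246, section 7.4.4)."""
    body = msg[4:]                                  # skip type and 24-bit length
    n_types = body[0]
    types = [CERT_TYPES.get(t, hex(t)) for t in body[1:1 + n_types]]
    pos = 1 + n_types
    sig_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2 + sig_len
    ca_len = int.from_bytes(body[pos:pos + 2], "big")
    return {"cert_types": types, "sig_algs": sig_len // 2, "ca_names_len": ca_len}

def diagnose(trace):
    """Say whether the server asked for a client certificate and what it got."""
    msgs = handshake_messages(trace)
    # Dumps shortened with <snip> are shorter than their declared length.
    req = [b for d, n, ln, b in msgs if (d, n) == ("<<<", "CertificateRequest") and len(b) == ln]
    sent = [b for d, n, ln, b in msgs if (d, n) == (">>>", "Certificate") and len(b) >= 7]
    if not req:
        return "no complete CertificateRequest in trace"
    types = ", ".join(parse_certificate_request(req[0])["cert_types"])
    if sent and int.from_bytes(sent[0][4:7], "big") == 0:
        return f"server requested a client certificate ({types}); client sent an empty list"
    return f"server requested a client certificate ({types}); client reply not empty or not shown"

if __name__ == "__main__":
    print(diagnose(TRACE))
```

When the diagnosis reports an empty list, the client needs a certificate and key: `-cert` and `-key` for `openssl s_client`, or `SSLContext.load_cert_chain()` in Python's `ssl` module.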