Openssl
Openssl 1.0.2q - 完成消息時出錯:錯誤:140790E5:SSL 常式:ssl23_write:ssl 握手失敗:s23_lib.c:177:
連接到後面帶有 Tomcat 的 VIP/負載均衡器。
(到目前為止,tcpdump 看起來很乾淨……沒有 RST)
使用 openssl 版本 1.2.q
$openssl s_client -connect "blah:443" -msg CONNECTED(00000003) >>> TLS 1.2 [length 0005] 16 03 01 01 2c >>> TLS 1.2 Handshake [length 012c], ClientHello 01 00 01 28 03 03 a8 3c de fd fd 63 19 ea 64 01 <snip> <<< ??? [length 0005] 16 03 03 00 51 <<< TLS 1.2 Handshake [length 0051], ServerHello 02 00 00 4d 03 03 dc dd fa a6 70 ab 42 29 26 5c <snip> <<< ??? [length 0005] 16 03 03 11 9b <<< TLS 1.2 Handshake [length 119b], Certificate 0b 00 11 97 00 11 94 00 06 01 30 82 05 fd 30 82 <snip> verify error:num=20:unable to get local issuer certificate <<< ??? [length 0005] 16 03 03 00 2e <<< TLS 1.2 Handshake [length 002a], CertificateRequest 0d 00 00 26 03 01 02 40 00 1e 06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03 00 00 <<< TLS 1.2 Handshake [length 0004], ServerHelloDone 0e 00 00 00 >>> ??? [length 0005] 16 03 03 00 07 >>> TLS 1.2 Handshake [length 0007], Certificate 0b 00 00 03 00 00 00 >>> ??? [length 0005] 16 03 03 01 06 >>> TLS 1.2 Handshake [length 0106], ClientKeyExchange 10 00 01 02 01 00 93 7b b5 46 e4 a0 33 ef 9d 25 <snip> >>> ??? [length 0005] 14 03 03 00 01 >>> TLS 1.2 ChangeCipherSpec [length 0001] 01 >>> ??? [length 0005] 16 03 03 00 50 >>> TLS 1.2 Handshake [length 0010], Finished 14 00 00 0c f6 30 0b ca 0d 1c e9 b1 2d ec 91 90 140048048748200:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177: No client certificate CA names sent Client Certificate Types: RSA sign, DSA sign, ECDSA sign Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1 Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1 --- SSL handshake has read 4649 bytes and written 370 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : AES256-SHA256 Session-ID: <snip> Session-ID-ctx: Master-Key: <snip> Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1548174269 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)一切似乎進展順利,除了我在完成消息後看到“140048048748200:error:140790E5:SSLroutines:ssl23_write:ssl handshake failure:s23_lib.c:177:”。
(FWIW,我的目標是使用 ssl 連接 python3 以收集證書,但目前不能)
這裡有任何指示嗎?我無法在我的位置嘗試 1.1.0 或 1.1.1。
我與伺服器的管理員交談。原來需要客戶證書。