Windows

Error setting up a stunnel server: SSL3_GET_CLIENT_HELLO:wrong version number

  • February 18, 2013

I am setting up a stunnel server on Windows XP, and this error appears when a client tries to access it:

2013.02.14 00:02:16 LOG7[8848:7664]: Service [https] accepted (FD=320) from 107.20.36.147:56160
2013.02.14 00:02:16 LOG7[8848:7664]: Creating a new thread
2013.02.14 00:02:16 LOG7[8848:7664]: New thread created
2013.02.14 00:02:16 LOG7[8848:9792]: Service [https] started
2013.02.14 00:02:16 LOG5[8848:9792]: Service [https] accepted connection from 107.20.36.147:56160
2013.02.14 00:02:16 LOG7[8848:9792]: SSL state (accept): before/accept initialization
2013.02.14 00:02:16 LOG7[8848:9792]: SSL alert (write): fatal: handshake failure
2013.02.14 00:02:16 LOG3[8848:9792]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
2013.02.14 00:02:16 LOG5[8848:9792]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.02.14 00:02:16 LOG7[8848:9792]: Local socket (FD=320) closed
2013.02.14 00:02:16 LOG7[8848:9792]: Service [https] finished (0 left)

Any idea what to do? I read online that this may mean my server is advertising that it can communicate using SSL3 but actually cannot. If that is true, I would like to know how to fix it. I am editing the stunnel.conf file, but I do not know what to change to fix this.

Update:

The error message above only appears when the Twilio client (i.e. Twilio's servers) tries to access my server. When I try to access my server from one of my own computers, the page does display, but after showing the content Chrome shows the page as "loading" for about 30 seconds, and finally stunnel gives the following message:

transfer: s_poll_wait: TIMEOUTclose exceeded: closing

Update:

Here is the Wireshark capture: https://gist.github.com/cool-RR/4963477

Cap file: https://dl.dropbox.com/u/1927707/wireshark.cap

Note that the server is running on port 8088.

Update:

Here is the log from the server (debug=7):

2013.02.17 17:06:52 LOG7[7636:2092]: No limit detected for the number of clients
2013.02.17 17:06:52 LOG5[7636:2092]: stunnel 4.54 on x86-pc-msvc-1500 platform
2013.02.17 17:06:52 LOG5[7636:2092]: Compiled/running with OpenSSL 1.0.1c-fips 10 May 2012
2013.02.17 17:06:52 LOG5[7636:2092]: Threading:WIN32 SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:SELECT+IPv6
2013.02.17 17:06:52 LOG5[7636:2092]: Reading configuration from file stunnel.conf
2013.02.17 17:06:52 LOG5[7636:2092]: FIPS mode is enabled
2013.02.17 17:06:52 LOG7[7636:2092]: Compression not enabled
2013.02.17 17:06:52 LOG7[7636:2092]: Snagged 64 random bytes from C:\Documents and Settings\User/.rnd
2013.02.17 17:06:52 LOG7[7636:2092]: Wrote 1024 new random bytes to C:\Documents and Settings\User/.rnd
2013.02.17 17:06:52 LOG7[7636:2092]: PRNG seeded successfully
2013.02.17 17:06:52 LOG6[7636:2092]: Initializing service [https]
2013.02.17 17:06:52 LOG7[7636:2092]: Certificate: G:\Dropbox\StartSSL\SSL Cert.pem
2013.02.17 17:06:52 LOG7[7636:2092]: Certificate loaded
2013.02.17 17:06:52 LOG7[7636:2092]: Key file: G:\Dropbox\StartSSL\SSL Cert.pem
2013.02.17 17:06:52 LOG7[7636:2092]: Private key loaded
2013.02.17 17:06:52 LOG7[7636:2092]: Could not load DH parameters from G:\Dropbox\StartSSL\SSL Cert.pem
2013.02.17 17:06:52 LOG7[7636:2092]: Using hardcoded DH parameters
2013.02.17 17:06:52 LOG7[7636:2092]: DH initialized with 2048-bit key
2013.02.17 17:06:52 LOG7[7636:2092]: ECDH initialized with curve prime256v1
2013.02.17 17:06:52 LOG7[7636:2092]: SSL options set: 0x03000004
2013.02.17 17:06:52 LOG5[7636:2092]: Configuration successful
2013.02.17 17:06:52 LOG7[7636:2092]: Service [https] (FD=268) bound to 0.0.0.0:8088
2013.02.17 17:07:08 LOG7[7636:2092]: Service [https] accepted (FD=320) from 54.242.25.199:45922
2013.02.17 17:07:08 LOG7[7636:2092]: Creating a new thread
2013.02.17 17:07:08 LOG7[7636:2092]: New thread created
2013.02.17 17:07:08 LOG7[7636:8004]: Service [https] started
2013.02.17 17:07:08 LOG5[7636:8004]: Service [https] accepted connection from 54.242.25.199:45922
2013.02.17 17:07:08 LOG7[7636:8004]: SSL state (accept): before/accept initialization
2013.02.17 17:07:08 LOG7[7636:8004]: SSL alert (write): fatal: handshake failure
2013.02.17 17:07:08 LOG3[7636:8004]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
2013.02.17 17:07:08 LOG5[7636:8004]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.02.17 17:07:08 LOG7[7636:8004]: Local socket (FD=320) closed
2013.02.17 17:07:08 LOG7[7636:8004]: Service [https] finished (0 left)

Update:

Here is my stunnel.conf file.

You should take a network capture and look at why it is being rejected. Also check the logs at both endpoints. Raise the debug level in the stunnel conf.

You need to do a network trace to determine which version of the SSL protocol the client supports. Then make sure your server also supports that version.

The client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and suggested compression methods.

Source

Note that the SSL protocol was changed a few years ago because of a security vulnerability in renegotiation. See CVE-2009-3555 and this page about SSL renegotiation.

The server responds:

Secure Sockets Layer
   SSLv3 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
       Content Type: Alert (21)
       Version: SSL 3.0 (0x0300)
       Length: 2
       Alert Message
           Level: Fatal (2)
           Description: Handshake Failure (40)

You have to check the logs on the SSL server to find out why it is rejecting the connection. Try enabling SSL debugging on stunnel with the following: debug=7

The stunnel server has options = NO_SSLv3, but the client is trying to connect using SSLv3. You need to upgrade the client to support a newer version of SSL, or you need to change the stunnel configuration to accept SSLv3.
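The answers above boil down to one diagnostic: read the ClientHello off the wire, see which protocol version the client offers, and compare it with what the server is willing to accept (a server with options = NO_SSLv3 refuses an SSLv3-only client before any data is exchanged). The following example is added here and is not code from the thread or from stunnel; it parses a TLS record containing a ClientHello, reports the record-layer version, the client_version and the offered cipher suites, and checks the client against a simple minimum-version policy. The sample hellos are constructed inline (minimal, no extensions), and modelling the server policy as a single minimum version is an assumption made for the example.

```python
"""Parse a TLS ClientHello record and check it against a server version policy.

Added example, not from the original thread. The ClientHello bytes below are
constructed for illustration; a real capture (the first record the client sends)
can be fed to parse_client_hello() in the same way.
"""
import struct

# Protocol versions as they appear on the wire: (major, minor)
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_TYPE_CLIENT_HELLO = 1


def parse_client_hello(record: bytes) -> dict:
    """Return record_version, client_version and cipher_suites of a ClientHello.

    Raises ValueError for anything that is not a well-formed TLS ClientHello
    record, for example plaintext HTTP sent to the TLS port.
    """
    if len(record) < 5:
        raise ValueError("record too short for a TLS record header")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {content_type})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length does not match the data present")
    if len(body) < 4 or body[0] != HANDSHAKE_TYPE_CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")
    client_version = (hello[0], hello[1])
    pos = 2 + 32                      # skip client_version and the 32-byte random
    sid_len = hello[pos]
    pos += 1 + sid_len                # skip the session id
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello (session id)")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    cs_bytes = hello[pos:pos + cs_len]
    if len(cs_bytes) != cs_len or cs_len % 2:
        raise ValueError("truncated or odd-length cipher suite list")
    cipher_suites = [struct.unpack("!H", cs_bytes[i:i + 2])[0]
                     for i in range(0, cs_len, 2)]
    return {
        "record_version": (rec_major, rec_minor),
        "client_version": client_version,
        "cipher_suites": cipher_suites,
    }


def server_accepts(client_version, min_version=(3, 1)) -> bool:
    """Assumed policy: the server refuses any client_version below min_version.

    min_version=(3, 1) models a server that disables SSLv3 (NO_SSLv3).
    """
    return client_version >= min_version


def diagnose(record: bytes, min_version=(3, 1)):
    """Name the version the client offers and say whether the server would accept it."""
    info = parse_client_hello(record)
    name = VERSION_NAMES.get(info["client_version"], "unknown")
    return name, server_accepts(info["client_version"], min_version)


def build_client_hello(version, cipher_suites, record_version=None) -> bytes:
    """Construct a minimal ClientHello record (sample input, no extensions)."""
    record_version = record_version or version
    random = bytes(32)                # an all-zero random is fine for a constructed sample
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    hello = (bytes(version) + random + b"\x00"           # client_version, random, empty session id
             + struct.pack("!H", len(suites)) + suites   # cipher suite list
             + b"\x01\x00")                              # one compression method: null
    handshake = bytes([HANDSHAKE_TYPE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", CONTENT_TYPE_HANDSHAKE, *record_version, len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed samples: an SSLv3-only client (as described in the last answer)
    # and a TLS 1.2 client; suite numbers are standard IANA values.
    legacy = build_client_hello((3, 0), [0x002F, 0x0035])
    modern = build_client_hello((3, 3), [0x002F, 0x009C])
    for label, rec in (("legacy client", legacy), ("modern client", modern)):
        name, ok = diagnose(rec, min_version=(3, 1))
        print(f"{label}: offers {name}; server with NO_SSLv3 {'accepts' if ok else 'refuses'}")
```

Run it on the first record of a real capture instead of the constructed samples to get the same answer Wireshark gives in the dissection quoted above; when parse_client_hello() raises, the client did not send a TLS ClientHello at all, which is worth knowing before touching stunnel.conf.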

Quoted from: https://serverfault.com/questions/476697