%20%E5%A4%B1%E8%B4%A5%20-%20%E4%B8%BA%E4%BB%80%E4%B9%88%EF%BC%9F.png)
我正在运行以下命令:
curl --tlsv1.2 -v --cacert ./mycert.crt --key ./key.pem --cert ./mycert.crt https://thirdparty.url
使用 openssl 生成 CSR 和密钥文件后,我收到了与我合作的第三方的证书。
我的服务器IP被列入第三方防火墙的白名单,他们可以看到我的请求进来,但握手总是失败。
这是我收到的回复:
* Trying X.X.X.X...
* Connected to thirdparty.url (X.X.X.X) port 443 (#0)
* found 1 certificates in ./nonprod.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: Handshake failed
* Closing connection 0
curl: (35) gnutls_handshake() failed: Handshake failed
我该如何调试这个问题?
一些信息:我在 Ubuntu 16.04.4 上运行curl 7.47.0
我尝试运行这个命令:
openssl s_client -connect server.url:443 -tls1_2 -cert ./mycert.crt -key key.pem
但我必须排除链接 URI 才能使其正常工作。然而,响应确实包括这一点:
140593823835800:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1487:SSL alert number 40
140593823835800:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
但它也说:
SSL handshake has read 3378 bytes and written 1702 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: CE2294E9B415FB8B9850DB28F64FEF17390A46D5A38F12E62E31F614DA4199CF50C0AFA5F62401C4964105AFC4F1B095
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1528299660
Timeout : 7200 (sec)
Verify return code: 0 (ok)