I have run into a problem that I have been trying to solve for a few days now.
We have a production server that has a certificate and supports TLS1, TLS1.1 and TLS1.2. We also have a staging server, used for testing some devices, that only runs TLS1.1 and TLS1.2.
As far as I know, the certificate chains all look the same.
Problem:
When we connect the device to production, it works fine.
When we connect the device to staging, it does not connect.
First, staging: the connection gets closed.
openssl s_client -connect xxxx.bac.com:443 -status -state -quiet
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = BM, O = ABC Limited, CN = ABCDF Root CA 2
verify return:1
depth=1 C = US, O = AAAB , CN = CCDE SSL ICA G2
verify return:1
depth=0 C = CA, ST = ME, L = CCC, O = "xxxx.", CN = xxxx.bac.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify
Production, below, works fine.
openssl s_client -connect prod.bac.com:443 -quiet -state -status
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = BM, O = ABSC, CN = ABSC Root CA 2
verify return:1
depth=1 C = US, O = DFFFF, CN = DDFF SSL ICA G2
verify return:1
depth=0 C = CA, ST = ME, L = LEEE, O = "BAC", CN = prod.bac.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
What could the problem be here? I suspect it might be due to TLS_FALLBACK.
Connecting to prod, prod works.
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-GCM-SHA256
Session-ID: B5B4E0FECC197987CAB113484FC33305B257F18F
Session-ID-ctx:
Master-Key: 5EA2D034F4EF9E0F583B58F1437593F1162269C181EF922B2647A796F813C6
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1567782512
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
The connection to stage-bac.com does not work.
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 8055139B925BED1F834E141ED740A2762254213C0DD3
Session-ID-ctx:
Master-Key: 4041914ACE614C18EC696960FD08057E9E348538A2D448184FE3FE18432
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Any idea where the problem might be? Why can't the connection be established?
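An added example, not from the post above: a small Python script that parses the two `openssl s_client -state` traces quoted in the question (embedded here as constructed sample input, reduced to the handshake and alert lines) and reports whether the handshake completed, which side sent close_notify, and which handshake steps differ between the two servers. A close_notify read only after the server's Finished means the TLS handshake itself succeeded and the connection was closed above TLS, which separates that case from a protocol or cipher negotiation failure.

```python
import re

# Constructed sample input: the stage and prod traces from the post, trimmed to
# the lines this analysis needs (certificate, change-cipher-spec and flush lines dropped).
STAGE_TRACE = """SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify"""

PROD_TRACE = """SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 read finished A"""

STEP_RE = re.compile(r"SSL_connect:SSLv\S+ (.+?)(?: A)?$")   # e.g. "read server hello"
ALERT_RE = re.compile(r"SSL3 alert (read|write):(\w+):(.+)$")  # direction, level, description

def parse_trace(trace):
    # Split a -state trace into handshake step names and (direction, level, description) alerts.
    steps, alerts = [], []
    for line in trace.splitlines():
        if m := STEP_RE.match(line):
            steps.append(m.group(1))
        elif m := ALERT_RE.match(line):
            alerts.append(m.groups())
    return steps, alerts

def analyse(trace):
    # Did the handshake complete, who closed the connection, and what kind of key exchange ran?
    steps, alerts = parse_trace(trace)
    done = "read finished" in steps  # server's Finished received: TLS handshake succeeded
    server_closed = any(d == "read" and desc == "close notify" for d, _, desc in alerts)
    return {
        "handshake_completed": done,
        # An (EC)DHE suite sends a ServerKeyExchange message; static-RSA key exchange does not.
        "ephemeral_key_exchange": "read server key exchange" in steps,
        "session_ticket": "read server session ticket" in steps,
        "closed_by_server_after_handshake": done and server_closed,
    }

def differing_steps(trace_a, trace_b):
    # Handshake steps that occur in exactly one of the two traces.
    a, b = set(parse_trace(trace_a)[0]), set(parse_trace(trace_b)[0])
    return sorted(a ^ b)
```

Running `analyse(STAGE_TRACE)` and `analyse(PROD_TRACE)` side by side shows that both handshakes reach the server's Finished and only the stage server sends close_notify afterwards, while `differing_steps` lists the ServerKeyExchange and session-ticket messages as the handshake-level differences.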