OpenSSL 1.1.1d vs. 1.1.1k problem

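I have done the apt-get update and upgrade, and Python3 reports the OpenSSL version as 1.1.1d 10 Sep 2019. The problem is that my client host is running 1.1.1k 25 Mar 2021, and I get a connection error (SSL wrong version). ...Updating libssl1.1 tells me I am already at the latest version, 1.1.1d.

...I guess I should also ask whether there is a way for Python using 1.1.1k to connect to a server using 1.1.1d? Along that tangent, I am using Mysql.connector. I know the server and client are configured "correctly" because my client can connect when it runs on the same host as the database engine (i.e. MariaDb).

The exact error message is: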

mysql.connector.errors.InterfaceError: 2055: Lost connection to MySQL server at 'trogdb:3306', system error: 1 [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1129)

Here is the tcpdump, with a 3-second delay between retries:

16:45:24.174046 ARP, Request who-has dbserver (b8:27:eb:71:99:00 (oui Unknown)) tell 192.168.12.33, length 28
16:45:24.174052 IP 192.168.12.33.51755 > dbserver.mysql: Flags [S], seq 152001190, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1285434605 ecr 0,sackOK,eol], length 0
16:45:24.430503 IP dbserver.mysql > 192.168.12.33.51755: Flags [S.], seq 3481602879, ack 152001191, win 65160, options [mss 1460,sackOK,TS val 3680782024 ecr 1285434605,nop,wscale 7], length 0

16:45:24.430600 IP 192.168.12.33.51755 > dbserver.mysql: Flags [.], ack 1, win 2058, options [nop,nop,TS val 1285434859 ecr 3680782024], length 0
16:45:24.435750 IP dbserver.mysql > 192.168.12.33.51755: Flags [P.], seq 1:104, ack 1, win 510, options [nop,nop,TS val 3680782073 ecr 1285434859], length 103
16:45:24.435803 IP 192.168.12.33.51755 > dbserver.mysql: Flags [.], ack 104, win 2057, options [nop,nop,TS val 1285434864 ecr 3680782073], length 0
16:45:24.436748 IP 192.168.12.33.51755 > dbserver.mysql: Flags [P.], seq 1:37, ack 104, win 2057, options [nop,nop,TS val 1285434865 ecr 3680782073], length 36
16:45:24.439981 IP dbserver.mysql > 192.168.12.33.51755: Flags [.], ack 37, win 510, options [nop,nop,TS val 3680782079 ecr 1285434865], length 0
16:45:24.439981 IP dbserver.mysql > 192.168.12.33.51755: Flags [P.], seq 104:130, ack 37, win 510, options [nop,nop,TS val 3680782079 ecr 1285434865], length 26
16:45:24.439982 IP dbserver.mysql > 192.168.12.33.51755: Flags [F.], seq 130, ack 37, win 510, options [nop,nop,TS val 3680782079 ecr 1285434865], length 0
16:45:24.440004 IP 192.168.12.33.51755 > dbserver.mysql: Flags [P.], seq 37:141, ack 130, win 2056, options [nop,nop,TS val 1285434868 ecr 3680782079], length 104
16:45:24.440013 IP 192.168.12.33.51755 > dbserver.mysql: Flags [.], ack 131, win 2056, options [nop,nop,TS val 1285434868 ecr 3680782079], length 0
16:45:24.445929 IP dbserver.mysql > 192.168.12.33.51755: Flags [R], seq 3481603010, win 0, length 0
16:45:24.445930 IP dbserver.mysql > 192.168.12.33.51755: Flags [R], seq 3481603009, win 0, length 0
16:45:27.446093 IP 192.168.12.33.51756 > dbserver.mysql: Flags [S], seq 1750823761, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2602561978 ecr 0,sackOK,eol], length 0
16:45:27.706430 IP 192.168.12.33.51756 > dbserver.mysql: Flags [S], seq 1750823761, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2602562237 ecr 0,sackOK,eol], length 0
16:45:27.707181 IP dbserver.mysql > 192.168.12.33.51756: Flags [S.], seq 416666955, ack 1750823762, win 65160, options [mss 1460,sackOK,TS val 3680785302 ecr 2602561978,nop,wscale 7], length 0
16:45:27.707210 IP 192.168.12.33.51756 > dbserver.mysql: Flags [.], ack 1, win 2058, options [nop,nop,TS val 2602562237 ecr 3680785302], length 0
16:45:27.711004 IP dbserver.mysql > 192.168.12.33.51756: Flags [S.], seq 416666955, ack 1750823762, win 65160, options [mss 1460,sackOK,TS val 3680785348 ecr 2602561978,nop,wscale 7], length 0
16:45:27.711004 IP dbserver.mysql > 192.168.12.33.51756: Flags [P.], seq 1:104, ack 1, win 510, options [nop,nop,TS val 3680785349 ecr 2602562237], length 103
16:45:27.711021 IP 192.168.12.33.51756 > dbserver.mysql: Flags [.], ack 1, win 2058, options [nop,nop,TS val 2602562241 ecr 3680785302], length 0
16:45:27.711029 IP 192.168.12.33.51756 > dbserver.mysql: Flags [.], ack 104, win 2057, options [nop,nop,TS val 2602562241 ecr 3680785349], length 0
16:45:27.711160 IP 192.168.12.33.51756 > dbserver.mysql: Flags [P.], seq 1:37, ack 104, win 2057, options [nop,nop,TS val 2602562241 ecr 3680785349], length 36
16:45:27.715488 IP dbserver.mysql > 192.168.12.33.51756: Flags [.], ack 37, win 510, options [nop,nop,TS val 3680785354 ecr 2602562241], length 0
16:45:27.715506 IP 192.168.12.33.51756 > dbserver.mysql: Flags [P.], seq 37:141, ack 104, win 2057, options [nop,nop,TS val 2602562245 ecr 3680785354], length 104
16:45:27.716795 IP dbserver.mysql > 192.168.12.33.51756: Flags [P.], seq 104:130, ack 37, win 510, options [nop,nop,TS val 3680785354 ecr 2602562241], length 26
16:45:27.716795 IP dbserver.mysql > 192.168.12.33.51756: Flags [F.], seq 130, ack 37, win 510, options [nop,nop,TS val 3680785354 ecr 2602562241], length 0
16:45:27.716810 IP 192.168.12.33.51756 > dbserver.mysql: Flags [.], ack 130, win 2056, options [nop,nop,TS val 2602562246 ecr 3680785354], length 0
16:45:27.716819 IP 192.168.12.33.51756 > dbserver.mysql: Flags [.], ack 131, win 2056, options [nop,nop,TS val 2602562246 ecr 3680785354], length 0
16:45:27.719254 IP dbserver.mysql > 192.168.12.33.51756: Flags [R], seq 416667059, win 0, length 0
16:45:27.720338 IP dbserver.mysql > 192.168.12.33.51756: Flags [R], seq 416667085, win 0, length 0
16:45:27.720339 IP dbserver.mysql > 192.168.12.33.51756: Flags [R], seq 416667086, win 0, length 0

3 seconds between retries

16:45:30.724896 IP 192.168.12.33.51757 > dbserver.mysql: Flags [S], seq 3599738548, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3758629911 ecr 0,sackOK,eol], length 0
16:45:30.985153 IP dbserver.mysql > 192.168.12.33.51757: Flags [S.], seq 3278475863, ack 3599738549, win 65160, options [mss 1460,sackOK,TS val 3680788605 ecr 3758629911,nop,wscale 7], length 0
16:45:30.985229 IP 192.168.12.33.51757 > dbserver.mysql: Flags [.], ack 1, win 2058, options [nop,nop,TS val 3758630170 ecr 3680788605], length 0
16:45:30.995059 IP dbserver.mysql > 192.168.12.33.51757: Flags [P.], seq 1:104, ack 1, win 510, options [nop,nop,TS val 3680788629 ecr 3758630170], length 103
16:45:30.995113 IP 192.168.12.33.51757 > dbserver.mysql: Flags [.], ack 104, win 2057, options [nop,nop,TS val 3758630179 ecr 3680788629], length 0
16:45:30.995428 IP 192.168.12.33.51757 > dbserver.mysql: Flags [P.], seq 1:37, ack 104, win 2057, options [nop,nop,TS val 3758630179 ecr 3680788629], length 36
16:45:31.003811 IP dbserver.mysql > 192.168.12.33.51757: Flags [.], ack 37, win 510, options [nop,nop,TS val 3680788641 ecr 3758630179], length 0
16:45:31.003812 IP dbserver.mysql > 192.168.12.33.51757: Flags [P.], seq 104:130, ack 37, win 510, options [nop,nop,TS val 3680788641 ecr 3758630179], length 26
16:45:31.003849 IP 192.168.12.33.51757 > dbserver.mysql: Flags [P.], seq 37:141, ack 130, win 2056, options [nop,nop,TS val 3758630187 ecr 3680788641], length 104
16:45:31.007156 IP dbserver.mysql > 192.168.12.33.51757: Flags [F.], seq 130, ack 37, win 510, options [nop,nop,TS val 3680788641 ecr 3758630179], length 0
16:45:31.007193 IP 192.168.12.33.51757 > dbserver.mysql: Flags [.], ack 131, win 2056, options [nop,nop,TS val 3758630189 ecr 3680788641], length 0
16:45:31.013955 IP dbserver.mysql > 192.168.12.33.51757: Flags [R], seq 3278475993, win 0, length 0
16:45:31.020450 IP dbserver.mysql > 192.168.12.33.51757: Flags [R], seq 3278475994, win 0, length 0

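Answer 1

Not an answer yet, just a partial analysis:

Your non-data tcpdump shows that after the TCP handshake, the server sends 104 bytes, the client sends 37 bytes, the server sends 26 bytes, the client sends 104 bytes, and the server FINs.

On the system I can most easily test on, CentOS7.7 with mariadb5.5.26, I get:
server sends 86-byte greeting
client sends 36-byte login
client starts TLS handshake (289-byte ClientHello) and continues successfully, then data

The first two match pretty well. Your client 104 could be a ClientHello, although that is rather short for OpenSSL 1.1.1 (even if it supports only TLS1.0&1.1, as used by older versions of MySQL/Maria). But the 26 the server sends cannot be a TLS response (and is too short for a ServerHello) and is probably some kind of error message that is not SSL/TLS at all, but libssl tries to interpret it and it looks like a wrong version (which would also explain the server FIN-ing without any further data). Getting the data in the trace could confirm both of these, and might add knowledge that identifies the problem.

Also, if you have a successful connection run locally on the dbhost, and it is actually over TLS, you should be able to capture that on the loopback interface, which would provide a reference for comparison.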
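The check suggested above, looking at the actual bytes of the short server message, can be done with a small classifier that tells a TLS record from a plaintext MySQL protocol packet. This is an added example, not part of the original answer; the function names are hypothetical and both sample payloads are constructed, not taken from the capture on this page.

```python
import struct

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def parse_tls_record(data):
    """(type, (major, minor), length) if data starts with a plausible TLS record header."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in TLS_TYPES or major != 3 or minor > 4:
        return None
    return TLS_TYPES[ctype], (major, minor), length

def parse_mysql_packet(data):
    """Decode one MySQL wire packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    if len(data) < 5:
        return None
    length, seq = int.from_bytes(data[:3], "little"), data[3]
    payload = data[4:4 + length]
    if len(payload) != length:
        return None
    info = {"length": length, "seq": seq, "kind": "other"}
    if length >= 3 and payload[0] == 0xFF:          # ERR packet marker
        info["kind"] = "ERR"
        info["code"] = int.from_bytes(payload[1:3], "little")
        rest = payload[3:]
        if rest[:1] == b"#":                         # optional SQLSTATE marker
            info["sqlstate"] = rest[1:6].decode("ascii", "replace")
            rest = rest[6:]
        info["message"] = rest.decode("utf-8", "replace")
    return info

def classify(data):
    """Decide whether a captured TCP payload is a TLS record or a plaintext MySQL packet."""
    tls = parse_tls_record(data)
    if tls:
        return ("tls", tls)
    pkt = parse_mysql_packet(data)
    return ("mysql", pkt) if pkt else ("unknown", None)

# Constructed samples, not bytes from the capture on this page.
SAMPLE_ERR = (b"\x16\x00\x00\x02\xff" + (1043).to_bytes(2, "little")
              + b"#08S01" + b"Bad handshake")
SAMPLE_TLS = bytes.fromhex("160303002a") + bytes(42)

if __name__ == "__main__":
    for name, blob in (("SAMPLE_ERR", SAMPLE_ERR), ("SAMPLE_TLS", SAMPLE_TLS)):
        print(name, len(blob), classify(blob))
    # Read as a TLS header, SAMPLE_ERR claims type 0x16 (handshake) but version 0.0.
    print("as TLS header:", struct.unpack("!BBBH", SAMPLE_ERR[:5]))
```

To apply it to a real capture, rerun tcpdump with `-X` so the payload bytes are printed, and pass the TCP payload of the short server message to `classify`.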
