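This started out as a Java problem (there is a Stack Overflow question about it), but it turns out it actually has nothing to do with Java, because I can reproduce it with wget. It happens on 3 different Ubuntu machines.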
$ wget https://producao.ginfes.com.br --certificate reck.pem --no-check-certificate --debug
DEBUG output created by Wget 1.12 on linux-gnu.
--2014-02-27 17:35:57-- https://producao.ginfes.com.br/
Resolvendo producao.ginfes.com.br... 201.77.231.18
Caching producao.ginfes.com.br => 201.77.231.18
Conectando-se a producao.ginfes.com.br|201.77.231.18|:443... conectado.
Created socket 3.
Releasing 0x09b827f0 (new refcount 1).
Initiating SSL handshake.
SSL handshake failed.
Closed fd 3
Não foi possível estabelecer conexão segura (SSL).
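Now, if I create an ssh tunnel from the same machine to my development box and try to connect to the same website through that tunnel, the connection works (the 404 error is expected):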
$ ssh [email protected] -L4443:producao.ginfes.com.br:443
...
$ wget https://localhost:4443 --certificate reck.pem --no-check-certificate --debug
DEBUG output created by Wget 1.12 on linux-gnu.
--2014-02-27 17:38:35-- https://localhost:4443/
Resolvendo localhost... ::1, 127.0.0.1
Caching localhost => ::1 127.0.0.1
Conectando-se a localhost|::1|:4443... conectado.
Created socket 3.
Releasing 0x086a88f0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x086a6ba0
certificate:
subject: /C=BR/ST=SP/L=S\\xC3\\xA3o Paulo/O=Eicon Controles Inteligentes de Negocios LTDA/CN=*.ginfes.com.br
issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
AVISO: não foi possível verificar o certificado de localhost, emitido por “/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3”:
Foi encontrado um certificado auto-assinado.
AVISO: o nome comum no certificado “*.ginfes.com.br” não coincide com o nome de máquina solicitado “localhost”.
---request begin---
GET / HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: localhost:4443
Connection: Keep-Alive
---request end---
A requisição HTTP foi enviada, aguardando resposta...
---response begin---
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Thu, 27 Feb 2014 21:38:37 GMT
Connection: keep-alive
---response end---
404 Not Found
Registered socket 3 for persistent reuse.
Skipping 0 bytes of body: [] done.
2014-02-27 17:38:37 ERRO 404: Not Found.
Wget didn't give me enough information, so I tried connecting with openssl, which gave me the following:
openssl s_client -connect producao.ginfes.com.br:443 -cert reck.pem -key reck.pem -showcerts -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=3 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048)
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance CA-3
verify return:1
depth=0 C = BR, ST = SP, L = S\C3\A3o Paulo, O = Eicon Controles Inteligentes de Negocios LTDA, CN = *.ginfes.com.br
verify return:1
3078990568:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
0 s:/C=BR/ST=SP/L=S\xC3\xA3o Paulo/O=Eicon Controles Inteligentes de Negocios LTDA/CN=*.ginfes.com.br
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
3 s:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
subject=/C=BR/ST=SP/L=S\xC3\xA3o Paulo/O=Eicon Controles Inteligentes de Negocios LTDA/CN=*.ginfes.com.br
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
---
Acceptable client certificate CA names
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC SINCOR RFB G2
/C=BR/O=ICP-Brasil/OU=Caixa Economica Federal/CN=AC CAIXA PF v1
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC VALID RFB
/C=BR/O=ICP-Brasil/OU=Instituto Nacional de Tecnologia da Informacao - ITI/CN=AC Certisign G3
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora Raiz Brasileira v2/CN=AC SOLUTI
/C=BR/O=ICP-Brasil/CN=SERASA Certificadora Digital v1
/C=BR/O=ICP-Brasil/OU=Certisign Certificadora Digital S.A./CN=AC Certisign Multipla G5
/C=BR/O=ICP-Brasil/CN=AC Secretaria da Receita Federal do Brasil
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC Instituto Fenacon RFB
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC BR RFB G2
/C=BR/O=ICP-Brasil/OU=Caixa Economica Federal/CN=AC CAIXA PJ-1 v1
/C=BR/O=ICP-Brasil/CN=Autoridade Certificadora da Presidencia da Republica v2
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora Raiz Brasileira v2/OU=AC SOLUTI/CN=AC SOLUTI Multipla
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC PRODEST RFB v2
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora da Justica - AC-JUS/CN=AC Certisign-JUS G3
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC SINCOR RFB G4
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora Raiz Brasileira v2/CN=SERASA Autoridade Certificadora Principal v2
/C=BR/O=ICP-Brasil/OU=ORDEM DOS ADVOGADOS DO BRASIL CONSELHO FEDERAL/CN=AC OAB
/C=BR/O=ICP-Brasil/OU=Imprensa Oficial do Estado S A IMESP/CN=AC Imprensa Oficial G3
/C=BR/O=ICP-Brasil/CN=SERASA Certificadora Digital v2
/C=BR/O=ICP-Brasil/OU=Companhia de Tecnologia da Informacao do Estado de MG - PRODEMGE/CN=AC PRODEMGE G2
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC PRODEMGE RFB G3
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC PRODEST RFB V1
/C=BR/O=ICP-Brasil/OU=Certisign Certificadora Digital S.A./CN=AC Certisign Multipla G3
/C=BR/O=ICP-Brasil/OU=Instituto Nacional de Tecnologia da Informacao - ITI/CN=SERASA Autoridade Certificadora Principal v1
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC Notarial RFB G3
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC SERASA RFB v1
/C=BR/O=ICP-Brasil/OU=Certisign Certificadora Digital S.A./CN=AC Instituto Fenacon
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora Raiz Brasileira v2/CN=AC VALID
/C=BR/O=ICP-Brasil/OU=Servico Federal de Processamento de Dados - SERPRO/CN=Autoridade Certificadora do PRODERJ v2
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora da Justica - AC-JUS/CN=AC CAIXA-JUS v1
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora Raiz Brasileira v1/CN=AC CAIXA v1
/C=BR/O=ICP-Brasil/OU=SINCOR-SP - Sindicato dos Corretores de Seguros no Estado de SP/CN=AC SINCOR G3
/C=BR/O=ICP-Brasil/CN=Autoridade Certificadora da Casa da Moeda do Brasil
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora Raiz Brasileira v2/CN=AC Secretaria da Receita Federal do Brasil v3
/C=BR/O=ICP-Brasil/OU=Certisign Certificadora Digital S.A./OU=CSPB-2/CN=AC Certisign SPB G5
/C=BR/O=ICP-Brasil/OU=Imprensa Oficial do Estado S A IMESP/CN=AC Imprensa Oficial G2
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC PRODEMGE RFB G2
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC FENACON Certisign RFB G3
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC Notarial RFB G2
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora Raiz Brasileira v2/CN=AC Certisign G5
/C=BR/O=ICP-Brasil/OU=ORDEM DOS ADVOGADOS DO BRASIL CONSELHO FEDERAL/CN=AC OAB G2
/C=BR/O=ICP-Brasil/OU=Instituto Nacional de Tecnologia da Informacao - ITI/CN=Autoridade Certificadora Raiz Brasileira v1
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC BR RFB G3
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC FENACON Certisign RFB G2
/C=BR/O=ICP-Brasil/OU=SINCOR-SP - Sindicato dos Corretores de Seguros no Estado de SP/CN=AC SINCOR G2
/C=BR/O=ICP-Brasil/OU=Caixa Economica Federal/CN=AC CAIXA PF v2
/C=BR/O=ICP-Brasil/OU=Servico Federal de Processamento de Dados - SERPRO/OU=CSPB-1/CN=Autoridade Certificadora do SERPRO Final v2
/C=BR/O=ICP-Brasil/CN=Autoridade Certificadora SERPRO v2
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora da Justica - AC-JUS/CN=AC SERASA-JUS v2
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora Raiz Brasileira v2/CN=Autoridade Certificadora da Casa da Moeda do Brasil v2
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC Certisign RFB G3
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora Raiz Brasileira v2/CN=Autoridade Certificadora SERPRO v3
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora Raiz Brasileira v2/CN=Autoridade Certificadora da Presidencia da Republica v3
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC Imprensa Oficial SP RFB G3
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC Imprensa Oficial SP RFB G2
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora da Justica - AC-JUS/CN=AC SERPRO-JUS v4
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=Autoridade Certificadora do SERPRORFB
/C=BR/O=ICP-Brasil/OU=PETROLEO BRASILEIRO S A PETROBRAS/CN=AC PETROBRAS G3
/C=BR/O=ICP-Brasil/OU=Instituto Nacional de Tecnologia da Informacao - ITI/CN=Autoridade Certificadora da Justica v3
/C=BR/O=ICP-Brasil/OU=Caixa Economica Federal/CN=AC CAIXA PJ v2
/C=BR/O=ICP-Brasil/OU=CSPB-4/CN=SERASA Autoridade Certificadora v2
/C=BR/O=ICP-Brasil/OU=Caixa Economica Federal/CN=AC CAIXA PJ v1
/C=BR/O=ICP-Brasil/CN=AC FENACOR v1
/C=BR/O=ICP-Brasil/OU=Instituto Nacional de Tecnologia da Informacao - ITI/CN=Autoridade Certificadora Raiz Brasileira v2
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora VALID - AC VALID/CN=AC VALID BRASIL
/C=BR/O=ICP-Brasil/OU=Certisign Certificadora Digital S.A./CN=AC Instituto Fenacon G2
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora da Justica - AC-JUS/CN=AC CAIXA-JUS v2
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC SERASA RFB v2
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora Raiz Brasileira v2/CN=AC CAIXA v2
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC SINCOR RFB G3
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora Raiz Brasileira v2/CN=AC Certisign G6
/C=BR/O=ICP-Brasil/OU=Certisign Certificadora Digital S.A./OU=CSPB-2/CN=AC Certisign SPB G3
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC Instituto Fenacon RFB G2
/C=BR/O=ICP-Brasil/OU=Companhia de Tecnologia da Informacao do Estado de MG - PRODEMGE/CN=AC PRODEMGE G3
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora Raiz Brasileira v2/CN=AC Imprensa Oficial SP G3
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=Autoridade Certificadora SERPRORFB v3
/C=BR/O=ICP-Brasil/OU=Caixa Economica Federal/CN=AC CAIXA PF-1 v1
/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora Raiz Brasileira v2/CN=Autoridade Certificadora da Justica v4
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC Certisign RFB G4
/C=BR/O=ICP-Brasil/OU=Servico Federal de Processamento de Dados - SERPRO/OU=CSPB-1/CN=Autoridade Certificadora do SERPRO Final v3
/C=BR/O=ICP-Brasil/OU=CSPB-4/CN=SERASA Autoridade Certificadora v1
/C=BR/O=ICP-Brasil/OU=PETROLEO BRASILEIRO S A PETROBRAS/CN=AC PETROBRAS G2
---
SSL handshake has read 16601 bytes and written 2595 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 530FB1A9BD310D77D5E436BC4CA14127A423B86C9A7E92AF468C6F8DC3758DE6
Session-ID-ctx:
Master-Key: 0E2E35C604253C847156C0DF36B108E3CEAA25BE601EC4FDE2FC9F87138537C71791A469C93D14318B2CED12B671A72D
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1393537449
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
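Although it looks like it worked, openssl reports this error during the handshake: 3078990568:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:. If I use the tunnel, as I did with wget, the message does not appear. I think this is related to wget failing in the SSL handshake. Any ideas?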
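Answer 1
It turns out the problem had nothing to do with Java; it had to do with the cable modem my ISP gave me. My network is set up as follows:
- A TP-Link TL-ER5120 as gateway and firewall (and link load balancer)
- Two internet links served by identical Thomson DWG874B cable modems
- One internet link provided by a TL-MR3020 connected to a 3G USB modem
The 3G modem is really a failover measure. If I route the server's traffic through the 3G modem, the SSL connection works. So the problem is either the cable modem or the ISP itself. I use the same ISP at home (with a different cable modem) and the connection works there. So I blamed the cable modem.
The cable modem is actually also a wireless router (although the wireless function is disabled). The modem has a DHCP server that assigns a local IP to my firewall. So my actual local network is 192.168.0.x, there is another network between the firewall and the cable modem, say 192.168.1.x, and the cable modem has a public IP address. I never liked this setup, but it didn't seem to do any harm, so I lived with it.
The cable modem has a setting that makes it act as a pure cable modem and assign a public IP from the ISP to any device connected to it. The setting is called Switch Mode and is shown below (the previous setting was Legacy RG IPv4 Mode).
As soon as I used it, my SSL connections to that particular website started working again on Linux. I don't know what was going on, but I'm glad it's fixed.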
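Added example (not part of the original question or answer): a small Python parser for openssl s_client output like the one in the question. It checks the two certificate-side causes (untrusted server chain, client certificate issuer missing from the advertised CA names) before pointing at the network path, which is where the answer ended up. The sample text is constructed from the question's output with the CA list shortened, and the issuer passed to triage() is supplied by the caller and assumed to be in the same one-line DN format s_client prints.

```python
import re

# Constructed sample: the question's s_client output, cut down to the lines used here.
SAMPLE = """\
CONNECTED(00000003)
verify return:1
3078990568:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Acceptable client certificate CA names
/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC SINCOR RFB G2
/C=BR/O=ICP-Brasil/OU=Caixa Economica Federal/CN=AC CAIXA PF v1
---
SSL handshake has read 16601 bytes and written 2595 bytes
---
    Verify return code: 0 (ok)
---
"""

def parse_s_client(text):
    """Extract the fields needed to triage a failed mutual-TLS handshake."""
    report = {"errors": [], "acceptable_cas": [], "read": None, "verify": None}
    in_ca_list = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Acceptable client certificate CA names":
            in_ca_list = True
        elif in_ca_list and line.startswith("---"):
            in_ca_list = False          # the CA list ends at the next separator
        elif in_ca_list and line:
            report["acceptable_cas"].append(line)
        elif m := re.match(r"\d+:error:[0-9A-Fa-f]+:[^:]*:[^:]*:([^:]*):", line):
            report["errors"].append(m.group(1))   # reason text of the error line
        elif m := re.match(r"SSL handshake has read (\d+) bytes", line):
            report["read"] = int(m.group(1))
        elif m := re.match(r"Verify return code: (\d+)", line):
            report["verify"] = int(m.group(1))
    return report

def triage(report, client_issuer):
    """Rule out certificate causes before suspecting the network path."""
    if report["verify"] not in (0, None):
        return "server-chain-untrusted"
    # Exact string match on the direct issuer only; no chain walking is done.
    if report["acceptable_cas"] and client_issuer not in report["acceptable_cas"]:
        return "client-issuer-not-advertised"
    if report["errors"]:
        return "certificates-ok-check-network-path"
    return "no-error-seen"
```

The issuer of the client certificate can be read with openssl x509 -in reck.pem -noout -issuer; newer OpenSSL releases print DNs in a comma-separated form, so both sides must be in the same format before comparing.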