我在 Debian:Squeeze 中使用open-uri
ruby 模块时注意到了 SSL 握手错误,但在 Debian:Wheezy 和 Debian:Jessie 上运行良好
以下是我注意到的:
Debian Squeeze
root@0fdf024c8c42:/# cat /etc/issue
Debian GNU/Linux 6.0 \n \l
root@0fdf024c8c42:/# irb
irb(main):001:0> require 'open-uri'
=> true
irb(main):002:0> open("https://www.openssl.org")
OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
from /usr/lib/ruby/1.9.1/net/http.rb:799:in `connect'
from /usr/lib/ruby/1.9.1/net/http.rb:799:in `block in connect'
from /usr/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
from /usr/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
from /usr/lib/ruby/1.9.1/net/http.rb:799:in `connect'
from /usr/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
from /usr/lib/ruby/1.9.1/net/http.rb:744:in `start'
from /usr/lib/ruby/1.9.1/open-uri.rb:306:in `open_http'
from /usr/lib/ruby/1.9.1/open-uri.rb:775:in `buffer_open'
from /usr/lib/ruby/1.9.1/open-uri.rb:203:in `block in open_loop'
from /usr/lib/ruby/1.9.1/open-uri.rb:201:in `catch'
from /usr/lib/ruby/1.9.1/open-uri.rb:201:in `open_loop'
from /usr/lib/ruby/1.9.1/open-uri.rb:146:in `open_uri'
from /usr/lib/ruby/1.9.1/open-uri.rb:677:in `open'
from /usr/lib/ruby/1.9.1/open-uri.rb:33:in `open'
from (irb):2
from /usr/bin/irb:12:in `<main>'irb(main):003:0>
Debian Wheezy
root@d6d7e1af56d0:/# cat /etc/issue
Debian GNU/Linux 7 \n \l
root@d6d7e1af56d0:/# irb
irb(main):001:0> require 'open-uri'
=> true
irb(main):002:0> open("https://www.openssl.org")
=> #<StringIO:0x000000022aaec0>
Debian 杰西
root@405c251f32df:/# cat /etc/issue
Debian GNU/Linux 8 \n \l
root@405c251f32df:/# irb2.1
irb(main):001:0> require 'open-uri'
=> true
irb(main):002:0> open("https://www.openssl.org")
=> #<StringIO:0x00000001e45b78 @base_uri=#<URI::HTTPS:0x00000001e45ec0 URL:https://www.openssl.org>, @meta={"date"=>"Wed, 26 Aug 2015 11:56:57 GMT", "server"=>"Apache/2.4.7 (Ubuntu)", "strict-transport-security"=>"max-age=31536000; includeSubDomains", "accept-ranges"=>"bytes", "vary"=>"Accept-Encoding", "content-length"=>"2456", "content-type"=>"text/html; charset=UTF-8"}, @metas={"date"=>["Wed, 26 Aug 2015 11:56:57 GMT"], "server"=>["Apache/2.4.7 (Ubuntu)"], "strict-transport-security"=>["max-age=31536000; includeSubDomains"], "accept-ranges"=>["bytes"], "vary"=>["Accept-Encoding"], "content-length"=>["2456"], "content-type"=>["text/html; charset=UTF-8"]}, @status=["200", "OK"]>
我知道这与 ruby 版本无关,因为我尝试更新 ruby 版本,但没有帮助。
答案1
Squeeze 机器是否ca-certificates
安装了该软件包?如果没有该软件包,则没有一组可信任的根证书可用于验证所提供证书是否有效。
假设已ca-certificates
正确安装,则您可能遇到 TLS 协议兼容性问题。Squeeze 相当老旧,其 OpenSSL 版本与现代标准不太匹配。www.openssl.org
您测试过的一些网站(例如)可能以某种方式配置其 TLS 堆栈,从而限制与较旧的 TLS 堆栈(例如 squeeze 附带的堆栈)的兼容性。
在测试系统上,我尝试时得到了与您相同的结果open("https://www.openssl.org")
,但连接到其他一些站点却很好。 此 ssllabs 报告表示www.openssl.org
不支持 TLS 1.0,而 Squeeze 的连接报告称这是它支持的最高版本。因此,在这个特定情况下,这就是您遇到的问题 —— 简单的 TLS 版本不兼容。