尝试使用以下字符串从 client2 进行连接:
client2@client2 curl -v --ssl -u 'user:password' ftp://www.example.com:21
* Rebuilt URL to: ftp://www.example.com:21/
* Trying 192.168.177.186...
* Connected to www.example.com (192.168.177.186) port 21 (#0)
< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 220-You are user number 1 of 50 allowed.
< 220-Local time is now 09:16. Server port: 21.
< 220-This is a private system - No anonymous login
< 220-IPv6 connections are also welcome on this server.
< 220 You will be disconnected after 15 minutes of inactivity.
> AUTH SSL
< 500 This security scheme is not implemented
> AUTH TLS
< 234 AUTH TLS OK.
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification OK
.
.
.
* Connect data stream passively
* ftp_perform ends with SECONDARY: 0
< 229 Extended Passive mode OK (|||35104|)
* Connecting to 192.168.177.186 (192.168.177.186) port 35104
* Connected to www.example.com (192.168.177.186) port 21 (#0)
> TYPE A
< 200 TYPE is now ASCII
* Remembering we are in dir ""
< 226-Options: -a -l
< 226 6 matches total
* Connection #0 to host www.example.com left intact
尝试从客户端 1 连接不成功:
client1@client1:~> curl -v --ssl -u 'user:pass' ftp://www.example.com:21
* About to connect() to www.example.com port 21 (#0)
* Trying 192.168.177.186...
* connected
* Connected to www.example.com (192.168.177.186) port 21 (#0)
< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 220-You are user number 1 of 50 allowed.
< 220-Local time is now 09:15. Server port: 21.
< 220-This is a private system - No anonymous login
< 220-IPv6 connections are also welcome on this server.
< 220 You will be disconnected after 15 minutes of inactivity.
> AUTH SSL
< 500 This security scheme is not implemented
> AUTH TLS
< 234 AUTH TLS OK.
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to www.example.com:21
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to www.example.com:21
可能是什么原因?
答案1
连接成功后client2使用 TLS 1.2,表明两端都支持它:
> AUTH SSL
< 500 This security scheme is not implemented
> AUTH TLS
< 234 AUTH TLS OK.
...
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
由于连接失败,client1似乎正在尝试使用已知已损坏的 SSLv3:
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to www.example.com:21
我猜想curl使用的SSL 库client1(OpenSSL?GnuTLS?其他?)太旧了,无法支持 TLS1.2 和/或服务器接受的加密算法。它尝试一路回退到 SSLv3 时代的加密算法,而服务器拒绝客户端提供的所有加密协议/算法,因为它们太弱或有问题。
由于您在输出的底行未对主机名进行清理client2,因此我将网站 URL 提交给了https://www.ssllabs.com/ssltest/并且看起来服务器至少需要 TLS 1.1。
要修复客户端 1,您应该找出curl该主机上使用的 SSL/TLS 库(ldd $(which curl)可能会有帮助)并确保该库尽可能是最新的。
但是,如果客户端 1 使用的是过时的 Linux 发行版,不再提供有效的安全支持,则可能没有足够新的更新的 SSL/TLS 库包可用。此时,您可能需要在某些第三方存储库中查找 curl + 相应 SSL/TLS 库的更新版本,或者编译您自己的库。