连接到其后面带有 Tomcat 的 VIP/负载均衡器。
(到目前为止,tcpdump 看起来很干净,没有 RST)
使用 openssl 版本 1.2.q
$openssl s_client -connect "blah:443" -msg
CONNECTED(00000003)
>>> TLS 1.2 [length 0005]
16 03 01 01 2c
>>> TLS 1.2 Handshake [length 012c], ClientHello
01 00 01 28 03 03 a8 3c de fd fd 63 19 ea 64 01
<snip>
<<< ??? [length 0005]
16 03 03 00 51
<<< TLS 1.2 Handshake [length 0051], ServerHello
02 00 00 4d 03 03 dc dd fa a6 70 ab 42 29 26 5c
<snip>
<<< ??? [length 0005]
16 03 03 11 9b
<<< TLS 1.2 Handshake [length 119b], Certificate
0b 00 11 97 00 11 94 00 06 01 30 82 05 fd 30 82
<snip>
verify error:num=20:unable to get local issuer certificate
<<< ??? [length 0005]
16 03 03 00 2e
<<< TLS 1.2 Handshake [length 002a], CertificateRequest
0d 00 00 26 03 01 02 40 00 1e 06 01 06 02 06 03
05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02
03 03 02 01 02 02 02 03 00 00
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
0e 00 00 00
>>> ??? [length 0005]
16 03 03 00 07
>>> TLS 1.2 Handshake [length 0007], Certificate
0b 00 00 03 00 00 00
>>> ??? [length 0005]
16 03 03 01 06
>>> TLS 1.2 Handshake [length 0106], ClientKeyExchange
10 00 01 02 01 00 93 7b b5 46 e4 a0 33 ef 9d 25
<snip>
>>> ??? [length 0005]
14 03 03 00 01
>>> TLS 1.2 ChangeCipherSpec [length 0001]
01
>>> ??? [length 0005]
16 03 03 00 50
>>> TLS 1.2 Handshake [length 0010], Finished
14 00 00 0c f6 30 0b ca 0d 1c e9 b1 2d ec 91 90
140048048748200:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
---
SSL handshake has read 4649 bytes and written 370 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-SHA256
Session-ID: <snip>
Session-ID-ctx:
Master-Key: <snip>
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1548174269
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
一切似乎都进展顺利,除了我在完成的消息后看到“140048048748200:错误:140790E5:SSL 例程:ssl23_write:ssl 握手失败:s23_lib.c:177:”。
(FWIW,我的目标是使用 ssl 连接 python3 来收集证书,但目前无法实现)
这里有指示吗?我无法在我所在位置尝试 1.1.0 或 1.1.1。
答案1
我与服务器管理员进行了交谈。结果发现需要客户端证书。