Openssl 1.0.2q - 完成消息时出错:错误:140790E5:SSL 例程:ssl23_write:ssl 握手失败:s23_lib.c:177:

Openssl 1.0.2q - 完成消息时出错:错误:140790E5:SSL 例程:ssl23_write:ssl 握手失败:s23_lib.c:177:

连接到其后面带有 Tomcat 的 VIP/负载均衡器。

(到目前为止,tcpdump 看起来很干净,没有 RST)

使用 openssl 版本 1.2.q

$openssl s_client -connect "blah:443" -msg

    CONNECTED(00000003)

    >>> TLS 1.2  [length 0005]

        16 03 01 01 2c

    >>> TLS 1.2 Handshake [length 012c], ClientHello

        01 00 01 28 03 03 a8 3c de fd fd 63 19 ea 64 01

        <snip>

    <<< ??? [length 0005]

        16 03 03 00 51

    <<< TLS 1.2 Handshake [length 0051], ServerHello

        02 00 00 4d 03 03 dc dd fa a6 70 ab 42 29 26 5c

       <snip>

    <<< ??? [length 0005]

        16 03 03 11 9b

    <<< TLS 1.2 Handshake [length 119b], Certificate

        0b 00 11 97 00 11 94 00 06 01 30 82 05 fd 30 82

        <snip>

    verify error:num=20:unable to get local issuer certificate

    <<< ??? [length 0005]

        16 03 03 00 2e

    <<< TLS 1.2 Handshake [length 002a], CertificateRequest

        0d 00 00 26 03 01 02 40 00 1e 06 01 06 02 06 03

        05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02

        03 03 02 01 02 02 02 03 00 00

    <<< TLS 1.2 Handshake [length 0004], ServerHelloDone

        0e 00 00 00

    >>> ??? [length 0005]

        16 03 03 00 07

    >>> TLS 1.2 Handshake [length 0007], Certificate

        0b 00 00 03 00 00 00

    >>> ??? [length 0005]

        16 03 03 01 06

    >>> TLS 1.2 Handshake [length 0106], ClientKeyExchange

        10 00 01 02 01 00 93 7b b5 46 e4 a0 33 ef 9d 25

        <snip>

    >>> ??? [length 0005]

        14 03 03 00 01

    >>> TLS 1.2 ChangeCipherSpec [length 0001]

        01

    >>> ??? [length 0005]

        16 03 03 00 50

    >>> TLS 1.2 Handshake [length 0010], Finished

        14 00 00 0c f6 30 0b ca 0d 1c e9 b1 2d ec 91 90

    140048048748200:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:



No client certificate CA names sent

Client Certificate Types: RSA sign, DSA sign, ECDSA sign

Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1

Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1

---

SSL handshake has read 4649 bytes and written 370 bytes

---

New, TLSv1/SSLv3, Cipher is AES256-SHA256

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : AES256-SHA256

    Session-ID: <snip>    
    Session-ID-ctx:

    Master-Key: <snip>    
    Key-Arg   : None

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    Start Time: 1548174269

    Timeout   : 300 (sec)

    Verify return code: 20 (unable to get local issuer certificate)

一切似乎都进展顺利,除了我在完成的消息后看到“140048048748200:错误:140790E5:SSL 例程:ssl23_write:ssl 握手失败:s23_lib.c:177:”。

(FWIW,我的目标是使用 ssl 连接 python3 来收集证书,但目前无法实现)

这里有指示吗?我无法在我所在位置尝试 1.1.0 或 1.1.1。

答案1

我与服务器管理员进行了交谈。结果发现需要客户端证书。

相关内容