OpenSSL - error in SSLv2/v3 read client hello A

Do you know how to resolve these OpenSSL errors?

  • ssl_engine_io.c(2079): - OpenSSL: I/O error, 11 bytes expected to read on BIO#55900da46090 [mem: 55900da4d700]
  • ssl_engine_kernel.c(1809): OpenSSL: Exit: error in SSLv2/v3 read client hello A

I have two websites using SSL/TLS, hosted on the same Apache web server on the same Linux machine (two websites on one web server).

The first website, https://dev.thestack.ca, runs fine with no error log entries.

The second website, https://test.thestack.ca, runs fine but generates a large number of SSL error log entries on the Linux web server.

Below are the error log entries on the web server for the https://test.thestack.ca website.

[Thu Jul 23 06:57:37.493303 2020] [ssl:info] [pid 20920] AH02200: Loading certificate & private key of SSL-aware server 'test.thestack.ca:443'
[Thu Jul 23 06:57:37.517536 2020] [ssl:debug] [pid 20920] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Thu Jul 23 06:57:37.553250 2020] [ssl:info] [pid 20920] AH01914: Configuring server test.thestack.ca:443 for SSL protocol
[Thu Jul 23 06:57:37.553293 2020] [ssl:trace3] [pid 20920] ssl_engine_init.c(495): Creating new SSL context (protocols: TLSv1, TLSv1.1, TLSv1.2)
[Thu Jul 23 06:57:37.553429 2020] [ssl:trace1] [pid 20920] ssl_engine_init.c(746): Configuring permitted SSL ciphers [HIGH:!aNULL:!MD5]
[Thu Jul 23 06:57:37.553571 2020] [ssl:debug] [pid 20920] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Thu Jul 23 06:57:37.553605 2020] [ssl:debug] [pid 20920] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Thu Jul 23 06:57:37.553740 2020] [ssl:trace3] [pid 20920] ssl_util_ssl.c(484): [test.thestack.ca:443] SSL_X509_match_name: expecting name 'test.thestack.ca', matched by ID 'test.thestack.ca'
[Thu Jul 23 06:57:37.553802 2020] [ssl:debug] [pid 20920] ssl_util_ssl.c(495): AH02412: [test.thestack.ca:443] Cert matches for name 'test.thestack.ca' [subject: CN=test.thestack.ca / issuer: CN=git-W123P-CA,DC=git,DC=ca / serial: 31000002BD03131CEFB23880BF0000000002BD / notbefore: Jul 21 16:45:58 2020 GMT / notafter: Jul 21 16:45:58 2022 GMT]
[Thu Jul 23 06:57:37.553828 2020] [ssl:debug] [pid 20920] ssl_engine_init.c(988): AH02236: Configuring RSA server private key
[Thu Jul 23 06:57:37.602292 2020] [ssl:info] [pid 20920] AH02200: Loading certificate & private key of SSL-aware server 'test.thestack.ca:443'
[Thu Jul 23 06:57:37.602636 2020] [ssl:debug] [pid 20920] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Thu Jul 23 06:57:37.604227 2020] [ssl:info] [pid 20920] AH01914: Configuring server test.thestack.ca:443 for SSL protocol
[Thu Jul 23 06:57:37.604243 2020] [ssl:trace3] [pid 20920] ssl_engine_init.c(495): Creating new SSL context (protocols: TLSv1, TLSv1.1, TLSv1.2)
[Thu Jul 23 06:57:37.604285 2020] [ssl:trace1] [pid 20920] ssl_engine_init.c(746): Configuring permitted SSL ciphers [HIGH:!aNULL:!MD5]
[Thu Jul 23 06:57:37.604318 2020] [ssl:debug] [pid 20920] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Thu Jul 23 06:57:37.604328 2020] [ssl:debug] [pid 20920] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Thu Jul 23 06:57:37.604368 2020] [ssl:trace3] [pid 20920] ssl_util_ssl.c(484): [test.thestack.ca:443] SSL_X509_match_name: expecting name 'test.thestack.ca', matched by ID 'test.thestack.ca'
[Thu Jul 23 06:57:37.604388 2020] [ssl:debug] [pid 20920] ssl_util_ssl.c(495): AH02412: [test.thestack.ca:443] Cert matches for name 'test.thestack.ca' [subject: CN=test.thestack.ca / issuer: CN=git-W123P-CA,DC=git,DC=ca / serial: 31000002BD03131CEFB23880BF0000000002BD / notbefore: Jul 21 16:45:58 2020 GMT / notafter: Jul 21 16:45:58 2022 GMT]
[Thu Jul 23 06:57:37.604392 2020] [ssl:debug] [pid 20920] ssl_engine_init.c(988): AH02236: Configuring RSA server private key
[Thu Jul 23 06:57:37.609350 2020] [proxy:debug] [pid 20921] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/renewApp shared
[Thu Jul 23 06:57:37.609384 2020] [proxy:debug] [pid 20921] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/renewApp local
[Thu Jul 23 06:57:37.609421 2020] [proxy:debug] [pid 20921] proxy_util.c(1936): AH00931: initialized single connection worker in child 20921 for (localhost)
[Thu Jul 23 06:57:37.609446 2020] [proxy:debug] [pid 20921] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/createApp shared
[Thu Jul 23 06:57:37.609472 2020] [proxy:debug] [pid 20921] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/createApp local
[Thu Jul 23 06:57:37.609502 2020] [proxy:debug] [pid 20921] proxy_util.c(1936): AH00931: initialized single connection worker in child 20921 for (localhost)
[Thu Jul 23 06:57:37.609522 2020] [proxy:debug] [pid 20921] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/consents/user shared
[Thu Jul 23 06:57:37.609548 2020] [proxy:debug] [pid 20921] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/consents/user local
[Thu Jul 23 06:57:37.609592 2020] [proxy:debug] [pid 20921] proxy_util.c(1936): AH00931: initialized single connection worker in child 20921 for (localhost)
[Thu Jul 23 06:57:37.609883 2020] [ssl:info] [pid 20921] [client 10.204.39.1:31073] AH01964: Connection to child 0 established (server test.thestack.ca:443)
[Thu Jul 23 06:57:37.610028 2020] [ssl:trace2] [pid 20921] ssl_engine_rand.c(124): Seeding PRNG with 144 bytes of entropy
[Thu Jul 23 06:57:37.610351 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1771): [client 10.204.39.1:31073] OpenSSL: Handshake: start
[Thu Jul 23 06:57:37.610422 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1780): [client 10.204.39.1:31073] OpenSSL: Loop: before/accept initialization
[Thu Jul 23 06:57:37.610471 2020] [core:trace6] [pid 20921] core_filters.c(525): [client 10.204.39.1:31073] core_output_filter: flushing because of FLUSH bucket
[Thu Jul 23 06:57:37.610516 2020] [ssl:trace4] [pid 20921] ssl_engine_io.c(2079): [client 10.204.39.1:31073] OpenSSL: I/O error, 11 bytes expected to read on BIO#55900da46090 [mem: 55900da4d700]
[Thu Jul 23 06:57:37.610528 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1809): [client 10.204.39.1:31073] OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Thu Jul 23 06:57:37.610541 2020] [ssl:debug] [pid 20921] ssl_engine_io.c(1202): (70014)End of file found: [client 10.204.39.1:31073] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Thu Jul 23 06:57:37.610556 2020] [ssl:info] [pid 20921] [client 10.204.39.1:31073] AH01998: Connection closed to child 0 with abortive shutdown (server test.thestack.ca:443)
[Thu Jul 23 06:57:37.611919 2020] [proxy:debug] [pid 20923] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/renewApp shared
[Thu Jul 23 06:57:37.611939 2020] [proxy:debug] [pid 20923] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/renewApp local
[Thu Jul 23 06:57:37.612041 2020] [proxy:debug] [pid 20923] proxy_util.c(1936): AH00931: initialized single connection worker in child 20923 for (localhost)
[Thu Jul 23 06:57:37.612075 2020] [proxy:debug] [pid 20923] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/createApp shared
[Thu Jul 23 06:57:37.612083 2020] [proxy:debug] [pid 20923] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/createApp local
[Thu Jul 23 06:57:37.612131 2020] [proxy:debug] [pid 20922] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/renewApp shared
[Thu Jul 23 06:57:37.612149 2020] [proxy:debug] [pid 20922] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/renewApp local
[Thu Jul 23 06:57:37.612168 2020] [proxy:debug] [pid 20923] proxy_util.c(1936): AH00931: initialized single connection worker in child 20923 for (localhost)
[Thu Jul 23 06:57:37.612192 2020] [proxy:debug] [pid 20923] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/consents/user shared
[Thu Jul 23 06:57:37.612211 2020] [proxy:debug] [pid 20923] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/consents/user local
[Thu Jul 23 06:57:37.612214 2020] [proxy:debug] [pid 20922] proxy_util.c(1936): AH00931: initialized single connection worker in child 20922 for (localhost)
[Thu Jul 23 06:57:37.612239 2020] [proxy:debug] [pid 20922] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/createApp shared
[Thu Jul 23 06:57:37.612242 2020] [proxy:debug] [pid 20922] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/createApp local
[Thu Jul 23 06:57:37.612274 2020] [proxy:debug] [pid 20923] proxy_util.c(1936): AH00931: initialized single connection worker in child 20923 for (localhost)
[Thu Jul 23 06:57:37.612315 2020] [proxy:debug] [pid 20922] proxy_util.c(1936): AH00931: initialized single connection worker in child 20922 for (localhost)
[Thu Jul 23 06:57:37.612325 2020] [proxy:debug] [pid 20922] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/consents/user shared
[Thu Jul 23 06:57:37.612334 2020] [proxy:debug] [pid 20922] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/consents/user local
[Thu Jul 23 06:57:37.612350 2020] [proxy:debug] [pid 20922] proxy_util.c(1936): AH00931: initialized single connection worker in child 20922 for (localhost)
[Thu Jul 23 06:57:37.615933 2020] [proxy:debug] [pid 20925] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/renewApp shared
[Thu Jul 23 06:57:37.615949 2020] [proxy:debug] [pid 20925] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/renewApp local
[Thu Jul 23 06:57:37.615967 2020] [proxy:debug] [pid 20925] proxy_util.c(1936): AH00931: initialized single connection worker in child 20925 for (localhost)
[Thu Jul 23 06:57:37.615972 2020] [proxy:debug] [pid 20925] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/createApp shared
[Thu Jul 23 06:57:37.615975 2020] [proxy:debug] [pid 20925] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/createApp local
[Thu Jul 23 06:57:37.615992 2020] [proxy:debug] [pid 20925] proxy_util.c(1936): AH00931: initialized single connection worker in child 20925 for (localhost)
[Thu Jul 23 06:57:37.615996 2020] [proxy:debug] [pid 20925] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/consents/user shared
[Thu Jul 23 06:57:37.616002 2020] [proxy:debug] [pid 20925] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/consents/user local
[Thu Jul 23 06:57:37.616021 2020] [proxy:debug] [pid 20925] proxy_util.c(1936): AH00931: initialized single connection worker in child 20925 for (localhost)
[Thu Jul 23 06:57:37.617882 2020] [proxy:debug] [pid 20924] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/renewApp shared
[Thu Jul 23 06:57:37.617892 2020] [proxy:debug] [pid 20924] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/renewApp local
[Thu Jul 23 06:57:37.617909 2020] [proxy:debug] [pid 20924] proxy_util.c(1936): AH00931: initialized single connection worker in child 20924 for (localhost)
[Thu Jul 23 06:57:37.617914 2020] [proxy:debug] [pid 20924] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/createApp shared
[Thu Jul 23 06:57:37.617917 2020] [proxy:debug] [pid 20924] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/createApp local
[Thu Jul 23 06:57:37.617928 2020] [proxy:debug] [pid 20924] proxy_util.c(1936): AH00931: initialized single connection worker in child 20924 for (localhost)
[Thu Jul 23 06:57:37.617934 2020] [proxy:debug] [pid 20924] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/consents/user shared
[Thu Jul 23 06:57:37.617951 2020] [proxy:debug] [pid 20924] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/consents/user local
[Thu Jul 23 06:57:37.617970 2020] [proxy:debug] [pid 20924] proxy_util.c(1936): AH00931: initialized single connection worker in child 20924 for (localhost)
[Thu Jul 23 06:57:42.602787 2020] [ssl:info] [pid 20921] [client 10.204.39.1:42035] AH01964: Connection to child 0 established (server test.thestack.ca:443)
[Thu Jul 23 06:57:42.602974 2020] [ssl:trace2] [pid 20921] ssl_engine_rand.c(124): Seeding PRNG with 144 bytes of entropy
[Thu Jul 23 06:57:42.603055 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1771): [client 10.204.39.1:42035] OpenSSL: Handshake: start
[Thu Jul 23 06:57:42.603079 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1780): [client 10.204.39.1:42035] OpenSSL: Loop: before/accept initialization
[Thu Jul 23 06:57:42.603095 2020] [core:trace6] [pid 20921] core_filters.c(525): [client 10.204.39.1:42035] core_output_filter: flushing because of FLUSH bucket
[Thu Jul 23 06:57:42.603120 2020] [ssl:trace4] [pid 20921] ssl_engine_io.c(2079): [client 10.204.39.1:42035] OpenSSL: I/O error, 11 bytes expected to read on BIO#55900da48120 [mem: 55900da4d700]
[Thu Jul 23 06:57:42.603131 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1809): [client 10.204.39.1:42035] OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Thu Jul 23 06:57:42.603184 2020] [ssl:debug] [pid 20921] ssl_engine_io.c(1202): (70014)End of file found: [client 10.204.39.1:42035] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Thu Jul 23 06:57:42.603201 2020] [ssl:info] [pid 20921] [client 10.204.39.1:42035] AH01998: Connection closed to child 0 with abortive shutdown (server test.thestack.ca:443)

Below are the virtual host configurations for the two websites, which live on the same Linux web server.

NameVirtualHost *:443

<VirtualHost *:443>
    SSLEngine on
    DocumentRoot /app/apache-tomcat-8.5.37/webapps/thestack-portal
    ServerName test.thestack.ca
    ErrorLog /app/apache-tomcat-8.5.37/logs/thestack-user-portal-error_log
    CustomLog /app/apache-tomcat-8.5.37/logs/thestack-user-portal-access_log common
    SSLCertificateFile /app/thestack/cert/user-portal/test.thestack.ca-cert.pem
    SSLCertificateKeyFile /app/thestack/cert/user-portal/test.thestack.ca-server.key
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /rest/createRenApp http://localhost:8080/thestack-admin/upload/renewAppuser
    ProxyPassReverse /rest/createRenApp http://localhost:8080/thestack-admin/upload/renewAppuser
    ProxyPass /rest/createAsdApp http://localhost:8080/thestack-admin/upload/createAppuser
    ProxyPassReverse /rest/createAsdApp http://localhost:8080/thestack-admin/upload/createAppuser
    ProxyPass /rest/consent http://localhost:8080/thestack-admin/consents/user
    ProxyPassReverse /rest/consent http://localhost:8080/thestack-admin/consents/user
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    DocumentRoot /app/apache-tomcat-8.5.37/webapps/dev-thestack-portal
    ServerName dev.thestack.ca
    ErrorLog /app/apache-tomcat-8.5.37/logs/dev-thestack-user-portal-error_log
    CustomLog /app/apache-tomcat-8.5.37/logs/dev-thestack-user-portal-access_log common
    SSLCertificateFile /app/thestack/cert/user-portal/dev.thestack.ca-cert.pem
    SSLCertificateKeyFile /app/thestack/cert/user-portal/dev.thestack.ca-server.key
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /rest/createRenApp http://localhost:8080/dev-thestack-admin/upload/renewAppuser
    ProxyPassReverse /rest/createRenApp http://localhost:8080/dev-thestack-admin/upload/renewAppuser
    ProxyPass /rest/createAsdApp http://localhost:8080/dev-thestack-admin/upload/createAppuser
    ProxyPassReverse /rest/createAsdApp http://localhost:8080/dev-thestack-admin/upload/createAppuser
    ProxyPass /rest/consent http://localhost:8080/dev-thestack-admin/consents/user
    ProxyPassReverse /rest/consent http://localhost:8080/dev-thestack-admin/consents/user
</VirtualHost>

Thank you!
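As an added illustration (not part of the question or its answer): the sequence in the log above, connection established, OpenSSL still waiting for the 11-byte prefix of a ClientHello, EOF on the socket, abortive shutdown, means the peer closed the TCP connection without sending any TLS at all, which is what a TCP-level health check or port probe typically produces. The script below groups such mod_ssl lines by client and tallies them per source IP so the noisy peer (10.204.39.1 in the question) stands out; the 192.0.2.10 connection is constructed to show a handshake that completes.

```python
import re
from collections import Counter

# Sample error_log excerpt: the 10.204.39.1 lines are taken from the question;
# the 192.0.2.10 lines are constructed to show a handshake that completes.
SAMPLE_LOG = """\
[Thu Jul 23 06:57:37.609883 2020] [ssl:info] [pid 20921] [client 10.204.39.1:31073] AH01964: Connection to child 0 established (server test.thestack.ca:443)
[Thu Jul 23 06:57:37.610516 2020] [ssl:trace4] [pid 20921] ssl_engine_io.c(2079): [client 10.204.39.1:31073] OpenSSL: I/O error, 11 bytes expected to read on BIO#55900da46090 [mem: 55900da4d700]
[Thu Jul 23 06:57:37.610528 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1809): [client 10.204.39.1:31073] OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Thu Jul 23 06:57:37.610541 2020] [ssl:debug] [pid 20921] ssl_engine_io.c(1202): (70014)End of file found: [client 10.204.39.1:31073] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Thu Jul 23 06:57:37.610556 2020] [ssl:info] [pid 20921] [client 10.204.39.1:31073] AH01998: Connection closed to child 0 with abortive shutdown (server test.thestack.ca:443)
[Thu Jul 23 06:57:42.602787 2020] [ssl:info] [pid 20921] [client 10.204.39.1:42035] AH01964: Connection to child 0 established (server test.thestack.ca:443)
[Thu Jul 23 06:57:42.603131 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1809): [client 10.204.39.1:42035] OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Thu Jul 23 06:57:42.603184 2020] [ssl:debug] [pid 20921] ssl_engine_io.c(1202): (70014)End of file found: [client 10.204.39.1:42035] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Thu Jul 23 06:57:42.603201 2020] [ssl:info] [pid 20921] [client 10.204.39.1:42035] AH01998: Connection closed to child 0 with abortive shutdown (server test.thestack.ca:443)
[Thu Jul 23 06:57:50.000000 2020] [ssl:info] [pid 20922] [client 192.0.2.10:50123] AH01964: Connection to child 1 established (server test.thestack.ca:443)
[Thu Jul 23 06:57:50.000100 2020] [ssl:trace3] [pid 20922] ssl_engine_kernel.c(1771): [client 192.0.2.10:50123] OpenSSL: Handshake: start
[Thu Jul 23 06:57:50.004200 2020] [ssl:trace3] [pid 20922] ssl_engine_kernel.c(1771): [client 192.0.2.10:50123] OpenSSL: Handshake: done
"""

# Every per-connection mod_ssl line carries a "[client ip:port]" tag; key on it.
CLIENT_RE = re.compile(r"^\[[^\]]+\] .*?\[client (?P<client>[\d.]+:\d+)\] (?P<msg>.*)$")

def classify_connections(log_text):
    """Group lines by client ip:port and label what happened to each connection."""
    msgs_by_client = {}
    for line in log_text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            msgs_by_client.setdefault(m.group("client"), []).append(m.group("msg"))
    verdicts = {}
    for client, msgs in msgs_by_client.items():
        joined = "\n".join(msgs)
        if "Handshake: done" in joined:
            verdicts[client] = "handshake-ok"
        elif "read client hello" in joined and "AH02007" in joined:
            # OpenSSL was still waiting for the first bytes of a ClientHello when the
            # socket hit EOF: the peer connected and closed without sending any TLS.
            verdicts[client] = "closed-before-clienthello"
        elif "AH02007" in joined or "AH01998" in joined:
            verdicts[client] = "handshake-failed"
        else:
            verdicts[client] = "incomplete"
    return verdicts

def count_by_source(verdicts):
    """Tally verdicts per client IP (port dropped) to see whether one host causes the noise."""
    return Counter((c.rsplit(":", 1)[0], v) for c, v in verdicts.items())
```

Run it against the real error_log at trace3 or higher: a single source IP accumulating only "closed-before-clienthello" verdicts points at a monitor or probe rather than at the TLS configuration.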

Answer 1

Check the openssl package version on both servers, and check whether the gnutls package is present on both servers (you disabled SSL support in the apache config; you may be missing the gnutls package).

You can try temporarily changing the configuration in the apache config and see whether it resolves your error (if it does, it is a library problem):

SSLProtocol all
SSLCipherSuite HIGH:!aNULL:!MD5

As Michael Hampton suggested, if you need more details you can visit the SSL Configuration Generator and Mozilla's wiki.

My preferred choice is (not sure whether it fits your case):

SSLProtocol -All +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
