洋泾浜握手失败

洋泾浜握手失败

我尝试在 Arch Linux 中使用 piding 连接到我们的内部 XMPP 服务器,但SSL Handshake Failed在 Pidgin 中总是出现错误。

这些是我运行时收到的错误行pidgin -d

(10:52:25) jabber: Sending (user@host): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(10:52:25) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
(10:52:25) nss: Handshake failed  (-12173)
(10:52:25) connection: Connection error on 0x16385f0 (reason: 5 description: SSL Handshake Failed)
(10:52:25) account: Disconnecting account user@host/ (0x1820c60)

我搜索了那个 nss 错误,发现这里这个错误意味着服务器正在使用某种不安全的密钥交换(我想)。

不管怎样,我尝试ssltap -s -p 5222 host:5222指向 Pidgin 来localhost:5222获取握手日志,就是这样:

Connected to HOST:5222
--> [
<?xml version='1.0' ?><stream:stream to='HOST' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>]
<-- [
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="HOST" id="7d2b1460" xml:lang="en" version="1.0">]
<-- [
<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms></stream:features>]
--> [
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>]
<-- [
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>]
--> [
(151 bytes of 146)
SSLRecord { [Wed Feb 24 10:44:10 2016]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 146 (0x92)
   handshake {
      type = 1 (client_hello)
      length = 142 (0x00008e)
         ClientHelloV3 {
            client_version = {3, 3}
            random = {...}
            session ID = {
                length = 0
                contents = {...}
            }
            cipher_suites[17] = {
                (0xc02b) TLS/ECDHE-ECDSA/AES128-GCM/SHA256
                (0xc02f) TLS/ECDHE-RSA/AES128-GCM/SHA256
                (0xc00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA
                (0xc009) TLS/ECDHE-ECDSA/AES128-CBC/SHA
                (0xc013) TLS/ECDHE-RSA/AES128-CBC/SHA
                (0xc027) TLS/ECDHE-RSA/AES128-CBC/SHA256
                (0xc014) TLS/ECDHE-RSA/AES256-CBC/SHA
                (0xc007) TLS/ECDHE-ECDSA/RC4-128/SHA
                (0xc011) TLS/ECDHE-RSA/RC4-128/SHA
                (0x009e) TLS/DHE-RSA/AES128-GCM/SHA256
                (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
                (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
                (0x0067) TLS/DHE-RSA/AES128-CBC/SHA256
                (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
                (0x006b) TLS/DHE-RSA/AES256-CBC/SHA256
                (0x002f) TLS/RSA/AES128-CBC/SHA
                (0x0035) TLS/RSA/AES256-CBC/SHA
            }
            compression[1] = {
                (00) NULL
            }
            extensions[67] = {
              extension type server_name, length [14] = {
   0: 00 0c 00 00  09 6c 6f 63  61 6c 68 6f  73 74        | .....localhost
              }
              extension type renegotiation_info, length [1] = {
   0: 00                                                  | .
              }
              extension type elliptic_curves, length [8] = {
   0: 00 06 00 17  00 18 00 19                            | ........
              }
              extension type ec_point_formats, length [2] = {
   0: 01 00                                               | ..
              }
              extension type signature_algorithms, length [22] = {
   0: 00 14 04 01  05 01 06 01  02 01 04 03  05 03 06 03  | ................
  10: 02 03 04 02  02 02                                  | ......
              }
            }
         }
   }
}
]
<-- [
(2778 bytes of 2773)
SSLRecord { [Wed Feb 24 10:44:10 2016]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 2773 (0xad5)
   handshake {
      type = 2 (server_hello)
      length = 70 (0x000046)
         ServerHello {
            server_version = {3, 1}
            random = {...}
            session ID = {
                length = 32
                contents = {...}
            }
            cipher_suite = (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
            compression method = (00) NULL
         }
      type = 11 (certificate)
      length = 2135 (0x000857)
         CertificateChain {
            chainlength = 2132 (0x0854)
            Certificate {
               size = 925 (0x039d)
               data = { saved in file 'cert.001' }
            }
            Certificate {
               size = 1201 (0x04b1)
               data = { saved in file 'cert.002' }
            }
         }
      type = 12 (server_key_exchange)
      length = 552 (0x000228)
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
--> [
(7 bytes of 2)
SSLRecord { [Wed Feb 24 10:44:10 2016]
   type    = 21 (alert)
   version = { 3,1 }
   length  = 2 (0x2)
   fatal: illegal_parameter
}
]
Read EOF on Client socket. [Wed Feb 24 10:44:10 2016]
Read EOF on Server socket. [Wed Feb 24 10:44:10 2016]

看起来服务器和客户端同意了TLS/DHE-RSA/AES128-CBC/SHA,但是客户端失败了。是这样吗?我已将cert.001和添加cert.002到 Pidgin 证书中,但这没有帮助。

因为它是内部服务器,所以我不需要安全性,也不关心它。我将 Pidgin 中的帐户设置修改为Use encryption if available和 ,Allow plaintext auth over unencrypted streams但它不起作用。

非常感谢有关如何使 Pidgin(或 NSS)接受我的服务器的任何帮助。

输出pidgin --version

Pidgin 2.10.12 (libpurple 2.10.12)

输出pacman -Qi nss

Name            : nss
Version         : 3.22-1
Description     : Mozilla Network Security Services
Architecture    : x86_64
URL             : http://www.mozilla.org/projects/security/pki/nss/
Licenses        : MPL  GPL
Groups          : None
Provides        : None
Depends On      : nspr>=4.10.10  sqlite  zlib  sh  p11-kit
Optional Deps   : None
Required By     : atom-editor  firefox  jre8-openjdk-headless  libnm-glib  libpurple  qca-qt4  qca-qt5
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 5.80 MiB
Packager        : Jan Alexander Steffens (heftig) <[email protected]>
Build Date      : Fri Feb 5 15:09:40 2016
Install Date    : Mon Feb 22 17:13:39 2016
Install Reason  : Installed as a dependency for another package
Install Script  : Yes
Validated By    : Signature

编辑:

我忘了提及我无权访问服务器,所以我无法更改那里的任何内容。

相关内容