我尝试在 Arch Linux 中使用 piding 连接到我们的内部 XMPP 服务器,但SSL Handshake Failed
在 Pidgin 中总是出现错误。
这些是我运行时收到的错误行pidgin -d
:
(10:52:25) jabber: Sending (user@host): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(10:52:25) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
(10:52:25) nss: Handshake failed (-12173)
(10:52:25) connection: Connection error on 0x16385f0 (reason: 5 description: SSL Handshake Failed)
(10:52:25) account: Disconnecting account user@host/ (0x1820c60)
我搜索了那个 nss 错误,发现这里这个错误意味着服务器正在使用某种不安全的密钥交换(我想)。
不管怎样,我尝试ssltap -s -p 5222 host:5222
指向 Pidgin 来localhost:5222
获取握手日志,就是这样:
Connected to HOST:5222
--> [
<?xml version='1.0' ?><stream:stream to='HOST' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>]
<-- [
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="HOST" id="7d2b1460" xml:lang="en" version="1.0">]
<-- [
<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms></stream:features>]
--> [
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>]
<-- [
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>]
--> [
(151 bytes of 146)
SSLRecord { [Wed Feb 24 10:44:10 2016]
type = 22 (handshake)
version = { 3,1 }
length = 146 (0x92)
handshake {
type = 1 (client_hello)
length = 142 (0x00008e)
ClientHelloV3 {
client_version = {3, 3}
random = {...}
session ID = {
length = 0
contents = {...}
}
cipher_suites[17] = {
(0xc02b) TLS/ECDHE-ECDSA/AES128-GCM/SHA256
(0xc02f) TLS/ECDHE-RSA/AES128-GCM/SHA256
(0xc00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA
(0xc009) TLS/ECDHE-ECDSA/AES128-CBC/SHA
(0xc013) TLS/ECDHE-RSA/AES128-CBC/SHA
(0xc027) TLS/ECDHE-RSA/AES128-CBC/SHA256
(0xc014) TLS/ECDHE-RSA/AES256-CBC/SHA
(0xc007) TLS/ECDHE-ECDSA/RC4-128/SHA
(0xc011) TLS/ECDHE-RSA/RC4-128/SHA
(0x009e) TLS/DHE-RSA/AES128-GCM/SHA256
(0x0033) TLS/DHE-RSA/AES128-CBC/SHA
(0x0032) TLS/DHE-DSS/AES128-CBC/SHA
(0x0067) TLS/DHE-RSA/AES128-CBC/SHA256
(0x0039) TLS/DHE-RSA/AES256-CBC/SHA
(0x006b) TLS/DHE-RSA/AES256-CBC/SHA256
(0x002f) TLS/RSA/AES128-CBC/SHA
(0x0035) TLS/RSA/AES256-CBC/SHA
}
compression[1] = {
(00) NULL
}
extensions[67] = {
extension type server_name, length [14] = {
0: 00 0c 00 00 09 6c 6f 63 61 6c 68 6f 73 74 | .....localhost
}
extension type renegotiation_info, length [1] = {
0: 00 | .
}
extension type elliptic_curves, length [8] = {
0: 00 06 00 17 00 18 00 19 | ........
}
extension type ec_point_formats, length [2] = {
0: 01 00 | ..
}
extension type signature_algorithms, length [22] = {
0: 00 14 04 01 05 01 06 01 02 01 04 03 05 03 06 03 | ................
10: 02 03 04 02 02 02 | ......
}
}
}
}
}
]
<-- [
(2778 bytes of 2773)
SSLRecord { [Wed Feb 24 10:44:10 2016]
type = 22 (handshake)
version = { 3,1 }
length = 2773 (0xad5)
handshake {
type = 2 (server_hello)
length = 70 (0x000046)
ServerHello {
server_version = {3, 1}
random = {...}
session ID = {
length = 32
contents = {...}
}
cipher_suite = (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
compression method = (00) NULL
}
type = 11 (certificate)
length = 2135 (0x000857)
CertificateChain {
chainlength = 2132 (0x0854)
Certificate {
size = 925 (0x039d)
data = { saved in file 'cert.001' }
}
Certificate {
size = 1201 (0x04b1)
data = { saved in file 'cert.002' }
}
}
type = 12 (server_key_exchange)
length = 552 (0x000228)
type = 14 (server_hello_done)
length = 0 (0x000000)
}
}
]
--> [
(7 bytes of 2)
SSLRecord { [Wed Feb 24 10:44:10 2016]
type = 21 (alert)
version = { 3,1 }
length = 2 (0x2)
fatal: illegal_parameter
}
]
Read EOF on Client socket. [Wed Feb 24 10:44:10 2016]
Read EOF on Server socket. [Wed Feb 24 10:44:10 2016]
看起来服务器和客户端同意了TLS/DHE-RSA/AES128-CBC/SHA
,但是客户端失败了。是这样吗?我已将cert.001
和添加cert.002
到 Pidgin 证书中,但这没有帮助。
因为它是内部服务器,所以我不需要安全性,也不关心它。我将 Pidgin 中的帐户设置修改为Use encryption if available
和 ,Allow plaintext auth over unencrypted streams
但它不起作用。
非常感谢有关如何使 Pidgin(或 NSS)接受我的服务器的任何帮助。
输出pidgin --version
Pidgin 2.10.12 (libpurple 2.10.12)
输出pacman -Qi nss
Name : nss
Version : 3.22-1
Description : Mozilla Network Security Services
Architecture : x86_64
URL : http://www.mozilla.org/projects/security/pki/nss/
Licenses : MPL GPL
Groups : None
Provides : None
Depends On : nspr>=4.10.10 sqlite zlib sh p11-kit
Optional Deps : None
Required By : atom-editor firefox jre8-openjdk-headless libnm-glib libpurple qca-qt4 qca-qt5
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 5.80 MiB
Packager : Jan Alexander Steffens (heftig) <[email protected]>
Build Date : Fri Feb 5 15:09:40 2016
Install Date : Mon Feb 22 17:13:39 2016
Install Reason : Installed as a dependency for another package
Install Script : Yes
Validated By : Signature
编辑:
我忘了提及我无权访问服务器,所以我无法更改那里的任何内容。