davfs - SSL 握手失败:SSL 错误:sslv3 警报握手失败

davfs - SSL 握手失败:SSL 错误:sslv3 警报握手失败

我正在尝试在我的 Ubuntu 12.04 机器上使用 https 安装远程 WebDAV(OwnCloud)。

我运行此命令,它提示我输入用户名和密码

sudo mount -t davfs -o uid=ne,gid=users https://example/owncloud/remote.php/webdav/ /mount/remote

然后我得到错误

/sbin/mount.davfs:挂载失败。SSL 握手失败:SSL 错误:sslv3 警报握手失败

其他机器(包括Android)能​​够正确连接到WebDAVS。

我该如何避免此错误?如果这有区别的话,该证书是由 CloudFlare 签名的 - 但这似乎不会对访问 OwnCloud 实例的任何其他系统造成问题。

运行curl -v https://example.com一切正常

* About to connect() to example.com port 443 (#0)
*   Trying 104.28.29.14... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-ECDSA-AES128-SHA
* Server certificate:
*    subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=sni29581.cloudflaressl.com
*    start date: 2014-10-26 00:00:00 GMT
*    expire date: 2015-09-30 23:59:59 GMT
*    subjectAltName: example.com matched
*    issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO ECC Domain Validation Secure Server CA 2
*    SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: example.com
> Accept: */*
> 
< HTTP/1.1 302 Moved Temporarily
< Server: cloudflare-nginx
< Date: Mon, 27 Oct 2014 11:30:08 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=da7fc86a1e00780f7eea162120e2c4fe51414409408265; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.example.com; HttpOnly
< Set-Cookie: DYNSRV=lin194; path=/
< CF-RAY: 17fe8f51aaa71365-LHR
< 
* Connection #0 to host example.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

我也尝试过,openssl s_client -host example.com -port 443但这让我Verify return code: 20 (unable to get local issuer certificate)

CONNECTED(00000003)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=ssl2000.cloudflare.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(truncated)
bJLtKDaYbNmULxY=
-----END CERTIFICATE-----
subject=/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=ssl2000.cloudflare.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 3158 bytes and written 363 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: EAC9072E6FFBD3E7AEA20B6C4D57F229DCC887CFAB08C2D47C0A546318A794E0
    Session-ID-ctx: 
    Master-Key: 50ED2846908537665D348FCB07BB69ACEAD182F062F8235E5C7ED4958B4D446D70701E4C6876DE2DA06322BA090C46D5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    0000 - f1 98 d3 dc 67 02 22 1f-24 88 b7 dc 1c 1a 13 6a   ....g.".$......j
    (truncated)
    Start Time: 1414409459
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

我有尝试更新到最新的 libneon但这并没有什么区别。

更新

自从升级到最新的 OpenSSL 后,我现在收到了不同的错误

SSL 握手失败:收到 SSL 警报:握手失败

正如其他地方所建议的,运行openssl s_client -host example.com -port 443 -ssl3返回:

验证返回代码:0(确定)

我有编译并安装 libneon 30.1

./configure --prefix=/usr --enable-shared --with-ssl=openssl --disable-static

但错误仍然存​​在。

答案1

好的,这就是我所做的!

抓住libneon 30.1- 并将其解压到一个目录中。

编译

./configure --prefix=/usr --enable-shared --with-ssl=openssl --disable-static
make
sudo make install

我们现在需要替换旧的libneon-gnutls.so——我们希望最终结果看起来像

/usr/lib/libneon-gnutls.so.27 -> /usr/lib/libneon.so.27
/usr/lib/libneon.so -> libneon.so.27.3.1
/usr/lib/libneon.so.27 -> libneon.so.27.3.1

首先,备份旧版本。 sudo mv /usr/lib/libneon-gnutls.so.27 /usr/lib/libneon-gnutls.so.27.old

然后,在/usr/lib/

sudo ln -s /usr/lib/libneon.so.27.3.1 libneon.so.27 
sudo ln -s /usr/lib/libneon-gnutls.so.27.3.1 libneon.so 
sudo ln -s /usr/lib/libneon.so.27 libneon-gnutls.so.27

这使得一切都正常!

相关内容