BIO_do_connect() fails seemingly because SSL v3 is used, is there a way to get more diagnostics?

I wrote a class to handle SSL connections that I use to communicate with Paypal.

It worked just fine for about a year and now it fails right away. From the error I get, it would seem that this happens because they (finally) turned off the SSLv3 cipher. Yet, I thought it was turned off on my end already.

Here is the error I get when attempting my connection with my code:

139673112286976:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1262:SSL alert number 40

I get the exact same error if I try to connect with -ssl3 using the command line tool:

openssl s_client -connect api.sandbox.paypal.com:443 -ssl3

Note that the command line without the -ssl3 option works as expected.

And I have seen a couple of posts that say that the error means there is a problem with the cipher used, leading me to think that is the problem I'm running into.

For those interested, the whole class is found in our snapcpp git (go up one to get the .h and other files from the snapwebsites library).

Here is the relevant code. I removed the error checking happening before the one that triggers the current failure:

#include <memory>
#include <string>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bio.h>

// addr, port, ssl_ctx_deleter, bio_deleter and tcp_client_server_initialization_error
// are members/helpers of the class (see the snapcpp git linked above).

// context created with a fixed TLS 1.0-only client method
std::shared_ptr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLSv1_client_method()), ssl_ctx_deleter);
SSL_CTX_set_verify_depth(ssl_ctx.get(), 4);
// disable the protocol versions we do not want to speak
SSL_CTX_set_options(ssl_ctx.get(), SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_COMPRESSION);
SSL_CTX_set_cipher_list(ssl_ctx.get(), "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4");
SSL_CTX_load_verify_locations(ssl_ctx.get(), NULL, "/etc/ssl/certs");
// SSL BIO that connects and handshakes in one go
std::shared_ptr<BIO> bio(BIO_new_ssl_connect(ssl_ctx.get()), bio_deleter);
SSL * ssl(nullptr);
BIO_get_ssl(bio.get(), &ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
BIO_set_conn_hostname(bio.get(), const_cast<char *>(addr.c_str()));
BIO_set_conn_int_port(bio.get(), &port);
if(BIO_do_connect(bio.get()) <= 0)
{
    // dump the OpenSSL error queue (this is where the alert 40 message comes from)
    ERR_print_errors_fp(stderr);
    throw tcp_client_server_initialization_error("failed connecting BIO object to server");
}

So my class throws because the BIO_do_connect() gets the error I mentioned earlier. Yet I would think that these options:

SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1

would be enough to avoid SSLv3.

What else could be the culprit?

You stated SSL_OP_NO_TLSv1 yet you use the TLSv1 method.

Try changing TLSv1_client_method() to SSLv23_client_method(). This will allow usage of any method (in fact it will negotiate the highest available SSL/TLS version). You can limit it with SSL_CTX_set_options as you did in your code.

For some reason the documentation says that SSLv23_method() is deprecated and one should use TLS_method(). However, there isn't such a thing in their newest (OpenSSL 1.0.2e) code.
