
After successful TLS handshake the server closes with error SSL routines:SSL3_GET_RECORD:wrong version number

We are using openssl 1.0.2k for our TLS related functionality. In one of our deployments the client is able to complete the TLS handshake using TLSv1.2 and is able to send application data towards the server. After some requests the TLS connection is closed from the server side with the below error: "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number"

TLS handshake steps:

1. Client hello
2. Server Hello
3. Certificate,Certificate Request, Server hello done
4. Certificate,Client Key Exchange,Change Cipher spec,Encrypted handshake message
5. Change Cipher spec,Encrypted handshake message
6. Application data exchanges between client and server
7. Encrypted Alert(server to client)
8. Encrypted Alert (client to server)

The error logs on the server side say "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number"

Can you please let us know the cause of this issue? If the SSL version is mismatching then the handshake phase should not succeed, right? But in our case the handshake is successful, and after some application data transfer our server fails with this error.

If the SSL version is mismatching then the handshake phase should not succeed, right?

No. Every TLS packet has a header, and the header contains a TLS version:

    struct tls_record_header {
        uint8_t type;        /* record_type: 0x16 handshake, 0x17 application data, ... */
        uint8_t version[2];  /* e.g. 03 03 for TLS 1.2 */
        uint8_t length[2];   /* big-endian length of the data that follows */
    };
    /* followed by length bytes of encrypted or raw data */

The header is always sent raw; it is never encrypted. Even if during the handshake the client sent the TLS 1.2 version in all TLS packets, it can send another version after the handshake is finished. Or someone in between can modify the network traffic. In that case OpenSSL throws the described error.

In my case, I was using OpenSSL for the client functionality.

I was calling SSL_set_connect_state after SSL_connect. It should be called before.

SSL_set_connect_state (for the client only) cleans up all the state!

snippet:

    /* OpenSSL 1.1.x source; 1.0.2 does the same with
       s->state = SSL_ST_CONNECT | SSL_ST_BEFORE; instead of ossl_statem_clear(). */
    void SSL_set_connect_state(SSL *s)
    {
        s->server = 0;                               /* act as the client side */
        s->shutdown = 0;
        ossl_statem_clear(s);                        /* handshake state machine back to "before handshake" */
        s->handshake_func = s->method->ssl_connect;  /* the next SSL_read/SSL_write will run a fresh SSL_connect */
        clear_ciphers(s);                            /* drop the negotiated cipher contexts and keys */
    }

In my case:

1) Client <-> Server handshake succeeded.
2) SSL_write from the client side (client sending a message to the server) led to exactly the same error as mentioned in the question (on the server side).

I looked at the packet dump on the server side.

read from 0x2651570 [0x2656c63] (5 bytes => 5 (0x5))
0000 - 16 03 01 01 e2   .....

ERROR 139688140752544:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

1) The 5 bytes read in the above snippet are the size of the SSL record. The server received data and attempted to read an SSL record.

2) The 1st byte of the record is the SSL record type. In this case ===> 0x16 => 22

This itself is wrong: as far as the server is concerned, the handshake was successful and it was expecting application data. Instead it received data with an SSL record for a handshake, hence it was throwing the error.

A correct snippet of application data is as follows: 0x17 ==> 23

read from 0x2664f80 [0x2656c63] (5 bytes => 5 (0x5))
0000 - 17 03 03 00 1c

Since SSL_set_connect_state was called after connecting, the client state was lost, and SSL_write will attempt a handshake if no handshake was performed before (the client thought so, as its state was lost!).

More data on these SSL records can be found here: https://www.ibm.com/support/knowledgecenter/SSB23S_1.1.0.12/gtps7/s5rcd.html
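A worked example added here, written for this page and not code from the question, from either answer, or from OpenSSL: a small C parser for the 5-byte record header described in the first answer, followed by the checks a server applies to each record once the handshake is over, run against the two header dumps quoted in the second answer. It assumes the negotiated version is TLS 1.2 (0x0303) as in the question; the byte stream STREAM and the status names are constructed for the example. The version comparison is the one OpenSSL 1.0.2 makes in ssl3_get_record() (s3_pkt.c) for every record after the first, which is what raises SSL_R_WRONG_VERSION_NUMBER; the content-type handling is the example's own simplification and does not model renegotiation.

```c
#include <stdint.h>
#include <stddef.h>

/* Record-layer content types (RFC 5246, 6.2.1) and limits. */
#define TLS_RT_CHANGE_CIPHER_SPEC 0x14
#define TLS_RT_ALERT              0x15
#define TLS_RT_HANDSHAKE          0x16
#define TLS_RT_APPLICATION_DATA   0x17
#define TLS_HDR_LEN        5
#define TLS_MAX_CIPHERTEXT (16384 + 2048) /* TLSCiphertext.length bound, RFC 5246 6.2.3 */
#define TLS1_2_VERSION     0x0303

enum rec_status {
    REC_OK = 0,
    REC_SHORT_HEADER,         /* fewer than 5 bytes available */
    REC_WRONG_VERSION,        /* what OpenSSL reports as SSL_R_WRONG_VERSION_NUMBER */
    REC_LENGTH_TOO_LARGE,
    REC_UNEXPECTED_HANDSHAKE, /* handshake or CCS record after the handshake finished */
    REC_UNKNOWN_TYPE,
    REC_TRUNCATED             /* stream ends inside a record's payload */
};

struct tls_record_header {
    uint8_t  type;    /* byte 0: 0x16 handshake, 0x17 application data, ... */
    uint16_t version; /* bytes 1-2, big-endian: 0x0303 = TLS 1.2 */
    uint16_t length;  /* bytes 3-4, big-endian: payload bytes that follow */
};

/* Decode the 5 header bytes; the header is never encrypted, so this works in any cipher state. */
enum rec_status tls_parse_header(const uint8_t *buf, size_t n, struct tls_record_header *out)
{
    if (n < TLS_HDR_LEN)
        return REC_SHORT_HEADER;
    out->type    = buf[0];
    out->version = (uint16_t)((buf[1] << 8) | buf[2]);
    out->length  = (uint16_t)((buf[3] << 8) | buf[4]);
    return REC_OK;
}

/* Header checks a server applies to every record once the handshake is done.
   The version comparison is unconditional and comes first, so a stale
   ClientHello record (16 03 01 ...) fails as a wrong version before its
   content type is even looked at. A correctly versioned handshake record
   would be a renegotiation attempt on a real server; not modelled here. */
enum rec_status tls_check_header_post_handshake(const uint8_t *buf, size_t n, uint16_t negotiated)
{
    struct tls_record_header h;
    enum rec_status st = tls_parse_header(buf, n, &h);
    if (st != REC_OK)
        return st;
    if (h.version != negotiated)
        return REC_WRONG_VERSION;
    if (h.length > TLS_MAX_CIPHERTEXT)
        return REC_LENGTH_TOO_LARGE;
    switch (h.type) {
    case TLS_RT_APPLICATION_DATA:
    case TLS_RT_ALERT:            /* e.g. the encrypted close_notify of step 7 */
        return REC_OK;
    case TLS_RT_HANDSHAKE:
    case TLS_RT_CHANGE_CIPHER_SPEC:
        return REC_UNEXPECTED_HANDSHAKE;
    default:
        return REC_UNKNOWN_TYPE;
    }
}

/* Walk back-to-back records as the server does after the handshake. Returns the
   index of the first record that fails (reason stored in *why), or -1 if all pass. */
int tls_first_bad_record(const uint8_t *buf, size_t n, uint16_t negotiated, enum rec_status *why)
{
    size_t off = 0;
    int idx = 0;
    enum rec_status st = REC_OK;
    while (off < n) {
        struct tls_record_header h = {0, 0, 0};
        st = tls_check_header_post_handshake(buf + off, n - off, negotiated);
        if (st == REC_OK) {
            tls_parse_header(buf + off, n - off, &h);       /* validated just above */
            if (n - off - TLS_HDR_LEN < h.length)
                st = REC_TRUNCATED;
        }
        if (st != REC_OK) {
            if (why) *why = st;
            return idx;
        }
        off += TLS_HDR_LEN + h.length;
        idx++;
    }
    if (why) *why = REC_OK;
    return -1;
}

/* The two 5-byte headers quoted in the answer above (their payloads are not shown there). */
static const uint8_t HDR_STALE_CLIENT_HELLO[] = { 0x16, 0x03, 0x01, 0x01, 0xe2 };
static const uint8_t HDR_APPLICATION_DATA[]   = { 0x17, 0x03, 0x03, 0x00, 0x1c };

/* Constructed stream (not from the page): two good application-data records,
   then a handshake record carrying version 03 01, i.e. the client started
   over after losing its state. Payload bytes are arbitrary filler. */
static const uint8_t STREAM[] = {
    0x17, 0x03, 0x03, 0x00, 0x02, 0xaa, 0xbb,
    0x17, 0x03, 0x03, 0x00, 0x01, 0xcc,
    0x16, 0x03, 0x01, 0x00, 0x03, 0x01, 0x02, 0x03
};
```

Running the checks over the dumps: 17 03 03 00 1c passes, while 16 03 01 01 e2 is rejected with REC_WRONG_VERSION because the record version 03 01 does not equal the negotiated 03 03; that comparison fires before the content type 0x16 is considered, which is why the server log says "wrong version number" rather than "unexpected message". Walking STREAM reproduces the "after some requests" symptom from the question: records 0 and 1 are accepted and record 2 is the first failure. A handshake record that did carry 03 03 would instead come out as REC_UNEXPECTED_HANDSHAKE, and an application-data record whose version bytes were rewritten in transit (the middlebox case from the first answer) is again REC_WRONG_VERSION.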
