C ++电子邮件客户端中的OpenSSL - 服务器关闭与TLSv1警报消息的连接
[英]OpenSSL in C++ email client - server closes connection with TLSv1 Alert message
问题描述
My app connects to a IMAP email server. 
我的应用程序连接到IMAP电子邮件服务器。 One client configured his server to reject SSLv2 certificates, and now my app fails to connect to the server. 一个客户端将其服务器配置为拒绝SSLv2证书,现在我的应用程序无法连接到服务器。 All other email clients connect to this server successfully. 所有其他电子邮件客户端都成功连接到此服 My app uses openssl. 我的应用使用openssl。
I debugged by creating minimal openssl client and attempt to connect to the server. 我通过创建最小的openssl客户端并尝试连接到服务器进行调试。 Below is the code with connects to the mail server (using Windows sockets, but same problem is with unix sockets). 下面是连接到邮件服务器的代码(使用Windows套接字,但同样的问题是使用unix套接字)。
Server sends its initial IMAP greeting message, but after client sends 1st command, server closes connection. 服务器发送其初始IMAP问候消息,但在客户端发送第一个命令后,服务器关闭连接。 In Wireshark, I see that after sending command to server, it returns TLSv1 error message 21 (Encrypted Alert) and connection is gone. 在Wireshark中,我看到在向服务器发送命令后,它返回TLSv1错误消息21(加密警报)并且连接已消失。
I'm looking for proper setup of OpenSSL for this connection to succeed. 我正在寻找适当的OpenSSL设置,以使此连接成功。 Thanks 谢谢
#include <stdio.h>
#include <memory.h>
#include <errno.h>
#include <sys/types.h>
#include <winsock2.h>
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#define CHK_NULL(x) if((x)==NULL) exit(1)
#define CHK_ERR(err,s) if((err)==-1) { perror(s); exit(1); }
#define CHK_SSL(err) if((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }
SSL *ssl;
char buf[4096];
void write(const char *s){
int err = SSL_write(ssl, s, strlen(s));
printf("> %s\n", s);
CHK_SSL(err);
}
void read(){
int n = SSL_read(ssl, buf, sizeof(buf) - 1);
CHK_SSL(n);
if(n==0){
int e = SSL_get_error(ssl, 0);
printf("Read error %i\n", e);
exit(1);
}
buf[n] = 0;
printf("%s\n", buf);
}
void main(){
int err=0;
SSLeay_add_ssl_algorithms();
SSL_METHOD *meth = SSLv23_client_method();
SSL_load_error_strings();
SSL_CTX *ctx = SSL_CTX_new(meth);
CHK_NULL(ctx);
WSADATA data;
WSAStartup(0x202, &data);
int sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
CHK_ERR(sd, "socket");
struct sockaddr_in sa;
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr("195.137.27.14");
sa.sin_port = htons(993);
err = connect(sd,(struct sockaddr*) &sa, sizeof(sa));
CHK_ERR(err, "connect");
/* ----------------------------------------------- */
/* Now we have TCP connection. Start SSL negotiation. */
ssl = SSL_new(ctx); CHK_NULL(ssl);
SSL_set_fd(ssl, sd);
err = SSL_connect(ssl); CHK_SSL(err);
// Following two steps are optional and not required for data exchange to be successful.
/*
printf("SSL connection using %s\n", SSL_get_cipher(ssl));
X509 *server_cert = SSL_get_peer_certificate(ssl); CHK_NULL(server_cert);
printf("Server certificate:\n");
char *str = X509_NAME_oneline(X509_get_subject_name(server_cert),0,0);
CHK_NULL(str);
printf(" subject: %s\n", str);
OPENSSL_free(str);
str = X509_NAME_oneline(X509_get_issuer_name (server_cert),0,0);
CHK_NULL(str);
printf(" issuer: %s\n", str);
OPENSSL_free(str);
// We could do all sorts of certificate verification stuff here before deallocating the certificate.
X509_free(server_cert);
*/
printf("\n\n");
read(); // get initial IMAP greeting
write("1 CAPABILITY\r\n"); // send 1st command
read(); // get reply to cmd; server closes connection here
write("2 LOGIN a b\r\n");
read();
SSL_shutdown(ssl);
closesocket(sd);
SSL_free(ssl);
SSL_CTX_free(ctx);
}
1 个解决方案
解决方案1
4 已采纳 2012-03-24 13:20:43
It seems that the host you are trying to connect to has a buggy TLS implementation. 您尝试连接的主机似乎有一个错误的TLS实现。 Using the openssl command-line tool, I have discovered the following. 使用openssl命令行工具,我发现了以下内容。
First of all, the file imap contains a silly IMAP session: 首先,文件imap包含一个愚蠢的IMAP会话:
A1 CAPABILITY
A2 LOGIN foo bar
Then, the command: 然后,命令:
openssl s_client -ign_eof -crlf -pause -connect 195.137.27.14:993 < imap
Fails as follows: 失败如下:
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/serialNumber=iGXzgDJpD6t8m5jQNY0xwwcCiwwlXzET/C=GB/O=mail1.firedupgroup.co.uk/OU=GT57369617/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=mail1.firedupgroup.co.uk
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE6TCCA9GgAwIBAgIDA+NwMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTExMTA2MTQ1MDQwWhcNMTQxMTA4MTUwNTIwWjCB9zEpMCcGA1UEBRMgaUdY
emdESnBENnQ4bTVqUU5ZMHh3d2NDaXd3bFh6RVQxCzAJBgNVBAYTAkdCMSEwHwYD
VQQKExhtYWlsMS5maXJlZHVwZ3JvdXAuY28udWsxEzARBgNVBAsTCkdUNTczNjk2
MTcxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg
KGMpMTExLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk
U1NMKFIpMSEwHwYDVQQDExhtYWlsMS5maXJlZHVwZ3JvdXAuY28udWswggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC80HlFa86b8C4N9NEpu904iluVyYEH
rwZaIYNR6cvfHl/QXut+h4080UoIxxFmSsuVI9YBJBf/J6ZnJoFTZsJITuoI89G/
4/nmcuGPOeJIrlMnWHZE56N5bVNDFDsNeroE2ieQKiJN2IT9lUA7uZHtJuokXlfz
Xg6DEWBXokAjPc3VeS2eBDfajY2SLZNdRxGYzyQkaW43pMaz4FR9WKljsRvvvKUI
G0Hnsy1vpjCDw3io4C+IY8tClZFVnLthQQEbceD93LS/AUsaZEZWf4pppFviYHze
HuiZ6IlYvLzLaYtCurNaJhs2Yf6kNPDbfCFSWbCrfdf86feQxt/JyR4HAgMBAAGj
ggE2MIIBMjAfBgNVHSMEGDAWgBRraT1qGEJK3Y8CZTn9NSSGeJEWMDAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCMGA1UdEQQc
MBqCGG1haWwxLmZpcmVkdXBncm91cC5jby51azBDBgNVHR8EPDA6MDigNqA0hjJo
dHRwOi8vcmFwaWRzc2wtY3JsLmdlb3RydXN0LmNvbS9jcmxzL3JhcGlkc3NsLmNy
bDAdBgNVHQ4EFgQUC0oWYx2XW3qtt3Xq6mUljQlYb+UwDAYDVR0TAQH/BAIwADBJ
BggrBgEFBQcBAQQ9MDswOQYIKwYBBQUHMAKGLWh0dHA6Ly9yYXBpZHNzbC1haWEu
Z2VvdHJ1c3QuY29tL3JhcGlkc3NsLmNydDANBgkqhkiG9w0BAQUFAAOCAQEAXX5N
EYNlVqiu8LIn39JODWCUbqZQOHOSquC+VxTyLRaUjrkrnU0oCDqKTs/C6qGBqiqC
7gaZKn2k+KjTMu2rTtgO/BHve6y9kKz7oLgXqfjZp6965O+x4BV5/GyVbwmV5gyU
dRZ5U83Vhwut5MxbiMyxnZHtuz9jGMC08O3Gc84N1Ox18FwOE8HpQIHOO99ISxOi
8TgVe/NJvd4f/nn7GPTyVDQpGOJ2dqHYUNpAMMVXKmCeNq+u0nXXZFXUkkkVxmrC
aINtUJuelF6V4vxtyERwReviAct9vcIrg3011p7NYbZ5fVA8thSYcnacfe1jyp5Z
XSPY6tC26zmbIPmHHg==
-----END CERTIFICATE-----
subject=/serialNumber=iGXzgDJpD6t8m5jQNY0xwwcCiwwlXzET/C=GB/O=mail1.firedupgroup.co.uk/OU=GT57369617/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=mail1.firedupgroup.co.uk
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3300 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 9F1200004D888506211A976BF1CC755C873789D8256936638BF9C9E66DAA9438
Session-ID-ctx:
Master-Key: A67DE8C76371B8034AA60447ECB97ED631E55E4E713F64FAA49D2DBAC07A6339719F4C4DD4E1FD2BC5E41EDCC2CF22FE
Key-Arg : None
Start Time: 1332595025
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
* OK firedupgroup.co.uk IMAP4rev1 MDaemon 9.6.2 ready
closed
But the command: 但命令:
openssl s_client -bugs -ign_eof -crlf -pause -connect 195.137.27.14:993 < imap
Succeeds: 成功:
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/serialNumber=iGXzgDJpD6t8m5jQNY0xwwcCiwwlXzET/C=GB/O=mail1.firedupgroup.co.uk/OU=GT57369617/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=mail1.firedupgroup.co.uk
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE6TCCA9GgAwIBAgIDA+NwMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTExMTA2MTQ1MDQwWhcNMTQxMTA4MTUwNTIwWjCB9zEpMCcGA1UEBRMgaUdY
emdESnBENnQ4bTVqUU5ZMHh3d2NDaXd3bFh6RVQxCzAJBgNVBAYTAkdCMSEwHwYD
VQQKExhtYWlsMS5maXJlZHVwZ3JvdXAuY28udWsxEzARBgNVBAsTCkdUNTczNjk2
MTcxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg
KGMpMTExLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk
U1NMKFIpMSEwHwYDVQQDExhtYWlsMS5maXJlZHVwZ3JvdXAuY28udWswggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC80HlFa86b8C4N9NEpu904iluVyYEH
rwZaIYNR6cvfHl/QXut+h4080UoIxxFmSsuVI9YBJBf/J6ZnJoFTZsJITuoI89G/
4/nmcuGPOeJIrlMnWHZE56N5bVNDFDsNeroE2ieQKiJN2IT9lUA7uZHtJuokXlfz
Xg6DEWBXokAjPc3VeS2eBDfajY2SLZNdRxGYzyQkaW43pMaz4FR9WKljsRvvvKUI
G0Hnsy1vpjCDw3io4C+IY8tClZFVnLthQQEbceD93LS/AUsaZEZWf4pppFviYHze
HuiZ6IlYvLzLaYtCurNaJhs2Yf6kNPDbfCFSWbCrfdf86feQxt/JyR4HAgMBAAGj
ggE2MIIBMjAfBgNVHSMEGDAWgBRraT1qGEJK3Y8CZTn9NSSGeJEWMDAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCMGA1UdEQQc
MBqCGG1haWwxLmZpcmVkdXBncm91cC5jby51azBDBgNVHR8EPDA6MDigNqA0hjJo
dHRwOi8vcmFwaWRzc2wtY3JsLmdlb3RydXN0LmNvbS9jcmxzL3JhcGlkc3NsLmNy
bDAdBgNVHQ4EFgQUC0oWYx2XW3qtt3Xq6mUljQlYb+UwDAYDVR0TAQH/BAIwADBJ
BggrBgEFBQcBAQQ9MDswOQYIKwYBBQUHMAKGLWh0dHA6Ly9yYXBpZHNzbC1haWEu
Z2VvdHJ1c3QuY29tL3JhcGlkc3NsLmNydDANBgkqhkiG9w0BAQUFAAOCAQEAXX5N
EYNlVqiu8LIn39JODWCUbqZQOHOSquC+VxTyLRaUjrkrnU0oCDqKTs/C6qGBqiqC
7gaZKn2k+KjTMu2rTtgO/BHve6y9kKz7oLgXqfjZp6965O+x4BV5/GyVbwmV5gyU
dRZ5U83Vhwut5MxbiMyxnZHtuz9jGMC08O3Gc84N1Ox18FwOE8HpQIHOO99ISxOi
8TgVe/NJvd4f/nn7GPTyVDQpGOJ2dqHYUNpAMMVXKmCeNq+u0nXXZFXUkkkVxmrC
aINtUJuelF6V4vxtyERwReviAct9vcIrg3011p7NYbZ5fVA8thSYcnacfe1jyp5Z
XSPY6tC26zmbIPmHHg==
-----END CERTIFICATE-----
subject=/serialNumber=iGXzgDJpD6t8m5jQNY0xwwcCiwwlXzET/C=GB/O=mail1.firedupgroup.co.uk/OU=GT57369617/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=mail1.firedupgroup.co.uk
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3300 bytes and written 423 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 261200008CB526A49A014E97D510AA7FDA08DDAC797B8B78B3ABEEF4A64B3228
Session-ID-ctx:
Master-Key: 457E9FFB43C77E028211A0FDB9915FCB374A55445ED15498E2C5AFDBEA52C9A413CC8D79EE29ECA823E038A93363B9D6
Key-Arg : None
Start Time: 1332595088
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
* OK firedupgroup.co.uk IMAP4rev1 MDaemon 9.6.2 ready
* CAPABILITY IMAP4rev1 NAMESPACE AUTH=CRAM-MD5 AUTH=LOGIN AUTH=PLAIN IDLE ACL UNSELECT UIDPLUS
A1 OK CAPABILITY completed
A2 NO LOGIN failed
Which means you need to enable OpenSSL's bug workarounds, as described in the SSL_CTX_set_options(3) manual page. 这意味着您需要启用OpenSSL的错误解决方法,如SSL_CTX_set_options(3)手册页中所述。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
SSL3_READ_BYTES:tlsv1 警报内部错误、安全套接字、OpenSSL、C++、获取 HTTPS 页面 - SSL3_READ_BYTES:tlsv1 alert internal error, secure sockets, OpenSSL, C++, getting HTTPS page
使用 libmosquitto 的客户端使用 TLS 获取“tlsv1 警报内部错误”,在没有 TLS 的情况下工作正常 - Client using libmosquitto gets "tlsv1 alert internal error" using TLS, works fine without TLS
C++ 套接字连接中的 OpenSSL(HTTPS 客户端) - OpenSSL in C++ Socket Connection (HTTPS Client)
用于客户端TLS连接的OpenSSL或LibreSSL C ++示例 - OpenSSL or LibreSSL C++ sample for client TLS connection
C ++服务器-客户端消息同步 - C++ Server - Client Message Sync
客户端到服务器发送字符串消息C ++ - Client to Server sending string message c++
iocp openssl peer server 与 ConnectEx 连接后关闭连接 - iocp openssl peer server closes the connection after connecting with ConnectEx
客户端关闭连接时服务器套接字完成 - Server socket finishes when client closes connection
C++ 多线程关闭 TCP 连接 - C++ multithreading closes TCP connection
C#客户端到C ++服务器Tcp套接字连接错误 - C# client to C++ server Tcp socket connection error
相关标签