带有fritzbox的Ubuntu cUrl / OpenSSL握手失败
[英]Ubuntu cUrl/OpenSSL handshake failure with fritzbox
问题描述
我试图在VPS上使用简单的PHP脚本将一些数据插入到fritz.box(6360电缆)中。
Anotherserver.net是我的fritzbox中的有效no-ip地址(可以从公共位置访问fritzbox)。
php脚本尝试使服务器卷曲以获取ssl会话,但是,它以握手错误结束。 所以我尝试了简单的curl命令,如下所示。 curl命令以相同的错误结束。 令人困惑的是,-k /-insecure开关不会对此进行任何更改。 其次,您可以在下面看到的openssl命令完全正常。
root@server:/var/www/mycurl# curl -v -L --sslv3 --cacert cert_file.pem https://anotherserver.net
Rebuilt URL to: https://anotherserver.net/
Hostname was NOT found in DNS cache
Trying 37.xxx.xxx.xx...
Connected to anotherserver.net (37.xxx.xxx.xx) port 443 (#0)
successfully set certificate verify locations:
CAfile: cert_file.pem
CApath: /etc/ssl/certs
SSLv3, TLS handshake, Client hello (1):
SSLv3, TLS alert, Server hello (2):
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Closing connection 0
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
OpenSSL的:
root@server:/var/www/mycurl# openssl s_client -connect anotherserver.net:443 -CAfile cert_file.pem
CONNECTED(00000003)
depth=0 CN = anotherServer.net
verify return:1
---
Certificate chain
0 s:/CN=anotherserver.net
i:/CN=anotherserver.net
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDuzCCAqOgAwIBAgIJANSTbhTXe9WfMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNV
BAMTDmJqYXV4LmRkbnMubmV0MB4XDTE0MDgxODE1NTQ0M1oXDTM4MDExNTE1NTQ0
M1owGTEXMBUGA1UEAxMOYmphdXguZGRucy5uZXQwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCy2fXZVUfe1znuSb5wXzrn3mhIk9a2e+iRBRO9v7mQ4rsO
FU1vyB0bP71r6vkCXUnV7fp5NqnsMw6lEIJxkpJl6CLA1lyP+E05SchYFHCAdo7N
/u3Rpa2Oc4OdDh457ZiEuVizOMXO2dgcKJhjC8i2JtbyITcRBRVrXXudlRdsAnTN
iTD65CLWVUOLHKrXKqxkdFZ7wJ0Xsdv4I5TTmocBb6LMd4yEgTYXT2vwz6wRAX1K
l1yhSlpXHqK+2WDfc42JDfYW4NvhbNTRf7dC/PrY9oI7RK1jxt9y8GrT1XuJL768
qjbrJ2JC8UkiCr9C6s02OIKIidfpybrYPtWDKkt5AgMBAAGjggEEMIIBADAdBgNV
HQ4EFgQUcsDrKlzjGvuMg25sGTdtBIMWGZ0wSQYDVR0jBEIwQIAUcsDrKlzjGvuM
g25sGTdtBIMWGZ2hHaQbMBkxFzAVBgNVBAMTDmJqYXV4LmRkbnMubmV0ggkA1JNu
FNd71Z8wDAYDVR0TBAUwAwEB/zCBhQYDVR0RAQH/BHsweYIOYmphdXguZGRucy5u
ZXSCHGp6OHl6bXJsaDVlcTN4b2YubXlmcml0ei5uZXSCEWZyaXR6LmZvbndsYW4u
Ym94gglmcml0ei5ib3iCDXd3dy5mcml0ei5ib3iCC215ZnJpdHouYm94gg93d3cu
bXlmcml0ei5ib3gwDQYJKoZIhvcNAQEFBQADggEBAJ5LA2+3Z2svWkOrWmJlw3kK
3Iz749HDak9gzYaLP0HB5ssHWJw6H20DEDlsJ4YO8RvSFW3TKnOSooYlFDBg7ips
orElIl9nTQwnS9djp2DOeOWpHAaCMyoUdksOVeF0e6QFo9KlKkAU8tEmzUqsQSQ2
p1mCFHx86pna8dlfG8hcMhW+aVp/i889rLRp7zjtwIYpY/pugpuFHK34PNheGVG7
Y2+bWnnaXVxVteFydbvpxsIUDaegkQoZYbE1AjHV1b7y/eSdX1LEvXOqPDu2jUzT
Y2i9Kr76R6EUKMXiYiBCCGc8pN7dskQl8m/xxXDA6z6+Zh8T32kRHcE0PeRN8Yc=
-----END CERTIFICATE-----
subject=/CN=anotherserver.net
issuer=/CN=anotherserver.net
---
No client certificate CA names sent
---
SSL handshake has read 1109 bytes and written 631 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: A93D457B5DF416DFA40F5934B6C2FC2E6365266104B3300B873E5FC89759E395
Session-ID-ctx:
Master-Key: 790ABDC0B114C882B69FBA693712C08AA43EA409B242F0B2E92EB953A8BC71DD16527F8B3561206A21FD11E7EA8DC04E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1408397806
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
我的服务器openssl版本是:
root@server:/var/www/mycurl# openssl version
OpenSSL 1.0.1f 6 Jan 2014
我的服务器curl版本是:
root@server:/var/www/mycurl# curl --version
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
我的fritz.box的OpenSSL版本似乎是0.98。
编辑2014年8月19日:cert_file.pem实际上是bjaux.ddns.net.pem-“另一台服务器”(bjaux.ddns.net)的证书文件,我使用google chrome从给定站点下载了该文件。 我还尝试将其重命名为bjaux-ddns-net.pem,但是curl无法正常工作。 请注意,openssl s_client始终返回验证返回码0-Openssl s_client有效。 完全。 从那以后它一直有效。 只有curl命令才总是会遇到握手问题。
2 个解决方案
解决方案1
1 已采纳 2014-08-19 15:22:24
fritz!box上的服务器似乎仅支持两种密码:RC4-SHA和RC4-MD5。 虽然openssl s_client提供了这些密码,但是curl没有提供。 看来他们已明确删除了所有RC4密码,另请参见http://curl.haxx.se/mail/tracker-2014-03/0014.html 。
如果您在选项中明确添加--ciphers 'RC4-SHA' ,则连接将成功。
解决方案2
0 2014-08-18 23:10:34
取得此自签名证书:
-----BEGIN CERTIFICATE-----
MIIDuzCCAqOgAwIBAgIJANSTbhTXe9WfMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNV
BAMTDmJqYXV4LmRkbnMubmV0MB4XDTE0MDgxODE1NTQ0M1oXDTM4MDExNTE1NTQ0
M1owGTEXMBUGA1UEAxMOYmphdXguZGRucy5uZXQwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCy2fXZVUfe1znuSb5wXzrn3mhIk9a2e+iRBRO9v7mQ4rsO
FU1vyB0bP71r6vkCXUnV7fp5NqnsMw6lEIJxkpJl6CLA1lyP+E05SchYFHCAdo7N
/u3Rpa2Oc4OdDh457ZiEuVizOMXO2dgcKJhjC8i2JtbyITcRBRVrXXudlRdsAnTN
iTD65CLWVUOLHKrXKqxkdFZ7wJ0Xsdv4I5TTmocBb6LMd4yEgTYXT2vwz6wRAX1K
l1yhSlpXHqK+2WDfc42JDfYW4NvhbNTRf7dC/PrY9oI7RK1jxt9y8GrT1XuJL768
qjbrJ2JC8UkiCr9C6s02OIKIidfpybrYPtWDKkt5AgMBAAGjggEEMIIBADAdBgNV
HQ4EFgQUcsDrKlzjGvuMg25sGTdtBIMWGZ0wSQYDVR0jBEIwQIAUcsDrKlzjGvuM
g25sGTdtBIMWGZ2hHaQbMBkxFzAVBgNVBAMTDmJqYXV4LmRkbnMubmV0ggkA1JNu
FNd71Z8wDAYDVR0TBAUwAwEB/zCBhQYDVR0RAQH/BHsweYIOYmphdXguZGRucy5u
ZXSCHGp6OHl6bXJsaDVlcTN4b2YubXlmcml0ei5uZXSCEWZyaXR6LmZvbndsYW4u
Ym94gglmcml0ei5ib3iCDXd3dy5mcml0ei5ib3iCC215ZnJpdHouYm94gg93d3cu
bXlmcml0ei5ib3gwDQYJKoZIhvcNAQEFBQADggEBAJ5LA2+3Z2svWkOrWmJlw3kK
3Iz749HDak9gzYaLP0HB5ssHWJw6H20DEDlsJ4YO8RvSFW3TKnOSooYlFDBg7ips
orElIl9nTQwnS9djp2DOeOWpHAaCMyoUdksOVeF0e6QFo9KlKkAU8tEmzUqsQSQ2
p1mCFHx86pna8dlfG8hcMhW+aVp/i889rLRp7zjtwIYpY/pugpuFHK34PNheGVG7
Y2+bWnnaXVxVteFydbvpxsIUDaegkQoZYbE1AjHV1b7y/eSdX1LEvXOqPDu2jUzT
Y2i9Kr76R6EUKMXiYiBCCGc8pN7dskQl8m/xxXDA6z6+Zh8T32kRHcE0PeRN8Yc=
-----END CERTIFICATE-----
将其保存在名为bjaux-ddns-net.pem的文件中。 然后尝试:
openssl s_client -connect anotherserver.net:443 -CAfile bjaux-ddns-net.pem
您将获得一个Verify Result: 0 (ok) :
$ openssl s_client -connect ...
...
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 839AB358A322AB2ACC8E4182C184A86302B3FB219859EC6B9012861E0D000A20
Session-ID-ctx:
Master-Key: 1328DF3C0A3ECAE2F64539CE407874E8BD322E134DCECCDFB3936714458A1C65
4CB7D1903A326A6EA99EEE8356A03EDE
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1408403326
Timeout : 300 (sec)
Verify return code: 0 (ok)
握手失败虽然安装了根证书(PayPal升级 - g5证书 - openssl)
[英]Handshake failure although the root certificate is installed (PayPal upgrades - g5 certificate - openssl)
Symfony2和PayPal-cURL错误:14077410:SSL(sslv3警报握手失败)
[英]Symfony2 & PayPal - cURL error:14077410:SSL (sslv3 alert handshake failure)
PayPal IPN OPENSSL错误:14077410:SSL例程:SSL23_GET_SERVER_HELLO:sslv3警报握手失败
[英]PayPal IPN OPENSSL error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
php cURL错误:错误:14077410:SSL例程:SSL23_GET_SERVER_HELLO:sslv3警报握手失败
[英]Php cURL error:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Curl 错误:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure111
[英]Curl error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure111
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
CURL PHP握手失败SSL
在Ubuntu 10.04上使用最新OpenSSL的Opdate Curl
如何解决curl ssl v3警报握手失败?
握手失败虽然安装了根证书(PayPal升级 - g5证书 - openssl)
Symfony2和PayPal-cURL错误:14077410:SSL(sslv3警报握手失败)
PHP Soap握手失败
PayPal IPN OPENSSL错误:14077410:SSL例程:SSL23_GET_SERVER_HELLO:sslv3警报握手失败
php cURL错误:错误:14077410:SSL例程:SSL23_GET_SERVER_HELLO:sslv3警报握手失败
Curl 错误:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure111
MPESA SSL握手失败如何
相关标签