仅 nginx 和 iOS 11 之间的 SSL 握手失败 (40)

Question

我有一个运行 NextCloud 的 nginx 1.10.3 服务器并从各种客户端访问它。 该证书由 Lets Encrypt 提供并使用 2048 位 RSA 密钥。

除了在 iPad 或 iPhone 上运行 iOS 11 的客户端之外，所有客户端都可以正常工作，包括 Web 浏览器。 工作浏览器是 MacOS 和 Linux 上的 Firefox 56，以及 MacOS Sierra 上的 Safari 11。 Linux 上的 NextCloud 客户端也可以正常工作。 在 iOS 上，GoodReader 作为 webdav 客户端访问 NextCloud 没有问题。 但是 Safari 不会访问它，声称它无法访问到服务器的安全连接。 iOS NextCloud 客户端在尝试连接时返回 SSL 错误（我认为它使用与 Safari 相同的库进行连接）。

当 iOS（Safari 或 NextCloud 应用程序）尝试连接但无法连接时，nginx 日志中的错误是：

SSL_do_handshake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking

我查看了 Web 服务器上的流量，这是 Firefox 的 Client Hello：

Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 512
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 508
        Version: TLS 1.2 (0x0303)
        Random
            GMT Unix Time: Aug  8, 2013 06:38:14.000000000 JST
            Random Bytes: eece37d08b453cedc932958165d0b6c530b31a321554c874...
        Session ID Length: 32
        Session ID: c7...
        Cipher Suites Length: 30
        Cipher Suites (15 suites)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
            Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: 405
        Extension: server_name
            Type: server_name (0x0000)
            Length: 30
            Server Name Indication extension
                Server Name list length: 28
                Server Name Type: host_name (0)
                Server Name length: 25
                Server Name: mydomain.com
        Extension: Extended Master Secret
            Type: Extended Master Secret (0x0017)
            Length: 0
        Extension: renegotiation_info
            Type: renegotiation_info (0xff01)
            Length: 1
            Renegotiation Info extension
                Renegotiation info extension length: 0
        Extension: elliptic_curves
            Type: elliptic_curves (0x000a)
            Length: 10
            Elliptic Curves Length: 8
            Elliptic curves (4 curves)
                Elliptic curve: ecdh_x25519 (0x001d)
                Elliptic curve: secp256r1 (0x0017)
                Elliptic curve: secp384r1 (0x0018)
                Elliptic curve: secp521r1 (0x0019)
        Extension: ec_point_formats
            Type: ec_point_formats (0x000b)
            Length: 2
            EC point formats Length: 1
            Elliptic curves point formats (1)
                EC point format: uncompressed (0)
        Extension: SessionTicket TLS
            Type: SessionTicket TLS (0x0023)
            Length: 208
            Data (208 bytes)
        Extension: Application Layer Protocol Negotiation
            Type: Application Layer Protocol Negotiation (0x0010)
            Length: 14
            ALPN Extension Length: 12
            ALPN Protocol
                ALPN string length: 2
                ALPN Next Protocol: h2
                ALPN string length: 8
                ALPN Next Protocol: http/1.1
        Extension: status_request
            Type: status_request (0x0005)
            Length: 5
            Certificate Status Type: OCSP (1)
            Responder ID list Length: 0
            Request Extensions Length: 0
        Extension: signature_algorithms
            Type: signature_algorithms (0x000d)
            Length: 24
            Signature Hash Algorithms Length: 22
            Signature Hash Algorithms (11 algorithms)
                Signature Hash Algorithm: 0x0403
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0503
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0603
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0804
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (4)
                Signature Hash Algorithm: 0x0805
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (5)
                Signature Hash Algorithm: 0x0806
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (6)
                Signature Hash Algorithm: 0x0401
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0501
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0601
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0203
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0201
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: RSA (1)
        Extension: Padding
            Type: Padding (0x0015)
            Length: 71
            Padding Data: 000000000000000000000000000000000000000000000000...

最终，为 Firefox 选择了TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)密码。

这是通过 Safari 为 iPad 提供的 Client Hello：

Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 239
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 235
        Version: TLS 1.2 (0x0303)
        Random
            GMT Unix Time: Jul 20, 2002 17:04:33.000000000 JST
            Random Bytes: 8f8602de9622cf56d70fa8d863a3c8d7154eb23ce19b625b...
        Session ID Length: 0
        Cipher Suites Length: 40
        Cipher Suites (20 suites)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: 154
        Extension: renegotiation_info
            Type: renegotiation_info (0xff01)
            Length: 1
            Renegotiation Info extension
                Renegotiation info extension length: 0
        Extension: server_name
            Type: server_name (0x0000)
            Length: 30
            Server Name Indication extension
                Server Name list length: 28
                Server Name Type: host_name (0)
                Server Name length: 25
                Server Name: mydomain.com
        Extension: Extended Master Secret
            Type: Extended Master Secret (0x0017)
            Length: 0
        Extension: signature_algorithms
            Type: signature_algorithms (0x000d)
            Length: 20
            Signature Hash Algorithms Length: 18
            Signature Hash Algorithms (9 algorithms)
                Signature Hash Algorithm: 0x0403
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0804
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (4)
                Signature Hash Algorithm: 0x0401
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0503
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0805
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (5)
                Signature Hash Algorithm: 0x0501
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0806
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (6)
                Signature Hash Algorithm: 0x0601
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0201
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: RSA (1)
        Extension: status_request
            Type: status_request (0x0005)
            Length: 5
            Certificate Status Type: OCSP (1)
            Responder ID list Length: 0
            Request Extensions Length: 0
        Extension: next_protocol_negotiation
            Type: next_protocol_negotiation (0x3374)
            Length: 0
        Extension: signed_certificate_timestamp
            Type: signed_certificate_timestamp (0x0012)
            Length: 0
            Data (0 bytes)
        Extension: Application Layer Protocol Negotiation
            Type: Application Layer Protocol Negotiation (0x0010)
            Length: 48
            ALPN Extension Length: 46
            ALPN Protocol
                ALPN string length: 2
                ALPN Next Protocol: h2
                ALPN string length: 5
                ALPN Next Protocol: h2-16
                ALPN string length: 5
                ALPN Next Protocol: h2-15
                ALPN string length: 5
                ALPN Next Protocol: h2-14
                ALPN string length: 8
                ALPN Next Protocol: spdy/3.1
                ALPN string length: 6
                ALPN Next Protocol: spdy/3
                ALPN string length: 8
                ALPN Next Protocol: http/1.1
        Extension: ec_point_formats
            Type: ec_point_formats (0x000b)
            Length: 2
            EC point formats Length: 1
            Elliptic curves point formats (1)
                EC point format: uncompressed (0)
        Extension: elliptic_curves
            Type: elliptic_curves (0x000a)
            Length: 8
            Elliptic Curves Length: 6
            Elliptic curves (3 curves)
                Elliptic curve: ecdh_x25519 (0x001d)
                Elliptic curve: secp256r1 (0x0017)
                Elliptic curve: secp384r1 (0x0018)

在网络流量中给 iOS 的响应是：

Secure Sockets Layer
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
    Content Type: Alert (21)
    Version: TLS 1.2 (0x0303)
    Length: 2
    Alert Message
        Level: Fatal (2)
        Description: Handshake Failure (40)

不幸的是，我不清楚握手中具体失败的原因，因为我无法找到任何更详细的信息。 服务器为 Firefox 选择的确切密码被列为 iOS 支持，但 SSL 握手不仅没有选择它，而且没有选择任何选项。

更奇怪的是，通过 SSL Labs 运行该网站，除了 A+ 评级外，还提供了以下 Safari 握手测试的结果：

Safari 6/iOS 6.0.1    RSA 2048 (SHA256)  TLS 1.2       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     ECDH secp521r1  FS
Safari 7/iOS 7.1      RSA 2048 (SHA256)  TLS 1.2       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     ECDH secp521r1  FS
Safari 7/OS X 10.9    RSA 2048 (SHA256)  TLS 1.2       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     ECDH secp521r1  FS
Safari 8/iOS 8.4      RSA 2048 (SHA256)  TLS 1.2       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     ECDH secp521r1  FS
Safari 8/OS X 10.10   RSA 2048 (SHA256)  TLS 1.2       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     ECDH secp521r1  FS
Safari 9/iOS 9        RSA 2048 (SHA256)  TLS 1.2 > h2  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  ECDH secp521r1  FS
Safari 9/OS X 10.11   RSA 2048 (SHA256)  TLS 1.2 > h2  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  ECDH secp521r1  FS
Safari 10/iOS 10      RSA 2048 (SHA256)  TLS 1.2 > h2  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  ECDH secp521r1  FS
Safari 10/OS X 10.12  RSA 2048 (SHA256)  TLS 1.2 > h2  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  ECDH secp521r1  FS

显然 SSL Lab 的 Safari 模型对我的服务器很满意，但 iOS 上的真正 Safari 则不然。

这是 nginx 服务器的 SSL 密码配置：

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:
  ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:
  ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:
  ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:
  ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:
  DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:
  DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:
  DHE-RSA-AES256-SHA256";

它是从这里拍摄的。 我还尝试了来自Mozilla SSL 配置生成器的配置。 “现代”配置文件是这样的：

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:
  ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:
  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:
  ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:
  ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

这给出了与握手失败相同的结果。

让 nginx 使用ssl_ciphers的默认值ssl_ciphers导致 iOS 连接到服务器。 但是，当我检查 TCP 转储时，我发现它选择了密码TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) ，它不提供前向保密当然，当服务器使用默认密码选择时，SSL Labs 也会给站点一个 A- 评级，由于某些浏览器选择没有前向保密的密码。 但即使在这种情况下，SSL Labs 的 Safari 10/iOS 10 握手测试给出了RSA 2048 (SHA256) TLS 1.2 > h2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp521r1 FS的结果，所以我对 iOS 有不同的RSA 2048 (SHA256) TLS 1.2 > h2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp521r1 FS 。

非常感谢解决这种奇怪情况的任何帮助。

Answer 1

我已经找到了问题的根源。 服务器被限制为只接受secp521r1用于椭圆曲线（ ssl_ecdh_curve设置）。 我不记得为什么它是这样设置的； 过去的一些向导告诉我这样做，我盲目地遵守了。

添加一条强度较低的附加曲线secp384r1 ，允许 iOS 成功握手并使用TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384通信。 ssl_ecdh_curve现在设置为secp521r1:secp384r1 。

我不确定 iOS 10 和 11 之间发生了什么变化导致这种情况。 通过深入研究OpenSSL 代码和一些进一步研究，我的最佳猜测是 iOS 11 正试图遵守Suite B 。 Suite B 将曲线限制为 P-256 和 P-384。 但这只是业余爱好者的猜测。