ubuntu - OpenSSL v1.1.1 Ubuntu 20 TLSv1 - 没有可用的协议
问题描述
在 Ubuntu 20.04 中,通过 VPN,我无法再访问使用 TLSv1 协议的服务器。
在 Ubuntu 18.04 中,它可以正常工作。
首先我通过 SNX 连接到 VPN,然后我使用访问服务器的程序。
我用 openssl 做了一些测试来突出这个问题。有可能解决这个问题吗?我相信我的问题可能与https://github.com/curl/curl/issues/4097上报告的相同。
我认为OpenSSL v1.1.1 ssl_choose_client_version 不受支持的协议与我的问题有关,但它不同,因为它没有“没有可用的协议”的问题。
当我使用 openssl 进行测试时,我收到错误“不支持的协议”,但是当我使用 openssl强制 TLSv1进行测试时,我收到错误“没有可用的协议”。
测试详情:
Ubuntu 18.04:
Package: openssl
-> Version: 1.1.1-1ubuntu2.1 ~ 18.04.5
openssl s_client -connect host: port
-> works - TLSv1 ("SSL-Session: Protocol: TLSv1.").
openssl s_client -connect host: port -tls1
-> works - TLSv1 ("SSL-Session: Protocol: TLSv1.").
openssl s_client -connect host: port -tls1_1
-> 139786161414592: error: 1425F102: SSL routines: ssl_choose_client_version: unsupported protocol: ../ ssl / statem / statem_lib.c: 1907:
openssl s_client -connect host: port -tls1_2
-> 139786161414592: error: 1425F102: SSL routines: ssl_choose_client_version: unsupported protocol: ../ ssl / statem / statem_lib.c: 1907:
Ubuntu 20.04:
Package: openssl
-> Version: 1.1.1f-1ubuntu2
openssl s_client -connect host: port
-> 140253162648896: error: 1425F102: SSL routines: ssl_choose_client_version: unsupported protocol: ../ ssl / statem / statem_lib.c: 1941:
openssl s_client -connect host: port -tls1
-> 139722831217984: error: 141E70BF: SSL routines: tls_construct_client_hello: no protocols available: ../ ssl / statem / statem_clnt.c: 1112:
openssl s_client -connect host: port -tls1_1
-> 139923839911232: error: 141E70BF: SSL routines: tls_construct_client_hello: no protocols available: ../ ssl / statem / statem_clnt.c: 1112:
openssl s_client -connect host: port -tls1_2
-> 139862992581952: error: 1425F102: SSL routines: ssl_choose_client_version: unsupported protocol: ../ ssl / statem / statem_lib.c: 1941:
Ubuntu 18.04 - 成功详细连接
my@machine: ~ $ openssl s_client -connect my.domain: 9023 -tls1
CONNECTED (00000005)
depth = 2 C = XX, O = XXXXXX, OU = ICP-XX, CN = AC XXXXX vX
verify error: num = 19: self signed certificate in certificate chain
---
Certificate chain
0 s: C = XX, ST = XX, L = XXXXXX, O = XXXXXXXX, OU = XXXXXXXXXXX XXXXX, CN = xxx.com
i: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
1 s: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
i: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
2 s: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
i: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
---
Server certificate
----- BEGIN CERTIFICATE -----
(...)
-----END CERTIFICATE-----
subject=X = XX, ST = XX, L = XXXXXX, O = XXXXXXX, OU = XXXXXXXX, CN = mydomain.com
issuer=C = XX, O = XXXXXXXXXX, OU = ICP-XX, CN = AC XXXXXXXXXXXXXXXXXXXXX
---
No client certificate CA names sent
---
SSL handshake has read 4604 bytes and written 449 bytes
Verification error: self signed certificate in certificate chain
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol: TLSv1
Cipher: AES256-SHA
Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Session-ID-ctx:
Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1588445847
Timeout: 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: no
---
Ubuntu 20.04 - 详细的不成功连接:
my@machine: ~ / Documents / $ openssl s_client -connect my.domain: 9023
CONNECTED (00000003)
139912319178048: error: 1425F102: SSL routines: ssl_choose_client_version: unsupported protocol: ../ ssl / statem / statem_lib.c: 1941:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 4545 bytes and written 309 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
my@machine: ~ / Documents / study $ openssl s_client -connect my.domain: 9023 -tls1
CONNECTED (00000003)
140581447836992: error: 141E70BF: SSL routines: tls_construct_client_hello: no protocols available: ../ ssl / statem / statem_clnt.c: 1112:
-
解决方案
我刚刚解决了我的问题 - https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
只需引用此链接:
您需要将其添加到配置文件的开头:
openssl_conf = default_conf
然后到最后:
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = ssl_default_sect
[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
对上述链接的评论说:
Note that if you prefer you can make changes to a local copy of the config file, and then ensure your process is started with the environment variable OPENSSL_CONF defined to point at the location of your config file:
export OPENSSL_CONF=/path/to/my/openssl.cnf
This way you can make changes without having to impact your entire system.
我使用了第二个选项“export OPENSSL_CONF=/path/to/my/openssl.cnf”,效果很好!
推荐阅读
- javascript - Javascript Mongoose - 保存后正确关闭
- react-native - 如何避免因更改主题而更新清除/轮廓按钮样式
- azure - 使用 OAuth 2.0 从 Azure B2C AD 访问用户数据
- html - 当文本区域值未与检查元素一起显示时插入 html 代码
- php - PHP - 对数组值执行函数
- python - 显微镜粒径
- git - 如何设置 VSTS 2013 以通过变基到主而不是合并来完成拉取请求?
- excel - 如果单元格包含某些文本,则创建 Outlook 约会
- imagemagick - ImageMagic convert 删除 exif 数据
- javascript - 我想通过输入标签为传单标记设置旋转值