linux - openssl hangs when using TLS 1.2 or lower
Problem description
I am trying to download from a site that enforces TLS 1.2 (files.pythonhosted.org), but I get stuck right after the handshake.
Here is what happens, using google.com as an example:
$ curl -vvv --tlsv1.2 --tls-max 1.2 --ipv4 https://google.com:443
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
From here on I can't do anything, not even CTRL+C works.
If I use TLS 1.3, everything works fine:
$ curl -vvv --tlsv1.3 --tls-max 1.3 --ipv4 https://google.com:443
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.69.1
> Accept: */*
...
After digging around a bit, I tried some commands I found online, but I'm still stuck:
$ openssl s_client -connect files.pythonhosted.org:443 -showcerts
CONNECTED(00000004)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Fastly, Inc", CN = r.ssl.fastly.net
verify return:1
I'm not at all comfortable with the TLS protocol, and I'm working on a Yocto-based Linux build that I have no real handle on, so this is hard for me to debug... Do you have any idea what is going on here?
Thanks!
Edit 1
Here is the last command again with more debug information. This is where I end up stuck:
# openssl s_client -connect files.pythonhosted.org:443 -showcerts -debug -state
CONNECTED(00000004)
SSL_connect:before SSL initialization
write to 0x7cc6f70 [0x7cd57f0] (324 bytes => 324 (0x144))
0000 - 16 03 01 01 3f 01 00 01-3b 03 03 c0 0b d1 75 04 ....?...;.....u.
... .r.-
SSL_connect:SSLv3/TLS write client hello
read from 0x7cc6f70 [0x7ccc553] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 45 ....E
read from 0x7cc6f70 [0x7ccc558] (69 bytes => 69 (0x45))
0000 - 02 00 00 41 03 03 12 a4-c6 8e 7a 35 64 94 31 18 ...A......z5d.1.
...
SSL_connect:SSLv3/TLS write client hello
read from 0x7cc6f70 [0x7ccc553] (5 bytes => 5 (0x5))
0000 - 16 03 03 0d e3 .....
read from 0x7cc6f70 [0x7ccc558] (3555 bytes => 3555 (0xDE3))
0000 - 0b 00 0d df 00 0d dc 00-09 47 30 82 09 43 30 82 .........G0..C0.
...
SSL_connect:SSLv3/TLS read server hello
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Fastly, Inc", CN = r.ssl.fastly.net
verify return:1
read from 0x7cc6f70 [0x7ccc553] (5 bytes => 5 (0x5))
0000 - 16 03 03 01 2c ....,
read from 0x7cc6f70 [0x7ccc558] (300 bytes => 300 (0x12C))
0000 - 0c 00 01 28 03 00 1d 20-3b 9a 1d 4d ed f2 14 45 ...(... ;..M...E
...
SSL_connect:SSLv3/TLS read server certificate
read from 0x7cc6f70 [0x7ccc553] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 04 .....
read from 0x7cc6f70 [0x7ccc558] (4 bytes => 4 (0x4))
0000 - 0e 00 00 00 ....
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done
Edit 2
From what I understand of the debug trace above, the client doesn't even send the certificate key.
Solution
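To make the `-debug` trace above easier to read, here is an added example (my own code, not part of the question or of any answer) that decodes the TLS record and handshake headers the dump shows and reports how far the server got. The record headers (`16 03 03 …`), the handshake headers (`02 00 00 41`, `0b 00 0d df`, `0c 00 01 28 03 00 1d 20`, `0e 00 00 00`) and the first bytes of each message are taken from the trace; everything the post elides (the rest of the random, the cipher suite, the certificate bodies, the second certificate length, the signature) is constructed filler of the right length and is marked as such in the comments. The parser assumes each handshake message fits in one record, which is what the trace shows.

```python
"""Decode a TLS 1.2 server handshake flight from openssl s_client -debug output.

Added example; the server flight is rebuilt from the headers in the trace with
constructed filler for the bytes the post does not show."""
import struct
from typing import Iterator, Tuple

CONTENT_HANDSHAKE = 0x16
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
# Named-curve identifiers from RFC 8422
NAMED_CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519", 30: "x448"}


def build_server_flight() -> bytes:
    """ServerHello, Certificate, ServerKeyExchange, ServerHelloDone as in the trace."""
    # ServerHello: header + version 0303 + first 10 random bytes are from the trace
    hello = bytes.fromhex("02000041" "0303" "12a4c68e7a3564943118") + bytes(22)
    hello += b"\x00"                    # session_id length 0 (constructed)
    hello += b"\xc0\x2f"                # cipher suite (constructed; elided in the post)
    hello += b"\x00"                    # null compression (constructed)
    hello += b"\x00\x19" + bytes(25)    # 25 bytes of extensions filler (constructed)
    rec_hello = bytes.fromhex("1603030045") + hello        # 0x45 = 69 bytes, as in the trace

    # Certificate: list length 0x0ddc and first cert length 0x0947 are from the trace;
    # the second certificate length (0x048f) is constructed so the lengths add up.
    cert = bytes.fromhex("0b000ddf" "000ddc" "000947") + bytes(2375)
    cert += bytes.fromhex("00048f") + bytes(1167)
    rec_cert = bytes.fromhex("1603030de3") + cert          # 0xde3 = 3555 bytes

    # ServerKeyExchange: curve_type 03 (named_curve), curve 0x001d, pubkey len 0x20 from the trace
    ske = bytes.fromhex("0c000128" "03001d20") + bytes(32)
    ske += b"\x08\x04" + b"\x01\x00" + bytes(256)          # sig alg + 256-byte signature (constructed)
    rec_ske = bytes.fromhex("160303012c") + ske            # 0x12c = 300 bytes

    rec_done = bytes.fromhex("1603030004" "0e000000")      # ServerHelloDone, from the trace
    return rec_hello + rec_cert + rec_ske + rec_done


def iter_records(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (content_type, version, payload) for each 5-byte-header TLS record."""
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield ctype, ver, body
        off += 5 + length


def iter_handshake_messages(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (handshake_type, body) for each 4-byte-header handshake message."""
    off = 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("truncated handshake header")
        hs_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        yield hs_type, body
        off += 4 + length


def summarize_flight(data: bytes) -> dict:
    """Report which server messages arrived and what the client has to send next."""
    s = {"messages": [], "version": None, "cipher_suite": None,
         "named_curve": None, "cert_lengths": [], "next_expected": None}
    for ctype, _ver, payload in iter_records(data):
        if ctype != CONTENT_HANDSHAKE:
            s["messages"].append(f"non-handshake record 0x{ctype:02x}")
            continue
        for hs_type, body in iter_handshake_messages(payload):
            s["messages"].append(HANDSHAKE_TYPES.get(hs_type, f"type {hs_type}"))
            if hs_type == 2:                         # ServerHello: version, random, sid, suite
                s["version"] = "TLS 1.2" if body[:2] == b"\x03\x03" else body[:2].hex()
                sid_len = body[34]
                s["cipher_suite"] = body[35 + sid_len:37 + sid_len].hex()
            elif hs_type == 11:                      # Certificate: walk the length-prefixed list
                total, off = int.from_bytes(body[:3], "big"), 3
                while off < 3 + total:
                    clen = int.from_bytes(body[off:off + 3], "big")
                    s["cert_lengths"].append(clen)
                    off += 3 + clen
            elif hs_type == 12 and body[0] == 3:     # ServerKeyExchange with a named curve
                s["named_curve"] = NAMED_CURVES.get(int.from_bytes(body[1:3], "big"), "unknown")
            elif hs_type == 14:                      # ServerHelloDone: the ball is in the client's court
                s["next_expected"] = "ClientKeyExchange (client must generate an ECDHE key on the named curve)"
    return s


if __name__ == "__main__":
    for k, v in summarize_flight(build_server_flight()).items():
        print(f"{k}: {v}")
```

Run as-is, the summary shows the server completed its flight (ServerHello, Certificate, ServerKeyExchange on x25519, ServerHelloDone) and that the next message on the wire must come from the client: a ClientKeyExchange carrying a freshly generated ECDHE public key. That matches the point where the trace stops, so whatever is blocking sits on the client side, in the step that generates that key, rather than in the network exchange itself.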