openssl stuck when using TLS 1.2 or lower

Question

I am trying to download from a site that enforces TLS 1.2 (files.pythonhosted.org), but I get stuck right after the handshake.

Here is what happens, using google.com as an example:

$ curl -vvv --tlsv1.2 --tls-max 1.2 --ipv4 https://google.com:443
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

From here on I cannot do anything, not even Ctrl+C.

If I use TLS 1.3, everything works:

$ curl -vvv --tlsv1.3 --tls-max 1.3 --ipv4 https://google.com:443
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.69.1
> Accept: */*
...

After digging a bit, I tried some commands I found online, but I am still stuck:

$ openssl s_client -connect files.pythonhosted.org:443  -showcerts
CONNECTED(00000004)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Fastly, Inc", CN = r.ssl.fastly.net
verify return:1

I am not comfortable with the TLS protocol at all, and I am working on a Yocto-based Linux build where I have hardly anything at hand. So it is hard for me to debug... Do you know what is going on here?

Thanks!

Edit 1

Here is the last command with more debug information. I get stuck at the end of this:

# openssl s_client -connect files.pythonhosted.org:443  -showcerts -debug -state
CONNECTED(00000004)
SSL_connect:before SSL initialization
write to 0x7cc6f70 [0x7cd57f0] (324 bytes => 324 (0x144))
0000 - 16 03 01 01 3f 01 00 01-3b 03 03 c0 0b d1 75 04   ....?...;.....u.
...                                  .r.-
SSL_connect:SSLv3/TLS write client hello
read from 0x7cc6f70 [0x7ccc553] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 45                                    ....E
read from 0x7cc6f70 [0x7ccc558] (69 bytes => 69 (0x45))
0000 - 02 00 00 41 03 03 12 a4-c6 8e 7a 35 64 94 31 18   ...A......z5d.1.
...
SSL_connect:SSLv3/TLS write client hello
read from 0x7cc6f70 [0x7ccc553] (5 bytes => 5 (0x5))
0000 - 16 03 03 0d e3                                    .....
read from 0x7cc6f70 [0x7ccc558] (3555 bytes => 3555 (0xDE3))
0000 - 0b 00 0d df 00 0d dc 00-09 47 30 82 09 43 30 82   .........G0..C0.
...
SSL_connect:SSLv3/TLS read server hello
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Fastly, Inc", CN = r.ssl.fastly.net
verify return:1
read from 0x7cc6f70 [0x7ccc553] (5 bytes => 5 (0x5))
0000 - 16 03 03 01 2c                                    ....,
read from 0x7cc6f70 [0x7ccc558] (300 bytes => 300 (0x12C))
0000 - 0c 00 01 28 03 00 1d 20-3b 9a 1d 4d ed f2 14 45   ...(... ;..M...E
...
SSL_connect:SSLv3/TLS read server certificate
read from 0x7cc6f70 [0x7ccc553] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 04                                    .....
read from 0x7cc6f70 [0x7ccc558] (4 bytes => 4 (0x4))
0000 - 0e 00 00 00                                       ....
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done

Edit 2

From what I understand of the debug trace above, the client does not even send the certificate key.

Tags: linux, curl, openssl, tls1.2
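An added example, not part of the question or of any answer: a small Python decoder for the TLS record and handshake headers in an `openssl s_client -debug` trace like the one in Edit 1, fed a constructed input made of the first dump line of each record quoted there. It shows what the bytes say about where the handshake stopped: the last record received is ServerHelloDone, the ServerKeyExchange names curve 0x001d (x25519) with a 32-byte public key, and the only record written by the client is the ClientHello, so the ClientKeyExchange that a TLS 1.2 client sends next is missing from the trace.

```python
import re
RECORD_TYPES = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
NAMED_CURVES = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001d: "x25519"}  # IANA group ids (subset)
HEX_LINE = re.compile(r"^\s*[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])+)")
# Constructed input from the question's trace: "write to" = sent by the client, "read from" = received.
TRACE = """\
write to 0x7cc6f70 [0x7cd57f0] (324 bytes => 324 (0x144))
0000 - 16 03 01 01 3f 01 00 01-3b 03 03 c0 0b d1 75 04   ....?...;.....u.
read from 0x7cc6f70 [0x7ccc553] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 45                                    ....E
0000 - 02 00 00 41 03 03 12 a4-c6 8e 7a 35 64 94 31 18   ...A......z5d.1.
0000 - 16 03 03 0d e3                                    .....
0000 - 0b 00 0d df 00 0d dc 00-09 47 30 82 09 43 30 82   .........G0..C0.
0000 - 16 03 03 01 2c                                    ....,
0000 - 0c 00 01 28 03 00 1d 20-3b 9a 1d 4d ed f2 14 45   ...(... ;..M...E
0000 - 16 03 03 00 04                                    .....
0000 - 0e 00 00 00                                       ....
"""
def dump_bytes(line):
    """Bytes from one `0000 - 16 03 03 00 45   ....E` dump line, else b''."""
    m = HEX_LINE.match(line)
    return bytes.fromhex(m.group(1).replace("-", " ")) if m else b""

def decode_handshake(b, sender):
    """Handshake header: 1-byte type + 24-bit length; an ECDHE ServerKeyExchange body then starts with curve_type, named_curve, pubkey_len."""
    msg = {"from": sender, "msg": HANDSHAKE_TYPES.get(b[0], f"type {b[0]}"),
           "len": int.from_bytes(b[1:4], "big")}
    if b[0] == 12 and len(b) >= 8 and b[4] == 3:           # curve_type 3 = named_curve
        msg["curve"] = NAMED_CURVES.get(int.from_bytes(b[5:7], "big"), "unknown")
        msg["pubkey_len"] = b[7]
    return msg

def decode_trace(trace):
    """Return the handshake messages of an `s_client -debug` trace in wire order."""
    msgs, sender, header = [], "?", None
    for line in trace.splitlines():
        if line.startswith(("write to", "read from")):
            sender = "client" if line.startswith("write") else "server"
        if not (b := dump_bytes(line)): continue
        if header is None:                                 # 5-byte record header:
            if b[0] not in RECORD_TYPES: continue          # type, version, length
            header = {"rec": RECORD_TYPES[b[0]], "ver": f"{b[1]}.{b[2]}",
                      "rlen": int.from_bytes(b[3:5], "big")}
            b = b[5:]                                      # payload may share the line
            if not b: continue
        if header["rec"] == "Handshake":
            msgs.append({**header, **decode_handshake(b, sender)})
        header = None
    return msgs
```

Only the leading bytes shown in the question are decoded; the rest of each record (for example the signature in the ServerKeyExchange) is behind the `...` and is not parsed.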
