ssl - Openssl:我在 1.0.2 和 1.1.1 中使用相同的 TLS 和 CipherSuite,但它们的行为不同
问题描述
openssl s_client 出现以下错误。
# /usr/local/ssl102u/bin/openssl s_client -connect www.fujitsu.com:443 -cipher ECDHE-ECDSA-AES256-GCM-SHA384 -tls1_2
CONNECTED(00000003)
140636402054832:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1498:SSL alert number 80
140636402054832:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
我尝试将 Openssl 的版本从 1.0.2u 更新到 1.1.1j。然后错误消失,连接成功。
# /usr/local/ssl111j/bin/openssl s_client -connect www.fujitsu.com:443 -cipher ECDHE-ECDSA-AES256-GCM-SHA384 -tls1_2
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert ECC Extended Validation Server CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 businessCategory = Private Organization, jurisdictionC = JP, serialNumber = 020001071491, C = JP, ST = Tokyo, L = Minato-Ku, O = FUJITSU LIMITED, CN = www.fujitsu.com
verify return:1
---
Certificate chain
...
...
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2909 bytes and written 292 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES256-GCM-SHA384
...
...
Extended master secret: no
---
我已经确认两个 openssl 都支持 TLS v1.2 的 CDHE-ECDSA-AES256-GCM-SHA384。
# /usr/local/ssl102u/bin/openssl ciphers -v | grep ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
#
#/usr/local/ssl111j/bin/openssl ciphers -v | grep ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
当 TLS 和 CipherSuite 相同时,为什么行为会有所不同?不幸的是,我无法在服务器端调试它,所以我只知道这些。
用于重现事件的 Dockerfile 如下。
FROM centos:7
RUN yum -y install perl wget gcc make perl-IPC-Cmd perl-Data-Dumper
RUN cd /usr/local/src && \
wget https://www.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz && \
tar zxvf openssl-1.0.2u.tar.gz && rm -f openssl-1.0.2u.tar.gz && cd openssl-1.0.2u && \
./config --prefix=/usr/local/ssl102u shared && make depend && make && make install && make clean
RUN cd /usr/local/src && \
wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1j.tar.gz && \
tar zxvf openssl-1.1.1j.tar.gz && rm -f openssl-1.1.1j.tar.gz && cd openssl-1.1.1j && \
./config --prefix=/usr/local/ssl111j shared && make depend && make && make install && make clean
RUN cd /usr/local/src && \
wget https://www.openssl.org/source/old/3.0/openssl-3.0.0-alpha16.tar.gz && \
tar zxvf openssl-3.0.0-alpha16.tar.gz && rm -f openssl-3.0.0-alpha16.tar.gz && cd openssl-3.0.0-alpha16 && \
./config --prefix=/usr/local/ssl300a16 shared && make depend && make && make install && make clean
RUN echo /usr/local/ssl102u/lib >> /etc/ld.so.conf.d/local.conf && \
echo /usr/local/ssl111j/lib >> /etc/ld.so.conf.d/local.conf && \
echo /usr/local/ssl300a16/lib >> /etc/ld.so.conf.d/local.conf && \
ldconfig
解决方案
推荐阅读
- python - 一个好的实践python装饰器
- python - Celery - 如果组任务失败则继续回调(有效记录任务失败)
- c# - 使用 ApplicationUserManager 创建 ASP.NET MVC 用户会引发 DbContext 已处理错误
- xpath - 如何进行网络抓取以获取我只有谷歌电子表格的产品价格?动态查询
- loops - 使用 with_items 在同一循环中的 Ansible 循环
- node.js - 使用 Node JS 脚本对 MongoDb 进行多线程 100 万次插入
- java - JPA 多对多和单向删除
- r - 在 R 中为 NMDS 转换数据的快速方法?
- javascript - 将 className 设置为映射元素中的特定状态
- rust - 多次借用 mutable