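ssl - Finding the missing TLS cipher
Problem description
I run gitea behind a traefik proxy. Everything works fine except git push/pull to this git server. The http web frontend works fine as well.
As soon as I want to clone a repository, I get a gnutls_handshake() error. However, if I change the ciphers or switch to TLS 1.1, I have no problem. How can I find out which cipher the git client (version 2.30.2) wants to use?
OpenSSL version on the client (Debian bullseye): OpenSSL 1.1.1k 25 Mar 2021
traefik uses the following ciphers: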
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      preferServerCipherSuites: true
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true
Output of gnutls-cli-debug:
gnutls-cli-debug git.server.de
GnuTLS debug client 3.7.1
Checking git.server.de:443
whether the server accepts default record size (512 bytes)... yes
whether %ALLOW_SMALL_RECORDS is required... no
whether we need to disable TLS 1.2... no
whether we need to disable TLS 1.1... no
whether we need to disable TLS 1.0... no
whether %NO_EXTENSIONS is required... no
for TLS 1.0 (RFC2246) support... no
for TLS 1.0 (RFC2246) support with TLS 1.0 record version... no
for TLS 1.1 (RFC4346) support... no
fallback from TLS 1.1 to... failed
for TLS 1.2 (RFC5246) support... yes
for TLS 1.3 (RFC8446) support... no
for known TLS or SSL protocols support... yes
TLS1.2 neg fallback from TLS 1.6 to... failed (server requires fallback dance)
for HTTPS server name... unknown
for certificate chain order... sorted
for safe renegotiation (RFC5746) support... yes
for encrypt-then-MAC (RFC7366) support... no
for ext master secret (RFC7627) support... no
for heartbeat (RFC6520) support... no
for version rollback bug in RSA PMS... yes
whether the server ignores the RSA PMS version... yes
whether small records (512 bytes) are tolerated on handshake... yes
whether cipher suites not in SSL 3.0 spec are accepted... yes
whether a bogus TLS record version in the client hello is accepted... yes
whether the server understands TLS closure alerts... yes
whether the server supports session resumption... yes
for anonymous authentication support... no
for RSA key exchange support... no
for ephemeral Diffie-Hellman support... no
for RFC7919 Diffie-Hellman support... no
for ephemeral EC Diffie-Hellman support... yes
for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support... no
for curve SECP256r1 (RFC4492)... no
for curve SECP384r1 (RFC4492)... yes
for curve SECP521r1 (RFC4492)... yes
for curve X25519 (RFC8422)... no
for AES-GCM cipher (RFC5288) support... yes
for AES-CCM cipher (RFC6655) support... no
for AES-CCM-8 cipher (RFC6655) support... no
for AES-CBC cipher (RFC3268) support... no
for CAMELLIA-GCM cipher (RFC6367) support... no
for CAMELLIA-CBC cipher (RFC5932) support... no
for 3DES-CBC cipher (RFC2246) support... no
for ARCFOUR 128 cipher (RFC2246) support... no
for CHACHA20-POLY1305 cipher (RFC7905) support... yes
for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... no
for MD5 MAC support... no
for SHA1 MAC support... no
for SHA256 MAC support... no
for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... no
for max record size (RFC6066) support... no
for OCSP status response (RFC6066) support... no
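
Added example, not part of the original question: a small Python parser for the gnutls-cli-debug output above that extracts which curves, ciphers and TLS versions the server accepted and intersects them with what a client offers. The function names and the client offer lists are assumptions (constructed for illustration); the sample lines are copied from the output above.

```python
import re

# Sample lines copied from the gnutls-cli-debug output above.
SAMPLE = """\
for TLS 1.1 (RFC4346) support... no
for TLS 1.2 (RFC5246) support... yes
for TLS 1.3 (RFC8446) support... no
for ephemeral EC Diffie-Hellman support... yes
for curve SECP256r1 (RFC4492)... no
for curve SECP384r1 (RFC4492)... yes
for curve SECP521r1 (RFC4492)... yes
for curve X25519 (RFC8422)... no
for AES-GCM cipher (RFC5288) support... yes
for AES-CBC cipher (RFC3268) support... no
for CHACHA20-POLY1305 cipher (RFC7905) support... yes
"""

# "for <what>[ support]... yes|no"
LINE = re.compile(r"^for (?P<what>.+?)(?: support)?\.\.\. (?P<result>yes|no)$")
KINDS = (
    ("curves", re.compile(r"^curve (\S+)")),
    ("ciphers", re.compile(r"^(\S+(?: \d+)?) cipher\b")),
    ("versions", re.compile(r"^(TLS \d\.\d) \(RFC\d+\)$")),
)

def parse_probe(text):
    """Return {kind: {name: accepted}} for curve, cipher and version probe lines."""
    found = {kind: {} for kind, _ in KINDS}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # "whether ..." checks and fallback results are not needed here
        for kind, pattern in KINDS:
            hit = pattern.match(m["what"])
            if hit:
                found[kind][hit.group(1)] = m["result"] == "yes"
                break
    return found

def usable(found, kind, client_offer):
    """Names the server accepted that the client also offers, in client order."""
    accepted = {name for name, ok in found[kind].items() if ok}
    return [name for name in client_offer if name in accepted]

if __name__ == "__main__":
    probe = parse_probe(SAMPLE)
    # Hypothetical client offers (constructed): replace with the client's real list.
    for offer in (["X25519", "SECP256r1"], ["X25519", "SECP384r1"]):
        # An empty list means client and server share no curve of this kind.
        print(offer, "->", usable(probe, "curves", offer))
```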