SSL certificates and elinks
I sometimes use elinks to browse the web, but some https sites fail to load with an SSL error.
One example is https://www.rust-lang.org, which does not load in elinks but works fine in other browsers such as chromium and firefox.
Checking the https://www.rust-lang.org certificate from the command line gives very short output:
$ echo | openssl s_client -connect www.rust-lang.org:443 2>/dev/null
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 297 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1459658221
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
For comparison, the output for google is:
$ echo | openssl s_client -connect www.google.com:443 2>/dev/null
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIF8zP738syB4wDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwMzIzMTk0MTQ0WhcNMTYwNjE1MTkyMDAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoxzls
wT/PC9gErDAme+LX9PAdv8270+BHCaNe/YxZE093ryPQq5PPKHsBNSzNvHwNfWuv
H3z/CBvaIiFgBimSm3cWOvjXipqTL5sHGkLr/RNAxmwo2dUKZ0LBUCXB4YvXkMb0
lI3XpgZk1CUzE7jj3HDgA+IOpT8JgbmKH19Z7+lwBzaunztBk8YM/LKrb9XtDzYW
diPkBwm0xx2dj2jCrj49Hvug9qAGQ5Zx8YuNrwR5qYXW/8aVB6MJ8r/ZLKzU39k3
nvp5ZylyGklJAuGneCblChzpR18ab8k2B/26qgCv7T4MLoAGRTbvTrZ0HxTj8aie
yI0+jZjRQjBeYwGPAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBQKfpRDWX9xAx1/4SBXfKJdHrqPHjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAiwUNf4uVHi1f8u1m
nd2vEHlOIQkNFLeuj9RPQfsFPL7fX/UzE5HbLzp1y4ICnRuCONKhz08YZ56pQ09A
+MfzIm0/e3yytHRf5f+YWATKkGtEh3pJdkOJM2UYIFFDs382a+bau7dTVyZFgMyS
m2Wlhw/zCLBgIebkSwsrrJAftwKu2AjvG6XJCUd08MSEe6UVF15COudEdVkKoDWR
ZmITWRFSFAeeJ5dKAzRojKVgGYV8tw6ByVKSizl5WS+hrXdD4IHkProKEFbSQgIv
Eyv87d8W8yscamZDU6Da+Djjxf07LkE3qDtd/RQY+IMm4V17ko6WfaV7ibionAA5
uAnzkw==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3727 bytes and written 423 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: BBBB89FD38DF58981900A70A2F92A01E57888CF80B71AE19DE5F92EDE389D7FE
Session-ID-ctx:
Master-Key: 80B4C5C3F81C7AFDAA226BB0285E9F9088737151CCB4EA742328C727363F9663997E68D757CB73B79EF8E3C90B622E12
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - ee 03 90 3e 12 a6 14 ba-f9 db 39 f7 6f 3c bf 58 ...>......9.o<.X
0010 - 32 5d 0a 6f 08 cf 17 f9-16 49 91 c3 4f 99 50 01 2].o.....I..O.P.
0020 - 6a 90 47 0a 7d 62 5e b8-26 ef 21 9f f3 df a9 35 j.G.}b^.&.!....5
0030 - 17 90 53 cf 6a 1e d8 e7-ef d9 7a fc ea 80 c0 74 ..S.j.....z....t
0040 - c2 ee ba e4 5c ef 04 38-45 58 75 f6 7f f4 cd 78 ....\..8EXu....x
0050 - eb 31 5d be c2 c9 bb cd-dc c1 13 cc 81 84 48 39 .1]...........H9
0060 - 12 52 43 ae c6 24 1b 6e-85 7f 23 90 ff 80 9c 11 .RC..$.n..#.....
0070 - 49 e2 b4 c1 bf 32 08 e5-c4 55 84 de 46 77 d0 a1 I....2...U..Fw..
0080 - 92 7b 7c 1b 54 a1 49 c2-b0 d7 b9 f8 65 d2 1d 19 .{|.T.I.....e...
0090 - 2d 8e 5a 66 72 6c c8 50-7c d7 aa b8 58 28 7c 7d -.Zfrl.P|...X(|}
00a0 - 4c 64 1a 85 Ld..
Start Time: 1459659110
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
Why do chromium and firefox get the correct certificate while elinks does not, and is there a way to read these sites in elinks?
You need to use Server Name Indication (SNI) to successfully access www.rust-lang.org. With openssl s_client this can be done by adding the -servername parameter:
$ openssl s_client -connect www.rust-lang.org:443 \
-servername www.rust-lang.org
...
subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.rust-lang.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
All modern browsers support SNI, and it is heavily used on the Internet. For example, all Cloudflare Free SSL requires SNI. My guess is that the elinks version you are using does not support SNI yet. I found a related bug report from 09/2015 against elinks 0.12pre6. Given that this version is still the newest version and that it looks like development of elinks stopped in 2012, my guess is that the problem is still unresolved.
The latest git version of elinks seems to fix all of these issues.
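To make the answer's point concrete at the wire level, here is an added example (not from the question, the answer, or the elinks project) that builds a minimal TLS 1.2 ClientHello with and without the server_name extension, parses the SNI host name back out of a ClientHello as it would appear in a capture, and decodes a bare TLS alert record. The "SSL handshake has read 7 bytes" line in the question's first transcript is exactly the size of one alert record (a 5-byte record header plus a 2-byte level/description), which is what a server that cannot pick a certificate without SNI tends to send back. The sample alert bytes below are constructed, with handshake_failure chosen purely as an illustration; the transcript does not show which alert www.rust-lang.org actually sent. The zero "random" field, the cipher-suite list, and all function and constant names are my own choices for inspection only.

```python
"""Build and inspect TLS ClientHello records to see what SNI looks like on the wire."""
import struct

TLS_HANDSHAKE = 0x16          # record content type: handshake
TLS_ALERT = 0x15              # record content type: alert
HS_CLIENT_HELLO = 0x01        # handshake message type: client_hello
EXT_SERVER_NAME = 0x0000      # extension type: server_name (RFC 6066)
SNI_HOST_NAME = 0x00          # name_type: host_name

# A few alert descriptions from RFC 5246 / RFC 6066; others decode as alert(N).
ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    70: "protocol_version",
    80: "internal_error",
    112: "unrecognized_name",
}


def build_client_hello(server_name=None, cipher_suites=(0xC02F, 0x002F)):
    """Return one TLS handshake record carrying a minimal TLS 1.2 ClientHello.

    With server_name=None no extensions block is emitted at all, which is
    what an SNI-unaware client such as an old elinks build sends.
    """
    body = b"\x03\x03"                       # client_version: TLS 1.2
    body += b"\x00" * 32                     # random: zeros (constructed; never use for a real session)
    body += b"\x00"                          # session_id: empty
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                      # compression_methods: one entry, null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # Record-layer version 3.1 is the conventional legacy value in a ClientHello.
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None if absent."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                              # skip version + random
    pos += 1 + body[pos]                                      # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # skip cipher_suites
    pos += 1 + body[pos]                                      # skip compression_methods
    if pos >= len(body):
        return None                                           # no extensions block: no SNI
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            if ntype == SNI_HOST_NAME:
                return data[q:q + nlen].decode("ascii")
            q += nlen
    return None


def decode_alert(record):
    """Decode a bare TLS alert record (7 bytes: 5-byte header, level, description)."""
    if len(record) != 7 or record[0] != TLS_ALERT:
        raise ValueError("not a single TLS alert record")
    level, desc = record[5], record[6]
    return ("fatal" if level == 2 else "warning", ALERT_DESCRIPTIONS.get(desc, f"alert({desc})"))


if __name__ == "__main__":
    print("with SNI:   ", extract_sni(build_client_hello("www.rust-lang.org")))
    print("without SNI:", extract_sni(build_client_hello()))
    # Constructed 7-byte alert: fatal (2) handshake_failure (40).
    print("alert:      ", decode_alert(b"\x15\x03\x03\x00\x02\x02\x28"))
```

The same switch exists in Python's own ssl module: SSLContext.wrap_socket(sock, server_hostname="www.rust-lang.org") sends the server_name extension, and leaving server_hostname out sends no SNI, reproducing the failing elinks behaviour against a host that needs it. To check a capture rather than your own client, feed the first record of the client's TLS stream to extract_sni; None means the client never told the server which name it wanted.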