SSL23_GET_SERVER_HELLO:tlsv1 警告内部错误
SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
目前 运行 遇到类似问题,但 none 的解决方案有帮助
我无权访问服务器配置,因为这只是一个普通的 Cloudfront+S3 设置。
root@xxx:~# openssl s_client -connect tracking.kairion.de:443 -servername tracking.kairion.de
CONNECTED(00000003)
140336648943272:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 318 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1480860654
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Curl 返回类似错误
root@xxx:~# curl 'https://tracking.kairion.de/kairion.gif' -v
* Hostname was NOT found in DNS cache
* Trying 2400:cb00:2048:1::6818:72f8...
* Connected to tracking.kairion.de (2400:cb00:2048:1::6818:72f8) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
错误可在至少两台服务器上重现:
openssl 1.0.1t-1+deb8u5 (jessie)
openssl 1.0.1t-1+deb7u1 (wheezy)
但适用于
openssl 1.0.2j-1 (stretch)
有趣的是,有时它可能会工作一个小时,然后会失败一个小时。
今天发现问题,与cloudflare有关。
由于我为此子域禁用了 cloudflare,因此它可以正常工作。
似乎 cloudflare 有时从 cloudfront 返回正确的 CNAME,有时返回 cloudflare IP。只要它直接返回 cloudfront,SSL 就可以工作,当它返回 cloudflare IP 时,SSL 就会失败。
目前 运行 遇到类似问题,但 none 的解决方案有帮助
我无权访问服务器配置,因为这只是一个普通的 Cloudfront+S3 设置。
root@xxx:~# openssl s_client -connect tracking.kairion.de:443 -servername tracking.kairion.de
CONNECTED(00000003)
140336648943272:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 318 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1480860654
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Curl 返回类似错误
root@xxx:~# curl 'https://tracking.kairion.de/kairion.gif' -v
* Hostname was NOT found in DNS cache
* Trying 2400:cb00:2048:1::6818:72f8...
* Connected to tracking.kairion.de (2400:cb00:2048:1::6818:72f8) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
错误可在至少两台服务器上重现:
openssl 1.0.1t-1+deb8u5 (jessie)
openssl 1.0.1t-1+deb7u1 (wheezy)
但适用于
openssl 1.0.2j-1 (stretch)
有趣的是,有时它可能会工作一个小时,然后会失败一个小时。
今天发现问题,与cloudflare有关。
由于我为此子域禁用了 cloudflare,因此它可以正常工作。
似乎 cloudflare 有时从 cloudfront 返回正确的 CNAME,有时返回 cloudflare IP。只要它直接返回 cloudfront,SSL 就可以工作,当它返回 cloudflare IP 时,SSL 就会失败。