通过相互 SSL 连接无法读取传入的 changeCipherSpec
Connecting via mutual SSL fails reading incoming changeCipherSpec
我们需要使用双向 SSL 连接到服务器,但由于某种原因,我们在尝试发出请求时遇到以下错误:
[...]
readIncomingTls_changeCipherSpec2:
processTlsRecord:
processAlert:
TlsAlert:
level: fatal
descrip: handshake failure
--TlsAlert
--processAlert
--processTlsRecord
--readIncomingTls_changeCipherSpec2
Failed to read incoming handshake messages. (3)
Client handshake failed. (3)
Failed to connect.
[...]
私钥和 CSR 由我们提出,证书由我们正在连接的人return提供给我们。
将密钥和证书组合到一个 pem 文件中,并像这样添加到请求中,在其他脚本中使用它们各自的密钥证书和目标没有问题:
var Gateway = new ActiveXObject("Chilkat.Http");
Gateway.UnlockComponent("redacted");
var pemSuccess = Gateway.SetSslClientCertPem(Server.MapPath(certPath), "");
Gateway.ConnectTimeout = 10;
Gateway.ReadTimeout = 10;
然而,在这种情况下,不仅 pemSuccess returning 为 0,而且我注意到更改它或完全删除该行不会改变错误,这表明它在此之前中断了吗?
不幸的是,我对这个过程的了解有限,我不确定如何解决这个问题。
一些谷歌搜索导致 chilkat 支持页面建议更新 DLL 并确保 .pem 使用正确的密钥和证书,但这些都是它们应该的。
编辑 08/06/2015:
更改 -----BEGIN CERTIFICATE----- 的格式
header/footer 到——-开始证书——-
已允许 SetSslClientCertPem 为 return true,但除此之外没有更改 LastErrorText...
完整的 LastErrorText:
SynchronousRequest:
DllDate: Dec 12 2012
UnlockPrefix: [redacted]
Username: [redacted]
Architecture: Little Endian; 32-bit
Language: ActiveX
VerboseLogging: 0
domain: [redacted]
port: 9000
ssl: 1
RequestData:
HttpVersion: 1.1
Verb: POST
Path: [redacted]
Charset: utf-8
SendCharset: 0
MimeHeader: SOAPAction:
Content-Type: text/xml
--RequestData
ReadTimeout: 10
ConnectTimeout: 10
httpConnect:
hostname: [redacted]
port: 9000
ssl: 1
Need to establish connection to the HTTP server...
ConnectTimeoutMs_1: 10000
calling ConnectSocket2
IPV6 enabled connect with NO heartbeat.
connectingTo: [redacted]
resolveHostname1:
dnsCacheLookup: [redacted]
dnsCacheHit: [redacted]
--resolveHostname1
GetHostByNameHB_ipv4: Elapsed time: 0 millisec
myIP_1: [redacted]
myPort_1: [redacted]
connect successful (1)
clientHelloMajorMinorVersion: 3.1
buildClientHello:
majorVersion: 3
minorVersion: 1
numRandomBytes: 32
sessionIdSize: 0
numCipherSuites: 10
numCompressionMethods: 1
--buildClientHello
readIncomingTls_serverHello:
processTlsRecord:
processHandshake:
handshakeMessageType: ServerHello
handshakeMessageLen: 0x46
processHandshakeMessage:
MessageType: ServerHello
Processing ServerHello...
ServerHello:
MajorVersion: 3
MinorVersion: 1
SessionIdLen: 32
CipherSuite: RSA_WITH_AES_256_CBC_SHA
CipherSuite: 00,35
CompressionMethod: 0
Queueing ServerHello message.
ServerHello is OK.
--ServerHello
--processHandshakeMessage
--processHandshake
--processTlsRecord
--readIncomingTls_serverHello
HandshakeQueue:
MessageType: ServerHello
--HandshakeQueue
Dequeued ServerHello message.
readIncomingTls_6:
processTlsRecord:
processHandshake:
handshakeMessageType: Certificate
handshakeMessageLen: 0xf13
processHandshakeMessage:
MessageType: Certificate
ProcessCertificates:
Certificate:
[cert info]
--Certificate
Certificate:
[cert info]
--Certificate
Certificate:
[cert info]
--Certificate
NumCertificates: 3
Queueing Certificates message...
--ProcessCertificates
--processHandshakeMessage
--processHandshake
--processTlsRecord
--readIncomingTls_6
Dequeued Certificate message.
readIncomingTls_6:
processTlsRecord:
processHandshake:
handshakeMessageType: CertificateRequest
handshakeMessageLen: 0x6
processHandshakeMessage:
MessageType: CertificateRequest
CertificateRequest:
NumCertificateTypes: 3
Certificate Type: RSA Sign
Certificate Type: DSS Sign
OtherCertificateType: 64
totalLen: 0
NumDistinguishedNames: 0
CertificateRequest message is OK.
Queueing CertificateRequest message.
--CertificateRequest
--processHandshakeMessage
handshakeMessageType: ServerHelloDone
handshakeMessageLen: 0x0
processHandshakeMessage:
MessageType: ServerHelloDone
Queueing HelloDone message.
--processHandshakeMessage
--processHandshake
--processTlsRecord
--readIncomingTls_6
Dequeued CertificateRequest message.
DequeuedMessageType: ServerHelloDone
OK to ServerHelloDone!
Sending 0-length certificate (this is normal).
CertificatesMessage:
numCerts: 0
CertificateSize: 0x3
--CertificatesMessage
Encrypted pre-master secret with server certificate RSA public key is OK.
Sending ClientKeyExchange...
Sent ClientKeyExchange message.
Sending ChangeCipherSpec...
Sent ChangeCipherSpec message.
Derived keys.
Installed new outgoing security params.
Sending FINISHED message..
algorithm: aes
keyLength: 256
Sent FINISHED message..
readIncomingTls_changeCipherSpec2:
processTlsRecord:
processAlert:
TlsAlert:
level: fatal
descrip: handshake failure
--TlsAlert
--processAlert
--processTlsRecord
--readIncomingTls_changeCipherSpec2
Failed to read incoming handshake messages. (3)
Client handshake failed. (3)
Failed to connect.
--httpConnect
connectTime1: Elapsed time: 47 millisec
totalTime: Elapsed time: 47 millisec
Failed.
--SynchronousRequest
--ChilkatLog
所以事实证明,尽管发件人多次坚持证书是正确的,尽管他们坚持(当被问及时)电子邮件编码没有去除任何字符,但事实证明证书不正确并且电子邮件编码从正文中删除了一些字符。
注意以 + 字符开头的行。
我们需要使用双向 SSL 连接到服务器,但由于某种原因,我们在尝试发出请求时遇到以下错误:
[...]
readIncomingTls_changeCipherSpec2:
processTlsRecord:
processAlert:
TlsAlert:
level: fatal
descrip: handshake failure
--TlsAlert
--processAlert
--processTlsRecord
--readIncomingTls_changeCipherSpec2
Failed to read incoming handshake messages. (3)
Client handshake failed. (3)
Failed to connect.
[...]
私钥和 CSR 由我们提出,证书由我们正在连接的人return提供给我们。
将密钥和证书组合到一个 pem 文件中,并像这样添加到请求中,在其他脚本中使用它们各自的密钥证书和目标没有问题:
var Gateway = new ActiveXObject("Chilkat.Http");
Gateway.UnlockComponent("redacted");
var pemSuccess = Gateway.SetSslClientCertPem(Server.MapPath(certPath), "");
Gateway.ConnectTimeout = 10;
Gateway.ReadTimeout = 10;
然而,在这种情况下,不仅 pemSuccess returning 为 0,而且我注意到更改它或完全删除该行不会改变错误,这表明它在此之前中断了吗?
不幸的是,我对这个过程的了解有限,我不确定如何解决这个问题。
一些谷歌搜索导致 chilkat 支持页面建议更新 DLL 并确保 .pem 使用正确的密钥和证书,但这些都是它们应该的。
编辑 08/06/2015: 更改 -----BEGIN CERTIFICATE----- 的格式 header/footer 到——-开始证书——- 已允许 SetSslClientCertPem 为 return true,但除此之外没有更改 LastErrorText...
完整的 LastErrorText:
SynchronousRequest:
DllDate: Dec 12 2012
UnlockPrefix: [redacted]
Username: [redacted]
Architecture: Little Endian; 32-bit
Language: ActiveX
VerboseLogging: 0
domain: [redacted]
port: 9000
ssl: 1
RequestData:
HttpVersion: 1.1
Verb: POST
Path: [redacted]
Charset: utf-8
SendCharset: 0
MimeHeader: SOAPAction:
Content-Type: text/xml
--RequestData
ReadTimeout: 10
ConnectTimeout: 10
httpConnect:
hostname: [redacted]
port: 9000
ssl: 1
Need to establish connection to the HTTP server...
ConnectTimeoutMs_1: 10000
calling ConnectSocket2
IPV6 enabled connect with NO heartbeat.
connectingTo: [redacted]
resolveHostname1:
dnsCacheLookup: [redacted]
dnsCacheHit: [redacted]
--resolveHostname1
GetHostByNameHB_ipv4: Elapsed time: 0 millisec
myIP_1: [redacted]
myPort_1: [redacted]
connect successful (1)
clientHelloMajorMinorVersion: 3.1
buildClientHello:
majorVersion: 3
minorVersion: 1
numRandomBytes: 32
sessionIdSize: 0
numCipherSuites: 10
numCompressionMethods: 1
--buildClientHello
readIncomingTls_serverHello:
processTlsRecord:
processHandshake:
handshakeMessageType: ServerHello
handshakeMessageLen: 0x46
processHandshakeMessage:
MessageType: ServerHello
Processing ServerHello...
ServerHello:
MajorVersion: 3
MinorVersion: 1
SessionIdLen: 32
CipherSuite: RSA_WITH_AES_256_CBC_SHA
CipherSuite: 00,35
CompressionMethod: 0
Queueing ServerHello message.
ServerHello is OK.
--ServerHello
--processHandshakeMessage
--processHandshake
--processTlsRecord
--readIncomingTls_serverHello
HandshakeQueue:
MessageType: ServerHello
--HandshakeQueue
Dequeued ServerHello message.
readIncomingTls_6:
processTlsRecord:
processHandshake:
handshakeMessageType: Certificate
handshakeMessageLen: 0xf13
processHandshakeMessage:
MessageType: Certificate
ProcessCertificates:
Certificate:
[cert info]
--Certificate
Certificate:
[cert info]
--Certificate
Certificate:
[cert info]
--Certificate
NumCertificates: 3
Queueing Certificates message...
--ProcessCertificates
--processHandshakeMessage
--processHandshake
--processTlsRecord
--readIncomingTls_6
Dequeued Certificate message.
readIncomingTls_6:
processTlsRecord:
processHandshake:
handshakeMessageType: CertificateRequest
handshakeMessageLen: 0x6
processHandshakeMessage:
MessageType: CertificateRequest
CertificateRequest:
NumCertificateTypes: 3
Certificate Type: RSA Sign
Certificate Type: DSS Sign
OtherCertificateType: 64
totalLen: 0
NumDistinguishedNames: 0
CertificateRequest message is OK.
Queueing CertificateRequest message.
--CertificateRequest
--processHandshakeMessage
handshakeMessageType: ServerHelloDone
handshakeMessageLen: 0x0
processHandshakeMessage:
MessageType: ServerHelloDone
Queueing HelloDone message.
--processHandshakeMessage
--processHandshake
--processTlsRecord
--readIncomingTls_6
Dequeued CertificateRequest message.
DequeuedMessageType: ServerHelloDone
OK to ServerHelloDone!
Sending 0-length certificate (this is normal).
CertificatesMessage:
numCerts: 0
CertificateSize: 0x3
--CertificatesMessage
Encrypted pre-master secret with server certificate RSA public key is OK.
Sending ClientKeyExchange...
Sent ClientKeyExchange message.
Sending ChangeCipherSpec...
Sent ChangeCipherSpec message.
Derived keys.
Installed new outgoing security params.
Sending FINISHED message..
algorithm: aes
keyLength: 256
Sent FINISHED message..
readIncomingTls_changeCipherSpec2:
processTlsRecord:
processAlert:
TlsAlert:
level: fatal
descrip: handshake failure
--TlsAlert
--processAlert
--processTlsRecord
--readIncomingTls_changeCipherSpec2
Failed to read incoming handshake messages. (3)
Client handshake failed. (3)
Failed to connect.
--httpConnect
connectTime1: Elapsed time: 47 millisec
totalTime: Elapsed time: 47 millisec
Failed.
--SynchronousRequest
--ChilkatLog
所以事实证明,尽管发件人多次坚持证书是正确的,尽管他们坚持(当被问及时)电子邮件编码没有去除任何字符,但事实证明证书不正确并且电子邮件编码从正文中删除了一些字符。
注意以 + 字符开头的行。