openssl 命令握手错误 s_client
Handshake error with the openssl command s_client
我正在使用 openssl 命令测试 https 服务器:
openssl s_client -connect xxx.xxx.com:8773
我收到如下握手错误消息。
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA verify return:1
depth=0 C = CN, ST = \E6\B5\E6\B1F\E7C, L = \E6D\AD\E5\B7E\E5\B8, O = \E6D\AD\E5\B7E\E6\E7F\E8A\B8\E6\B3\B0\E7\BD\E7\BBC\E7\A7\E6A\E6C\E9\E5\AC\E5F\B8, OU = \E6\E7F\E8A\B8\E6\B3\B0\E7\A0\E5F\E9\A8, CN = *.xxx.com verify return:1
140098959959704:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1487:SSL alert number 40
140098959959704:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
是真错误,是不是握手失败了?什么可能导致这种情况以及如何调试它?
添加详细的调试信息:
CONNECTED(00000003)
write to 0x92fa60 [0x92fae0] (265 bytes => 265 (0x109))
0000 - 16 03 01 01 04 01 00 01-00 03 03 db 16 2a 5c d8 .............*\.
0010 - 26 d0 d3 89 36 b2 b0 11-3d 46 3a 1f c2 86 4c e2 &...6...=F:...L.
0020 - 32 e8 ad 2f 99 03 69 72-60 07 2e 00 00 82 c0 30 2../..ir`......0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a3 00 9f 00 6b .,.(.$.........k
0040 - 00 6a 00 39 00 38 00 88-00 87 c0 32 c0 2e c0 2a .j.9.8.....2...*
0050 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f .&.......=.5.../
0060 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a2 00 9e 00 67 .+.'.#.........g
0070 - 00 40 00 33 00 32 00 9a-00 99 00 45 00 44 c0 31 .@.3.2.....E.D.1
0080 - c0 2d c0 29 c0 25 c0 0e-c0 04 00 9c 00 3c 00 2f .-.).%.......<./
0090 - 00 96 00 41 c0 11 c0 07-c0 0c c0 02 00 05 00 04 ...A............
00a0 - c0 12 c0 08 00 16 00 13-c0 0d c0 03 00 0a 00 ff ................
00b0 - 01 00 00 55 00 0b 00 04-03 00 01 02 00 0a 00 1c ...U............
00c0 - 00 1a 00 17 00 19 00 1c-00 1b 00 18 00 1a 00 16 ................
00d0 - 00 0e 00 0d 00 0b 00 0c-00 09 00 0a 00 23 00 00 .............#..
00e0 - 00 0d 00 20 00 1e 06 01-06 02 06 03 05 01 05 02 ... ............
00f0 - 05 03 04 01 04 02 04 03-03 01 03 02 03 03 02 01 ................
0100 - 02 02 02 03 00 0f 00 01-01 .........
read from 0x92fa60 [0x935040] (7 bytes => 7 (0x7))
0000 - 16 03 03 00 42 02 ....B.
0007 - <SPACES/NULS>
read from 0x92fa60 [0x93504a] (64 bytes => 64 (0x40))
0000 - 00 3e 03 03 d3 e8 11 03-4a 8a 9d 93 85 f2 e4 aa .>......J.......
0010 - 9f 03 d0 b2 eb f3 ef 7e-bd 41 6b 2c 36 70 55 06 .......~.Ak,6pU.
0020 - b8 0d bb 03 00 c0 2f 00-00 16 ff 01 00 01 00 00 ....../.........
0030 - 0b 00 04 03 00 01 02 00-23 00 00 00 0f 00 01 01 ........#.......
read from 0x92fa60 [0x935043] (5 bytes => 5 (0x5))
0000 - 16 03 03 0f 3c
Is it a real error and does it mean that the handshake is failed?
是的。
What may cause that and how to debug it?
由于服务器已经发送了它的证书,因此密钥交换可能不是问题所在。在此阶段握手可能失败的原因之一是服务器正在请求客户端证书,但客户端未发送证书。
read from 0x92fa60 [0x935043] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 54 ....T
read from 0x92fa60 [0x935048] (84 bytes => 84 (0x54))
0000 - 0d 00 00 4c 03 01 02 40-00 1e 06 01 06 02 06 03 ...L...@........
0010 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02 ................
0020 - 03 03 02 01 02 02 02 03-00 26 00 24 30 22 31 20 .........&.[=10=]"1
0030 - 30 1e 06 03 55 04 03 0c-17 59 75 6e 74 61 69 20 0...U....Yuntai
0040 - 4e 65 74 77 6f 72 6b 20-58 69 65 68 65 20 43 41 Network Xiehe CA
0050 - 0e
我猜这部分的意思是服务器需要一个客户端证书,由云台网络协和CA签发。您的客户显然没有提供,这就是握手失败的原因。
我正在使用 openssl 命令测试 https 服务器:
openssl s_client -connect xxx.xxx.com:8773
我收到如下握手错误消息。
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA verify return:1
depth=0 C = CN, ST = \E6\B5\E6\B1F\E7C, L = \E6D\AD\E5\B7E\E5\B8, O = \E6D\AD\E5\B7E\E6\E7F\E8A\B8\E6\B3\B0\E7\BD\E7\BBC\E7\A7\E6A\E6C\E9\E5\AC\E5F\B8, OU = \E6\E7F\E8A\B8\E6\B3\B0\E7\A0\E5F\E9\A8, CN = *.xxx.com verify return:1
140098959959704:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1487:SSL alert number 40
140098959959704:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
是真错误,是不是握手失败了?什么可能导致这种情况以及如何调试它?
添加详细的调试信息:
CONNECTED(00000003)
write to 0x92fa60 [0x92fae0] (265 bytes => 265 (0x109))
0000 - 16 03 01 01 04 01 00 01-00 03 03 db 16 2a 5c d8 .............*\.
0010 - 26 d0 d3 89 36 b2 b0 11-3d 46 3a 1f c2 86 4c e2 &...6...=F:...L.
0020 - 32 e8 ad 2f 99 03 69 72-60 07 2e 00 00 82 c0 30 2../..ir`......0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a3 00 9f 00 6b .,.(.$.........k
0040 - 00 6a 00 39 00 38 00 88-00 87 c0 32 c0 2e c0 2a .j.9.8.....2...*
0050 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f .&.......=.5.../
0060 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a2 00 9e 00 67 .+.'.#.........g
0070 - 00 40 00 33 00 32 00 9a-00 99 00 45 00 44 c0 31 .@.3.2.....E.D.1
0080 - c0 2d c0 29 c0 25 c0 0e-c0 04 00 9c 00 3c 00 2f .-.).%.......<./
0090 - 00 96 00 41 c0 11 c0 07-c0 0c c0 02 00 05 00 04 ...A............
00a0 - c0 12 c0 08 00 16 00 13-c0 0d c0 03 00 0a 00 ff ................
00b0 - 01 00 00 55 00 0b 00 04-03 00 01 02 00 0a 00 1c ...U............
00c0 - 00 1a 00 17 00 19 00 1c-00 1b 00 18 00 1a 00 16 ................
00d0 - 00 0e 00 0d 00 0b 00 0c-00 09 00 0a 00 23 00 00 .............#..
00e0 - 00 0d 00 20 00 1e 06 01-06 02 06 03 05 01 05 02 ... ............
00f0 - 05 03 04 01 04 02 04 03-03 01 03 02 03 03 02 01 ................
0100 - 02 02 02 03 00 0f 00 01-01 .........
read from 0x92fa60 [0x935040] (7 bytes => 7 (0x7))
0000 - 16 03 03 00 42 02 ....B.
0007 - <SPACES/NULS>
read from 0x92fa60 [0x93504a] (64 bytes => 64 (0x40))
0000 - 00 3e 03 03 d3 e8 11 03-4a 8a 9d 93 85 f2 e4 aa .>......J.......
0010 - 9f 03 d0 b2 eb f3 ef 7e-bd 41 6b 2c 36 70 55 06 .......~.Ak,6pU.
0020 - b8 0d bb 03 00 c0 2f 00-00 16 ff 01 00 01 00 00 ....../.........
0030 - 0b 00 04 03 00 01 02 00-23 00 00 00 0f 00 01 01 ........#.......
read from 0x92fa60 [0x935043] (5 bytes => 5 (0x5))
0000 - 16 03 03 0f 3c
Is it a real error and does it mean that the handshake is failed?
是的。
What may cause that and how to debug it?
由于服务器已经发送了它的证书,因此密钥交换可能不是问题所在。在此阶段握手可能失败的原因之一是服务器正在请求客户端证书,但客户端未发送证书。
read from 0x92fa60 [0x935043] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 54 ....T
read from 0x92fa60 [0x935048] (84 bytes => 84 (0x54))
0000 - 0d 00 00 4c 03 01 02 40-00 1e 06 01 06 02 06 03 ...L...@........
0010 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02 ................
0020 - 03 03 02 01 02 02 02 03-00 26 00 24 30 22 31 20 .........&.[=10=]"1
0030 - 30 1e 06 03 55 04 03 0c-17 59 75 6e 74 61 69 20 0...U....Yuntai
0040 - 4e 65 74 77 6f 72 6b 20-58 69 65 68 65 20 43 41 Network Xiehe CA
0050 - 0e
我猜这部分的意思是服务器需要一个客户端证书,由云台网络协和CA签发。您的客户显然没有提供,这就是握手失败的原因。