OpenSSL s_client -connect incompatibility issue

I'm currently facing a problem that is bothering me. When I use this command from a machine with RHEL 7 and OpenSSL 1.0.2k:

openssl s_client -connect name.name.somename:9093

I get the result I want. I can see the certificate, the certificate chain, and so on.

CONNECTED(00000003)
depth=1 CN = XXXXXXX
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=*XXXXXXX
   i:/CN=XXXXXXX
 1 s:/CN=XXXXXXX
   i:/CN=XXXXXXX
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
subject=/xxxxxxxxxxxxxxxxxx
issuer=/xxxxxxxxxxxxxxxxxx
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 3294 bytes and written 479 bytes
---
New, TLSv1/SSLv3, Cipher is xxxxxxxxxxxxxxxxxx
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : xxxxxxxxxxxxxxxxxx
    Session-ID: xxxxxxxxxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxxxxxxxxx
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1638952814
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

But whenever I try the same command from a machine running a newer version of OpenSSL, I get this error:

CONNECTED(00000003)
139685857744704:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 320 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Are there any compatibility issues with the newer versions, or some new commands or conf files?

Adding all ciphers:

Obtaining cipher list from OpenSSL 1.1.1k 25 Mar 2021.
Testing TLS_AES_256_GCM_SHA384...NO (SSL_CTX_set_cipher_list)
Testing TLS_CHACHA20_POLY1305_SHA256...NO (SSL_CTX_set_cipher_list)
Testing TLS_AES_128_GCM_SHA256...NO (SSL_CTX_set_cipher_list)
Testing ECDHE-ECDSA-AES256-GCM-SHA384...NO (wrong version number)
Testing ECDHE-RSA-AES256-GCM-SHA384...NO (wrong version number)
Testing DHE-DSS-AES256-GCM-SHA384...YES
Testing DHE-RSA-AES256-GCM-SHA384...NO (wrong version number)
Testing ECDHE-ECDSA-CHACHA20-POLY1305...NO (wrong version number)
Testing ECDHE-RSA-CHACHA20-POLY1305...NO (wrong version number)
Testing DHE-RSA-CHACHA20-POLY1305...NO (wrong version number)
Testing ECDHE-ECDSA-AES256-CCM8...NO (wrong version number)
Testing ECDHE-ECDSA-AES256-CCM...NO (wrong version number)
Testing DHE-RSA-AES256-CCM8...NO (wrong version number)
Testing DHE-RSA-AES256-CCM...NO (wrong version number)
Testing ECDHE-ECDSA-ARIA256-GCM-SHA384...NO (wrong version number)
Testing ECDHE-ARIA256-GCM-SHA384...NO (wrong version number)
Testing DHE-DSS-ARIA256-GCM-SHA384...NO (wrong version number)
Testing DHE-RSA-ARIA256-GCM-SHA384...NO (wrong version number)
Testing ADH-AES256-GCM-SHA384...NO (wrong version number)
Testing ECDHE-ECDSA-AES128-GCM-SHA256...NO (wrong version number)
Testing ECDHE-RSA-AES128-GCM-SHA256...NO (wrong version number)
Testing DHE-DSS-AES128-GCM-SHA256...YES
Testing DHE-RSA-AES128-GCM-SHA256...NO (wrong version number)
Testing ECDHE-ECDSA-AES128-CCM8...NO (wrong version number)
Testing ECDHE-ECDSA-AES128-CCM...NO (wrong version number)
Testing DHE-RSA-AES128-CCM8...NO (wrong version number)
Testing DHE-RSA-AES128-CCM...NO (wrong version number)
Testing ECDHE-ECDSA-ARIA128-GCM-SHA256...NO (wrong version number)
Testing ECDHE-ARIA128-GCM-SHA256...NO (wrong version number)
Testing DHE-DSS-ARIA128-GCM-SHA256...NO (wrong version number)
Testing DHE-RSA-ARIA128-GCM-SHA256...NO (wrong version number)
Testing ADH-AES128-GCM-SHA256...NO (wrong version number)
Testing ECDHE-ECDSA-AES256-SHA384...NO (wrong version number)
Testing ECDHE-RSA-AES256-SHA384...NO (wrong version number)
Testing DHE-RSA-AES256-SHA256...NO (wrong version number)
Testing DHE-DSS-AES256-SHA256...YES
Testing ECDHE-ECDSA-CAMELLIA256-SHA384...NO (wrong version number)
Testing ECDHE-RSA-CAMELLIA256-SHA384...NO (wrong version number)
Testing DHE-RSA-CAMELLIA256-SHA256...NO (wrong version number)
Testing DHE-DSS-CAMELLIA256-SHA256...NO (wrong version number)
Testing ADH-AES256-SHA256...NO (wrong version number)
Testing ADH-CAMELLIA256-SHA256...NO (wrong version number)
Testing ECDHE-ECDSA-AES128-SHA256...NO (wrong version number)
Testing ECDHE-RSA-AES128-SHA256...NO (wrong version number)
Testing DHE-RSA-AES128-SHA256...NO (wrong version number)
Testing DHE-DSS-AES128-SHA256...YES
Testing ECDHE-ECDSA-CAMELLIA128-SHA256...NO (wrong version number)
Testing ECDHE-RSA-CAMELLIA128-SHA256...NO (wrong version number)
Testing DHE-RSA-CAMELLIA128-SHA256...NO (wrong version number)
Testing DHE-DSS-CAMELLIA128-SHA256...NO (wrong version number)
Testing ADH-AES128-SHA256...NO (wrong version number)
Testing ADH-CAMELLIA128-SHA256...NO (wrong version number)
Testing ECDHE-ECDSA-AES256-SHA...NO (wrong version number)
Testing ECDHE-RSA-AES256-SHA...NO (wrong version number)
Testing DHE-RSA-AES256-SHA...NO (wrong version number)
Testing DHE-DSS-AES256-SHA...YES
Testing DHE-RSA-CAMELLIA256-SHA...NO (wrong version number)
Testing DHE-DSS-CAMELLIA256-SHA...NO (wrong version number)
Testing AECDH-AES256-SHA...NO (wrong version number)
Testing ADH-AES256-SHA...NO (wrong version number)
Testing ADH-CAMELLIA256-SHA...NO (wrong version number)
Testing ECDHE-ECDSA-AES128-SHA...NO (wrong version number)
Testing ECDHE-RSA-AES128-SHA...NO (wrong version number)
Testing DHE-RSA-AES128-SHA...NO (wrong version number)
Testing DHE-DSS-AES128-SHA...YES
Testing DHE-RSA-SEED-SHA...NO (wrong version number)
Testing DHE-DSS-SEED-SHA...NO (wrong version number)
Testing DHE-RSA-CAMELLIA128-SHA...NO (wrong version number)
Testing DHE-DSS-CAMELLIA128-SHA...NO (wrong version number)
Testing AECDH-AES128-SHA...NO (wrong version number)
Testing ADH-AES128-SHA...NO (wrong version number)
Testing ADH-SEED-SHA...NO (wrong version number)
Testing ADH-CAMELLIA128-SHA...NO (wrong version number)
Testing RSA-PSK-AES256-GCM-SHA384...NO (wrong version number)
Testing DHE-PSK-AES256-GCM-SHA384...NO (wrong version number)
Testing RSA-PSK-CHACHA20-POLY1305...NO (wrong version number)
Testing DHE-PSK-CHACHA20-POLY1305...NO (wrong version number)
Testing ECDHE-PSK-CHACHA20-POLY1305...NO (wrong version number)
Testing DHE-PSK-AES256-CCM8...NO (wrong version number)
Testing DHE-PSK-AES256-CCM...NO (wrong version number)
Testing RSA-PSK-ARIA256-GCM-SHA384...NO (wrong version number)
Testing DHE-PSK-ARIA256-GCM-SHA384...NO (wrong version number)
Testing AES256-GCM-SHA384...NO (wrong version number)
Testing AES256-CCM8...NO (wrong version number)
Testing AES256-CCM...NO (wrong version number)
Testing ARIA256-GCM-SHA384...NO (wrong version number)
Testing PSK-AES256-GCM-SHA384...NO (wrong version number)
Testing PSK-CHACHA20-POLY1305...NO (wrong version number)
Testing PSK-AES256-CCM8...NO (wrong version number)
Testing PSK-AES256-CCM...NO (wrong version number)
Testing PSK-ARIA256-GCM-SHA384...NO (wrong version number)
Testing RSA-PSK-AES128-GCM-SHA256...NO (wrong version number)
Testing DHE-PSK-AES128-GCM-SHA256...NO (wrong version number)
Testing DHE-PSK-AES128-CCM8...NO (wrong version number)
Testing DHE-PSK-AES128-CCM...NO (wrong version number)
Testing RSA-PSK-ARIA128-GCM-SHA256...NO (wrong version number)
Testing DHE-PSK-ARIA128-GCM-SHA256...NO (wrong version number)
Testing AES128-GCM-SHA256...NO (wrong version number)
Testing AES128-CCM8...NO (wrong version number)
Testing AES128-CCM...NO (wrong version number)
Testing ARIA128-GCM-SHA256...NO (wrong version number)
Testing PSK-AES128-GCM-SHA256...NO (wrong version number)
Testing PSK-AES128-CCM8...NO (wrong version number)
Testing PSK-AES128-CCM...NO (wrong version number)
Testing PSK-ARIA128-GCM-SHA256...NO (wrong version number)
Testing AES256-SHA256...NO (wrong version number)
Testing CAMELLIA256-SHA256...NO (wrong version number)
Testing AES128-SHA256...NO (wrong version number)
Testing CAMELLIA128-SHA256...NO (wrong version number)
Testing ECDHE-PSK-AES256-CBC-SHA384...NO (wrong version number)
Testing ECDHE-PSK-AES256-CBC-SHA...NO (wrong version number)
Testing SRP-DSS-AES-256-CBC-SHA...NO (wrong version number)
Testing SRP-RSA-AES-256-CBC-SHA...NO (wrong version number)
Testing SRP-AES-256-CBC-SHA...NO (wrong version number)
Testing RSA-PSK-AES256-CBC-SHA384...NO (wrong version number)
Testing DHE-PSK-AES256-CBC-SHA384...NO (wrong version number)
Testing RSA-PSK-AES256-CBC-SHA...NO (wrong version number)
Testing DHE-PSK-AES256-CBC-SHA...NO (wrong version number)
Testing ECDHE-PSK-CAMELLIA256-SHA384...NO (wrong version number)
Testing RSA-PSK-CAMELLIA256-SHA384...NO (wrong version number)
Testing DHE-PSK-CAMELLIA256-SHA384...NO (wrong version number)
Testing AES256-SHA...NO (wrong version number)
Testing CAMELLIA256-SHA...NO (wrong version number)
Testing PSK-AES256-CBC-SHA384...NO (wrong version number)
Testing PSK-AES256-CBC-SHA...NO (wrong version number)
Testing PSK-CAMELLIA256-SHA384...NO (wrong version number)
Testing ECDHE-PSK-AES128-CBC-SHA256...NO (wrong version number)
Testing ECDHE-PSK-AES128-CBC-SHA...NO (wrong version number)
Testing SRP-DSS-AES-128-CBC-SHA...NO (wrong version number)
Testing SRP-RSA-AES-128-CBC-SHA...NO (wrong version number)
Testing SRP-AES-128-CBC-SHA...NO (wrong version number)
Testing RSA-PSK-AES128-CBC-SHA256...NO (wrong version number)
Testing DHE-PSK-AES128-CBC-SHA256...NO (wrong version number)
Testing RSA-PSK-AES128-CBC-SHA...NO (wrong version number)
Testing DHE-PSK-AES128-CBC-SHA...NO (wrong version number)
Testing ECDHE-PSK-CAMELLIA128-SHA256...NO (wrong version number)
Testing RSA-PSK-CAMELLIA128-SHA256...NO (wrong version number)
Testing DHE-PSK-CAMELLIA128-SHA256...NO (wrong version number)
Testing AES128-SHA...NO (wrong version number)
Testing SEED-SHA...NO (wrong version number)
Testing CAMELLIA128-SHA...NO (wrong version number)
Testing IDEA-CBC-SHA...NO (wrong version number)
Testing PSK-AES128-CBC-SHA256...NO (wrong version number)
Testing PSK-AES128-CBC-SHA...NO (wrong version number)
Testing PSK-CAMELLIA128-SHA256...NO (wrong version number)
Testing ECDHE-ECDSA-NULL-SHA...NO (wrong version number)
Testing ECDHE-RSA-NULL-SHA...NO (wrong version number)
Testing AECDH-NULL-SHA...NO (wrong version number)
Testing NULL-SHA256...NO (wrong version number)
Testing ECDHE-PSK-NULL-SHA384...NO (wrong version number)
Testing ECDHE-PSK-NULL-SHA256...NO (wrong version number)
Testing ECDHE-PSK-NULL-SHA...NO (wrong version number)
Testing RSA-PSK-NULL-SHA384...NO (wrong version number)
Testing RSA-PSK-NULL-SHA256...NO (wrong version number)
Testing DHE-PSK-NULL-SHA384...NO (wrong version number)
Testing DHE-PSK-NULL-SHA256...NO (wrong version number)
Testing RSA-PSK-NULL-SHA...NO (wrong version number)
Testing DHE-PSK-NULL-SHA...NO (wrong version number)
Testing NULL-SHA...NO (wrong version number)
Testing NULL-MD5...NO (wrong version number)
Testing PSK-NULL-SHA384...NO (wrong version number)
Testing PSK-NULL-SHA256...NO (wrong version number)
Testing PSK-NULL-SHA...NO (wrong version number)

Testing DHE-DSS-AES256-GCM-SHA384...YES

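It looks like the server only supports DSS ciphers, which is very unusual. As can be seen from the changelog, such ciphers were removed from the default cipher list in OpenSSL 1.1.0. This means the cipher needs to be enabled explicitly, i.e.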

$ openssl s_client -cipher 'DHE-DSS-AES256-GCM-SHA384' ...
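
Added example (not part of the original question or answer): a shell script that reads scan output in the format shown in the question, extracts the suites the server accepted, builds the matching `-cipher` string, and lists which of them the local OpenSSL build leaves out of `DEFAULT`. The sample lines are constructed from the listing above and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: lines in the same format as the scan output in the question.
SCAN='Testing TLS_AES_256_GCM_SHA384...NO (SSL_CTX_set_cipher_list)
Testing ECDHE-RSA-AES256-GCM-SHA384...NO (wrong version number)
Testing DHE-DSS-AES256-GCM-SHA384...YES
Testing DHE-RSA-AES256-GCM-SHA384...NO (wrong version number)
Testing DHE-DSS-AES128-GCM-SHA256...YES
Testing DHE-DSS-AES256-SHA...YES'

# Print every suite the server accepted, one per line.
accepted_ciphers() {
    printf '%s\n' "$1" | sed -n 's/^Testing \(.*\)\.\.\.YES[[:space:]]*$/\1/p'
}

# Join the accepted suites into the colon-separated form that -cipher expects.
cipher_string() {
    accepted_ciphers "$1" | paste -sd: -
}

# Succeed only if at least one suite was accepted and all of them are DSS-authenticated.
only_dss() {
    list=$(accepted_ciphers "$1")
    [ -n "$list" ] || return 1
    ! printf '%s\n' "$list" | grep -qv -e '-DSS-'
}

# List accepted suites that the local OpenSSL build does not include in DEFAULT.
missing_from_default() {
    defaults=$(openssl ciphers 'DEFAULT' 2>/dev/null | tr ':' '\n')
    accepted_ciphers "$1" | while read -r c; do
        printf '%s\n' "$defaults" | grep -qxF -e "$c" || printf '%s\n' "$c"
    done
}

echo "accepted by server: $(cipher_string "$SCAN")"
only_dss "$SCAN" && echo "server accepts DSS-authenticated suites only"
# Host and port are the placeholders used in the question.
echo "retry with: openssl s_client -connect name.name.somename:9093 -cipher '$(cipher_string "$SCAN")'"
if command -v openssl >/dev/null 2>&1; then
    echo "accepted suites missing from the local DEFAULT list:"
    missing_from_default "$SCAN"
fi
```
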