OpenSSL用于检查服务器是否提供证书的命令

时间:2014-06-27 17:13:28

标签: ssl openssl

我尝试运行openssl命令来缩小尝试从系统发送出站邮件时SSL问题的范围。

我在另一个话题中找到了这个命令:Using openssl to get the certificate from a server 

openssl s_client -connect ip:port -prexit

此输出结果为

CONNECTED(00000003)
15841:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

这是否意味着服务器没有提供任何证书?我在不同的ip:port上尝试了其他系统,并且它们成功地提供了证书。

相互身份验证是否会影响此命令与-prexit?

- 更新 -

我再次运行命令

openssl s_client -connect ip:port -prexit

我现在得到了这个回复

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

我在命令

中添加了-ssl3 
openssl s_client -connect ip:port -prexit -ssl3

响应:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1403907236
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

还要尝试-tls1 

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1403907267
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

6 个答案:

答案 0 :(得分:68)

我今天正在调试SSL问题,导致同样的write:errno=104错误。最后我发现这种行为的原因是服务器需要SNI servername TLS扩展名)才能正常工作。向openssl提供-servername选项使其成功连接:

openssl s_client -connect domain.tld:443 -servername domain.tld

希望这有帮助。

答案 1 :(得分:9)

15841:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
...
SSL handshake has read 0 bytes and written 121 bytes

这是握手失败。另一方关闭连接而不发送任何数据("读取0字节")。可能是,另一方根本不会说SSL。但我在破解SSL实施时看到了类似的错误,这些错误不了解更新的SSL版本。如果通过将-ssl3添加到s_client的命令行来获得SSL连接,请尝试。

答案 2 :(得分:2)

在我的情况下,没有为所有站点配置ssl证书(仅适用于非www版本重定向到的www版本)。我正在使用Laravel forge和Nginx Boilerplate config

我的nginx网站有以下配置:

<强> /etc/nginx/sites-available/timtimer.at 

server {
    listen [::]:80;
    listen 80;
    server_name timtimer.at www.timtimer.at;

    include h5bp/directive-only/ssl.conf;

    # and redirect to the https host (declared below)
    # avoiding http://www -> https://www -> https:// chain.
    return 301 https://www.timtimer.at$request_uri;
}

server {
    listen [::]:443 ssl spdy;
    listen 443 ssl spdy;

    # listen on the wrong host
    server_name timtimer.at;

    ### ERROR IS HERE ###
    # You eighter have to include the .crt and .key here also (like below)
    # or include it in the below included ssl.conf like suggested by H5BP

    include h5bp/directive-only/ssl.conf;

    # and redirect to the www host (declared below)
    return 301 https://www.timtimer.at$request_uri;
}

server {
    listen [::]:443 ssl spdy;
    listen 443 ssl spdy;

    server_name www.timtimer.at;

    include h5bp/directive-only/ssl.conf;

    # Path for static files
    root /home/forge/default/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/default/2658/server.crt;
    ssl_certificate_key /etc/nginx/ssl/default/2658/server.key;

    # ...

    # Include the basic h5bp config set
    include h5bp/basic.conf;
}

所以在将以下部分移动(剪切和粘贴)到 /etc/nginx/h5bp/directive-only/ssl.conf 文件之后,一切都按预期工作:

# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/default/2658/server.crt;
ssl_certificate_key /etc/nginx/ssl/default/2658/server.key;

如果只是直接调用www版本,那么即使只为www版本指定密钥也是不够的!

答案 3 :(得分:2)

我遇到write:errno=104,试图通过openssl s_client测试连接到启用SSL的RabbitMQ代理端口。

事实证明,问题很简单,用户RabbitMQ正在运行,因为它对证书文件没有读取权限。 RabbitMQ中几乎没有有用的日志记录。

答案 4 :(得分:1)

我有一个类似的问题。根本原因是发送IP不在接收服务器上的白名单IP范围内。因此,所有通信请求都被接收站点杀死。

答案 5 :(得分:0)

由于我们的代理使用他们的自签名证书重写了HTTPS连接,因此我也尝试访问github.com,这是我得到的以下内容:

  

没有可用的对等证书   没有发送客户证书CA名称

在我的输出中还有:

  

协议:TLSv1.3

我添加了-tls1_2,它工作正常,现在我可以看到它在传出请求上使用的是哪个CA。例如:
openssl s_client -connect github.com:443 -tls1_2

相关问题
最新问题