SSL error with Mechanize

Posted: 2015-04-13 16:36:16

Tags: ruby ssl openssl mechanize

I ran these commands in irb:
require 'mechanize'
agent = Mechanize.new
agent.get('https://monabo.lemonde.fr/customer/account/forgotpassword/')

and I got this error:

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure

I tried it on a Mac, where it works and I don't get this error. But it does not work on my computer (running Linux Mint 17).

What I have tried:

  • Exporting this variable:

    export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
    
  • Setting this variable:

    agent.agent.http.ca_file = '/etc/ssl/certs/ca-certificates.crt'
    
  • Setting:

    OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
    
  • Changing the ruby version (I am currently using ruby 2.1.5p275)

None of these changed anything. I suspect the server requires a specific OpenSSL version.

Note that a Mechanize request to https://google.com works, but https://monabo.lemonde.fr/customer/account/forgotpassword/ does not. Here is what openssl gives me:

    ➜  swiff git:(master) ✗ openssl s_client -connect monabo.lemonde.fr/customer/account/forgotpassword:443 -tls1 -servername monabo.lemonde.fr/customer/account/forgotpassword | openssl x509 -text -noout
    gethostbyname failure
    connect:errno=0
    unable to load certificate
    140045809014432:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

The fact that it works on the Mac suggests my configuration is wrong.

Edit: here is the output of this command:


Some other data:

5 answers:

Answer 0 (score: 4)

The server supports only SSLv3 and TLSv1, and only the cipher DES-CBC3-SHA. This cipher is not included in the default cipher set used by your ruby version, as you can see in https://github.com/ruby/ruby/blob/ruby_2_1/ext/openssl/lib/openssl/ssl.rb. This setup is strange, because as far as I know DES-CBC3-SHA (i.e. 3DES) is considered more secure than the RC4-SHA in their cipher set.

I tried to find a way to set the ciphers on the Mechanize object, but I know too little about writing ruby and only have an older ruby version on the system. You could try something like agent.agent.http.ciphers = [ 'des-cbc3-sha' ], or ask some ruby experts.

Answer 1 (score: 1)


openssl s_client -connect monabo.lemonde.fr/customer/account/forgotpassword:443 -tls1 -servername monabo.lemonde.fr/customer/account/forgotpassword | openssl x509 -text -noout

From the outside, I am able to connect. I was able to get around the "unable to get local issuer certificate" error by using -CApath with the OpenSSL command (left to the reader, since it is not the problem).

This may help you troubleshoot the problem...

Fetch the certificate dump:

$ openssl s_client -connect  monabo.lemonde.fr:443 -tls1 -servername monabo.lemonde.fr | openssl x509 -text -noout
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - G2
verify error:num=20:unable to get local issuer certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:21:56:eb:c5:b1:54:fb:88:02:47:ec:cd:51:d9:38:89:d2
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - G2
        Validity
            Not Before: Dec 18 17:19:34 2013 GMT
            Not After : Jan 19 18:10:24 2017 GMT
        Subject: OU=Domain Control Validated, CN=*.lemonde.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:59:62:60:4e:18:52:3d:f5:f9:e2:54:5a:dd:
                    54:09:05:27:ae:f9:42:20:d6:ff:0a:5f:97:64:33:
                    64:5c:9a:80:67:de:6a:be:f9:6a:cb:1c:14:14:df:
                    90:cb:77:9a:d9:22:15:45:eb:ac:9a:c3:36:1f:52:
                    ee:22:b5:9f:67:22:35:52:64:e0:4e:44:f8:ab:01:
                    3a:e8:f6:57:81:27:3b:28:3c:b1:da:e2:59:12:63:
                    99:89:e2:ed:bf:42:09:4c:39:f3:d7:2e:4a:5d:d1:
                    d7:4c:d1:cd:2c:98:f9:da:da:a0:10:85:17:92:05:
                    62:c1:89:f0:ff:5a:cd:f7:72:a8:e0:3d:f2:ad:c7:
                    44:64:88:72:40:84:53:fc:80:f9:5f:44:7b:bf:ce:
                    3c:93:87:05:af:d6:95:00:44:63:be:55:ac:25:8e:
                    25:3c:1c:2c:99:2d:d0:d0:72:da:f1:5f:a0:9b:4e:
                    56:20:10:4e:db:a7:cd:32:c8:32:48:cd:f9:bf:45:
                    8c:ca:b3:68:88:6d:61:fa:4c:80:87:0b:d6:f8:e6:
                    d9:73:5d:27:b7:bf:0f:35:81:89:93:ee:fa:84:15:
                    de:d4:99:45:d6:7a:fe:19:dc:71:56:29:00:6d:fb:
                    1b:1f:48:16:17:12:fe:0b:05:76:37:b7:f0:11:7a:
                    32:fb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                  CPS: https://www.globalsign.com/repository/

            X509v3 Subject Alternative Name: 
                DNS:*.lemonde.fr, DNS:lemonde.fr
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.globalsign.com/gs/gsdomainvalg2.crl

            Authority Information Access: 
                CA Issuers - URI:http://secure.globalsign.com/cacert/gsdomainvalg2.crt
                OCSP - URI:http://ocsp2.globalsign.com/gsdomainvalg2

            X509v3 Subject Key Identifier: 
                49:7C:AB:DD:45:95:AB:8C:15:8E:9A:E2:0E:FE:79:39:FF:5C:A6:3C
            X509v3 Authority Key Identifier: 
                keyid:96:AD:FA:B0:5B:B9:83:64:2A:76:C2:1C:8A:69:DA:42:DC:FE:FD:28

    Signature Algorithm: sha1WithRSAEncryption
         33:65:d5:4d:39:4d:c9:86:52:bf:0f:d0:85:28:50:36:21:ac:
         1d:f4:b4:69:22:48:5b:6b:99:64:19:51:71:0e:fc:c9:ca:5e:
         05:e2:fc:ff:b8:e1:50:b8:4d:1c:82:a6:06:3e:3b:85:d2:ab:
         fe:1e:18:02:d3:c1:e6:54:f4:26:ce:20:af:a3:52:90:5c:a8:
         bb:ad:a0:a9:29:30:50:bd:64:f3:1e:26:76:d7:5d:05:2e:9e:
         57:f2:3a:2a:fe:49:30:74:76:9f:b2:95:07:47:de:9e:8f:74:
         5d:97:62:45:2b:16:d3:ae:80:66:22:b7:3a:b4:34:f0:33:e2:
         40:bf:3d:39:3d:64:3f:94:b4:d7:a9:c6:e3:ca:76:76:86:67:
         58:82:e9:95:4a:c4:70:93:6f:bc:34:5e:a6:6d:93:05:ae:41:
         ae:8a:ac:ef:c2:65:6c:8f:af:46:31:c1:98:ca:11:6c:56:87:
         98:44:9d:8b:8a:29:03:a3:cf:c7:6c:d5:3c:29:9f:ba:ff:db:
         2f:38:a6:be:29:3d:be:ec:01:dc:1f:6c:55:1d:7d:74:7e:f4:
         74:18:5a:f3:ca:64:2b:1e:d7:82:36:2c:ee:08:a5:35:c2:54:
         0b:b5:cc:8b:28:03:6e:1e:ad:b6:05:c3:01:67:34:59:db:8b:
         d4:20:b8:cb

Perform an HTML GET (note -ign_eof):

riemann::cryptopp$ echo -e "GET /customer/account/forgotpassword HTTP/1.1\r\nHost:monabo.lemonde.fr\r\n\r\n" | openssl s_client -connect  monabo.lemonde.fr:443 -tls1 -ign_eof -servername monabo.lemonde.fr 
CONNECTED(00000003)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.lemonde.fr
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.lemonde.fr
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 2528 bytes and written 584 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 5CB47D92BE13BC28113D333A7B3BEECBF90B78EB4751BC1285F4EB1EA129914D8E61629E1EE84E9B6177ADC1E2CA9AE9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1428944574
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
HTTP/1.0 200 OK
Set-Cookie: ARVATO=R212127208; path=/
Set-Cookie: ARVATO=R1228432574; path=/
Date: Mon, 13 Apr 2015 16:56:33 GMT
Server: Apache
Set-Cookie: frontend=8b5a9c59bc8c3e36259d9bb9c5d786b6; expires=Thu, 03-Mar-2332 10:43:14 GMT; path=/; domain=monabo.lemonde.fr; HttpOnly
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, public
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from cache-02
X-Cache-Lookup: MISS from cache-02:80
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head>
<title>Magento Commerce</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="description" content="Default Description" />
<meta name="keywords" content="Magento, Varien, E-commerce" />
<meta name="robots" content="INDEX,FOLLOW" />
...
</body>
</html>
closed

Attempting to force SSLv3 fails (note the use of -ssl3 but the lack of -servername):

$ openssl s_client -connect  monabo.lemonde.fr:443 -ssl3 | openssl x509 -text -noout
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - G2
verify error:num=20:unable to get local issuer certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:21:56:eb:c5:b1:54:fb:88:02:47:ec:cd:51:d9:38:89:d2
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - G2
        Validity
            Not Before: Dec 18 17:19:34 2013 GMT
            Not After : Jan 19 18:10:24 2017 GMT
        Subject: OU=Domain Control Validated, CN=*.lemonde.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:59:62:60:4e:18:52:3d:f5:f9:e2:54:5a:dd:
                    54:09:05:27:ae:f9:42:20:d6:ff:0a:5f:97:64:33:
                    64:5c:9a:80:67:de:6a:be:f9:6a:cb:1c:14:14:df:
                    90:cb:77:9a:d9:22:15:45:eb:ac:9a:c3:36:1f:52:
                    ee:22:b5:9f:67:22:35:52:64:e0:4e:44:f8:ab:01:
                    3a:e8:f6:57:81:27:3b:28:3c:b1:da:e2:59:12:63:
                    99:89:e2:ed:bf:42:09:4c:39:f3:d7:2e:4a:5d:d1:
                    d7:4c:d1:cd:2c:98:f9:da:da:a0:10:85:17:92:05:
                    62:c1:89:f0:ff:5a:cd:f7:72:a8:e0:3d:f2:ad:c7:
                    44:64:88:72:40:84:53:fc:80:f9:5f:44:7b:bf:ce:
                    3c:93:87:05:af:d6:95:00:44:63:be:55:ac:25:8e:
                    25:3c:1c:2c:99:2d:d0:d0:72:da:f1:5f:a0:9b:4e:
                    56:20:10:4e:db:a7:cd:32:c8:32:48:cd:f9:bf:45:
                    8c:ca:b3:68:88:6d:61:fa:4c:80:87:0b:d6:f8:e6:
                    d9:73:5d:27:b7:bf:0f:35:81:89:93:ee:fa:84:15:
                    de:d4:99:45:d6:7a:fe:19:dc:71:56:29:00:6d:fb:
                    1b:1f:48:16:17:12:fe:0b:05:76:37:b7:f0:11:7a:
                    32:fb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                  CPS: https://www.globalsign.com/repository/

            X509v3 Subject Alternative Name: 
                DNS:*.lemonde.fr, DNS:lemonde.fr
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.globalsign.com/gs/gsdomainvalg2.crl

            Authority Information Access: 
                CA Issuers - URI:http://secure.globalsign.com/cacert/gsdomainvalg2.crt
                OCSP - URI:http://ocsp2.globalsign.com/gsdomainvalg2

            X509v3 Subject Key Identifier: 
                49:7C:AB:DD:45:95:AB:8C:15:8E:9A:E2:0E:FE:79:39:FF:5C:A6:3C
            X509v3 Authority Key Identifier: 
                keyid:96:AD:FA:B0:5B:B9:83:64:2A:76:C2:1C:8A:69:DA:42:DC:FE:FD:28

    Signature Algorithm: sha1WithRSAEncryption
         33:65:d5:4d:39:4d:c9:86:52:bf:0f:d0:85:28:50:36:21:ac:
         1d:f4:b4:69:22:48:5b:6b:99:64:19:51:71:0e:fc:c9:ca:5e:
         05:e2:fc:ff:b8:e1:50:b8:4d:1c:82:a6:06:3e:3b:85:d2:ab:
         fe:1e:18:02:d3:c1:e6:54:f4:26:ce:20:af:a3:52:90:5c:a8:
         bb:ad:a0:a9:29:30:50:bd:64:f3:1e:26:76:d7:5d:05:2e:9e:
         57:f2:3a:2a:fe:49:30:74:76:9f:b2:95:07:47:de:9e:8f:74:
         5d:97:62:45:2b:16:d3:ae:80:66:22:b7:3a:b4:34:f0:33:e2:
         40:bf:3d:39:3d:64:3f:94:b4:d7:a9:c6:e3:ca:76:76:86:67:
         58:82:e9:95:4a:c4:70:93:6f:bc:34:5e:a6:6d:93:05:ae:41:
         ae:8a:ac:ef:c2:65:6c:8f:af:46:31:c1:98:ca:11:6c:56:87:
         98:44:9d:8b:8a:29:03:a3:cf:c7:6c:d5:3c:29:9f:ba:ff:db:
         2f:38:a6:be:29:3d:be:ec:01:dc:1f:6c:55:1d:7d:74:7e:f4:
         74:18:5a:f3:ca:64:2b:1e:d7:82:36:2c:ee:08:a5:35:c2:54:
         0b:b5:cc:8b:28:03:6e:1e:ad:b6:05:c3:01:67:34:59:db:8b:
         d4:20:b8:cb

Answer 2 (score: 0)

For Ruby < 2.5

You can add the cipher to the default cipher list:

OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers] += ':DES-CBC3-SHA'

Then:

require 'mechanize'
agent = Mechanize.new
agent.get 'https://monabo.lemonde.fr/customer/account/forgotpassword/'
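Answer 0 says the server offers only DES-CBC3-SHA and that this cipher is not in Ruby's default list; Answer 2 fixes that by appending to OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]. The following is an added example (not code from either answerer or from the Mechanize project) that uses only Ruby's bundled openssl library and never touches the network: it checks whether a cipher name is even enabled in the local OpenSSL build, builds an SSLContext the way Net::HTTP does (via set_params) and appends extra ciphers to it, and models the negotiation as the overlap of the two cipher lists. The function names (cipher_available?, build_context, cipher_names, cipher_enabled?, common_ciphers) are my own. One caveat worth knowing: on Ruby 2.5+ with OpenSSL 1.1+, DEFAULT_PARAMS has no :ciphers key at all (Ruby defers to OpenSSL's own default), so Answer 2's += raises NoMethodError on nil there; build_context reads the effective list from the context instead of the global hash.

```ruby
require 'openssl'

# Is this cipher name known to, and enabled in, the local OpenSSL build?
# SSL_CTX_set_cipher_list fails when the resulting TLS 1.2 list is empty
# ("no cipher match"), which Ruby raises as OpenSSL::SSL::SSLError.
def cipher_available?(name)
  OpenSSL::SSL::SSLContext.new.ciphers = name
  true
rescue OpenSSL::SSL::SSLError
  false
end

# Build a context the way Net::HTTP (and therefore Mechanize) does:
# set_params applies OpenSSL::SSL::SSLContext::DEFAULT_PARAMS. Extra cipher
# names are appended to the effective list, which mirrors Answer 2's
# "+= ':DES-CBC3-SHA'" without mutating the global DEFAULT_PARAMS hash.
def build_context(extra_ciphers = [])
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params
  unless extra_ciphers.empty?
    # ctx.ciphers => [[name, version, bits, alg_bits], ...]
    enabled = ctx.ciphers.map(&:first)
    # OpenSSL ignores unknown names in a cipher string, so appending a cipher
    # that this build lacks does not break the list; it just stays disabled.
    ctx.ciphers = (enabled + extra_ciphers).join(':')
  end
  ctx
end

def cipher_names(ctx)
  ctx.ciphers.map(&:first)
end

def cipher_enabled?(ctx, name)
  cipher_names(ctx).include?(name)
end

# Model of the negotiation outcome: the handshake can only succeed if the
# client and server lists overlap. Result is in server preference order;
# an empty result is the "sslv3 alert handshake failure" from the question.
def common_ciphers(client_names, server_names)
  server_names.select { |c| client_names.include?(c) }
end

if __FILE__ == $PROGRAM_NAME
  page_cipher = 'DES-CBC3-SHA' # the only cipher the server in the question offered
  puts "#{page_cipher} enabled in this OpenSSL build: #{cipher_available?(page_cipher)}"
  ctx = build_context
  puts "default context: #{cipher_names(ctx).size} ciphers, #{page_cipher}: #{cipher_enabled?(ctx, page_cipher)}"
  ctx2 = build_context([page_cipher])
  puts "after appending: #{page_cipher}: #{cipher_enabled?(ctx2, page_cipher)}"
  puts "overlap with a #{page_cipher}-only server: #{common_ciphers(cipher_names(ctx2), [page_cipher]).inspect}"
end
```

Run it on the affected machine: if cipher_available?('DES-CBC3-SHA') is false, no Ruby-level cipher setting can help, because the OpenSSL library itself does not provide the cipher; if it is true but the default context does not enable it, appending it (or the Mechanize-level agent.agent.http.ciphers from Answer 0) is what makes the overlap non-empty.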

Answer 3 (score: 0)

Installing the certified gem fixed this for me, on Windows 7 with the following versions of ruby/rubygems.

> ruby -v
ruby 2.2.3p173 (2015-08-18 revision 51636) [i386-mingw32]
> gem -v
2.6.6

Answer 4 (score: 0)

I know nothing about ruby, but the problem looks like a certificate chain verification problem.

That is, the openssl error "verify error:num=20:unable to get local issuer certificate" is the reason for your failure.

The reason for the failure is that the full chain cannot be loaded, i.e. one or more certificates are missing.

The first point is that the certificate chain served by the server is missing the intermediate. This is really a web server setup problem, since they have left the intermediate certificate out of that web server configuration.

You can work around it by providing this intermediate in your local CA file. That is most likely why it works on the other machine: that machine's CA file contains the intermediate/root certificate.

I would check whether your CA file (/etc/ssl/certs/ca-certificates.crt) contains both of these certificates and, if not, add them. Once the openssl command runs without the "verify error:num=20:unable to get local issuer certificate" error, the problem with your ruby code should be ruled out (assuming your ruby code uses the same CA file).

If you can update the web server to use a certificate chain file that contains the server certificate and the intermediate certificate, that should also fix the problem.
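Answer 4 attributes the verify error 20 to a missing intermediate and names two fixes: have the server send the intermediate, or put it in the local CA file. The following is an added example (not the answerer's code) that reproduces both with Ruby's bundled openssl library and no network. It constructs a throwaway three-tier PKI (root, intermediate, leaf) standing in for GlobalSign Root CA -> GlobalSign Domain Validation CA - G2 -> *.lemonde.fr from Answer 1's s_client output, then verifies the leaf with OpenSSL::X509::StoreContext the way a TLS client would. The certificate names, keys and the function names (issue_cert, build_demo_pki, verify_chain) are constructed for the example; the error code 20 is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, the same number as in the page's output.

```ruby
require 'openssl'

# Issue an X509v3 certificate. Without issuer_cert/issuer_key the
# certificate is self-signed (a root).
def issue_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X509v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  # CA:TRUE plus keyCertSign is what lets OpenSSL accept a cert as an issuer.
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed three-tier PKI: root -> intermediate -> leaf (demo values,
# not the real GlobalSign certificates from the page).
def build_demo_pki
  root_key = OpenSSL::PKey::RSA.new(2048)
  int_key  = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root = issue_cert('/CN=Demo Root CA', root_key, ca: true, serial: 1)
  int  = issue_cert('/CN=Demo Intermediate CA', int_key,
                    issuer_cert: root, issuer_key: root_key, ca: true, serial: 2)
  leaf = issue_cert('/CN=www.example.test', leaf_key,
                    issuer_cert: int, issuer_key: int_key, serial: 3)
  { root: root, intermediate: int, leaf: leaf }
end

# Verify `leaf` against `trusted` (the contents of the CA file) given the
# untrusted certificates `presented` alongside it (what the server sends).
# Returns [ok, error_code, error_string]; error code 20 is the answer's
# "unable to get local issuer certificate".
def verify_chain(leaf, trusted, presented = [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, presented)
  ok = ctx.verify
  [ok, ctx.error, ctx.error_string]
end

DEMO_PKI = build_demo_pki

if __FILE__ == $PROGRAM_NAME
  leaf, int, root = DEMO_PKI.values_at(:leaf, :intermediate, :root)
  # Server omits the intermediate, CA file holds only the root: error 20.
  p verify_chain(leaf, [root])
  # Server-side fix from Answer 4: send the intermediate with the leaf.
  p verify_chain(leaf, [root], [int])
  # Client-side workaround from Answer 4: intermediate added to the CA file.
  p verify_chain(leaf, [root, int])
end
```

The first call is the situation in the question; the second is the fix that helps every client (the server's chain file includes the intermediate), while the third only helps the one machine whose CA file was patched, which is why Answer 4 recommends it as a workaround rather than the real fix.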