SSL23_GET_SERVER_HELLO:tlsv1警告内部错误

时间:2016-12-04 14:31:47

标签: amazon-web-services ssl amazon-s3 openssl amazon-cloudfront

目前遇到类似的问题,但没有一个解决方案有帮助

我无法访问服务器配置,因为这只是一个简单的Cloudfront + S3设置。

root@xxx:~# openssl s_client -connect tracking.kairion.de:443 -servername tracking.kairion.de
CONNECTED(00000003)
140336648943272:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 318 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1480860654
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Curl返回类似的错误

root@xxx:~# curl 'https://tracking.kairion.de/kairion.gif' -v
* Hostname was NOT found in DNS cache
*   Trying 2400:cb00:2048:1::6818:72f8...
* Connected to tracking.kairion.de (2400:cb00:2048:1::6818:72f8) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

错误在至少两台服务器上可重现:

openssl 1.0.1t-1+deb8u5 (jessie)
openssl 1.0.1t-1+deb7u1 (wheezy)

但适用于

openssl 1.0.2j-1 (stretch)

有趣的部分有时可能会工作一个小时,然后失败一小时。

1 个答案:

答案 0 :(得分:0)

今天发现问题,与cloudflare有关。

因为我为这个子域禁用了cloudflare,所以它没有问题。

似乎cloudflare有时从云端返回正确的CNAME,有时候返回cloudflare IP。只要它直接返回cloudfront,SSL就会工作,当它返回cloudflare IP时,SSL就失败了。