SSL handshake failure (40) only between nginx and iOS 11

Time: 2017-10-26 13:50:43

Tags: ios ssl nginx

I have an nginx 1.10.3 server running NextCloud and access it from various clients. The certificate is provided by Let's Encrypt and uses a 2048-bit RSA key.

All clients work fine, including web browsers, except for browsers running on iOS 11 on an iPad or iPhone. Working browsers are Firefox 56 on macOS and Linux, and Safari 11 on macOS Sierra. The NextCloud client on Linux also works fine. On iOS, GoodReader can access NextCloud as a WebDAV client. But Safari will not access it, claiming it cannot establish a secure connection to the server. The iOS NextCloud client returns an SSL error when trying to connect (I assume it uses the same library as Safari to connect).

The error in the nginx log when iOS (Safari or the NextCloud app) tries to connect and fails is:

SSL_do_handshake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking

I looked at the traffic on the web server; this is Firefox's Client Hello:

Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 512
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 508
        Version: TLS 1.2 (0x0303)
        Random
            GMT Unix Time: Aug  8, 2013 06:38:14.000000000 JST
            Random Bytes: eece37d08b453cedc932958165d0b6c530b31a321554c874...
        Session ID Length: 32
        Session ID: c7...
        Cipher Suites Length: 30
        Cipher Suites (15 suites)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
            Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: 405
        Extension: server_name
            Type: server_name (0x0000)
            Length: 30
            Server Name Indication extension
                Server Name list length: 28
                Server Name Type: host_name (0)
                Server Name length: 25
                Server Name: mydomain.com
        Extension: Extended Master Secret
            Type: Extended Master Secret (0x0017)
            Length: 0
        Extension: renegotiation_info
            Type: renegotiation_info (0xff01)
            Length: 1
            Renegotiation Info extension
                Renegotiation info extension length: 0
        Extension: elliptic_curves
            Type: elliptic_curves (0x000a)
            Length: 10
            Elliptic Curves Length: 8
            Elliptic curves (4 curves)
                Elliptic curve: ecdh_x25519 (0x001d)
                Elliptic curve: secp256r1 (0x0017)
                Elliptic curve: secp384r1 (0x0018)
                Elliptic curve: secp521r1 (0x0019)
        Extension: ec_point_formats
            Type: ec_point_formats (0x000b)
            Length: 2
            EC point formats Length: 1
            Elliptic curves point formats (1)
                EC point format: uncompressed (0)
        Extension: SessionTicket TLS
            Type: SessionTicket TLS (0x0023)
            Length: 208
            Data (208 bytes)
        Extension: Application Layer Protocol Negotiation
            Type: Application Layer Protocol Negotiation (0x0010)
            Length: 14
            ALPN Extension Length: 12
            ALPN Protocol
                ALPN string length: 2
                ALPN Next Protocol: h2
                ALPN string length: 8
                ALPN Next Protocol: http/1.1
        Extension: status_request
            Type: status_request (0x0005)
            Length: 5
            Certificate Status Type: OCSP (1)
            Responder ID list Length: 0
            Request Extensions Length: 0
        Extension: signature_algorithms
            Type: signature_algorithms (0x000d)
            Length: 24
            Signature Hash Algorithms Length: 22
            Signature Hash Algorithms (11 algorithms)
                Signature Hash Algorithm: 0x0403
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0503
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0603
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0804
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (4)
                Signature Hash Algorithm: 0x0805
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (5)
                Signature Hash Algorithm: 0x0806
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (6)
                Signature Hash Algorithm: 0x0401
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0501
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0601
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0203
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0201
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: RSA (1)
        Extension: Padding
            Type: Padding (0x0015)
            Length: 71
            Padding Data: 000000000000000000000000000000000000000000000000...

In the end, the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) cipher was selected for Firefox.

Here is the Client Hello from Safari on the iPad:

Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 239
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 235
        Version: TLS 1.2 (0x0303)
        Random
            GMT Unix Time: Jul 20, 2002 17:04:33.000000000 JST
            Random Bytes: 8f8602de9622cf56d70fa8d863a3c8d7154eb23ce19b625b...
        Session ID Length: 0
        Cipher Suites Length: 40
        Cipher Suites (20 suites)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: 154
        Extension: renegotiation_info
            Type: renegotiation_info (0xff01)
            Length: 1
            Renegotiation Info extension
                Renegotiation info extension length: 0
        Extension: server_name
            Type: server_name (0x0000)
            Length: 30
            Server Name Indication extension
                Server Name list length: 28
                Server Name Type: host_name (0)
                Server Name length: 25
                Server Name: mydomain.com
        Extension: Extended Master Secret
            Type: Extended Master Secret (0x0017)
            Length: 0
        Extension: signature_algorithms
            Type: signature_algorithms (0x000d)
            Length: 20
            Signature Hash Algorithms Length: 18
            Signature Hash Algorithms (9 algorithms)
                Signature Hash Algorithm: 0x0403
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0804
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (4)
                Signature Hash Algorithm: 0x0401
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0503
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0805
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (5)
                Signature Hash Algorithm: 0x0501
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0806
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (6)
                Signature Hash Algorithm: 0x0601
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0201
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: RSA (1)
        Extension: status_request
            Type: status_request (0x0005)
            Length: 5
            Certificate Status Type: OCSP (1)
            Responder ID list Length: 0
            Request Extensions Length: 0
        Extension: next_protocol_negotiation
            Type: next_protocol_negotiation (0x3374)
            Length: 0
        Extension: signed_certificate_timestamp
            Type: signed_certificate_timestamp (0x0012)
            Length: 0
            Data (0 bytes)
        Extension: Application Layer Protocol Negotiation
            Type: Application Layer Protocol Negotiation (0x0010)
            Length: 48
            ALPN Extension Length: 46
            ALPN Protocol
                ALPN string length: 2
                ALPN Next Protocol: h2
                ALPN string length: 5
                ALPN Next Protocol: h2-16
                ALPN string length: 5
                ALPN Next Protocol: h2-15
                ALPN string length: 5
                ALPN Next Protocol: h2-14
                ALPN string length: 8
                ALPN Next Protocol: spdy/3.1
                ALPN string length: 6
                ALPN Next Protocol: spdy/3
                ALPN string length: 8
                ALPN Next Protocol: http/1.1
        Extension: ec_point_formats
            Type: ec_point_formats (0x000b)
            Length: 2
            EC point formats Length: 1
            Elliptic curves point formats (1)
                EC point format: uncompressed (0)
        Extension: elliptic_curves
            Type: elliptic_curves (0x000a)
            Length: 8
            Elliptic Curves Length: 6
            Elliptic curves (3 curves)
                Elliptic curve: ecdh_x25519 (0x001d)
                Elliptic curve: secp256r1 (0x0017)
                Elliptic curve: secp384r1 (0x0018)

The response to iOS in the network traffic is:

Secure Sockets Layer
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
    Content Type: Alert (21)
    Version: TLS 1.2 (0x0303)
    Length: 2
    Alert Message
        Level: Fatal (2)
        Description: Handshake Failure (40)

Unfortunately, what exactly fails in the handshake is unclear to me, since I have not found more detailed information. The exact cipher the server selected for Firefox is listed as supported by iOS, yet the SSL handshake not only fails to select it, it fails to select any option at all.

A further oddity: running the site through SSL Labs gives an A+ rating and the following results for the Safari handshake tests:

Safari 6/iOS 6.0.1    RSA 2048 (SHA256)  TLS 1.2       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     ECDH secp521r1  FS
Safari 7/iOS 7.1      RSA 2048 (SHA256)  TLS 1.2       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     ECDH secp521r1  FS
Safari 7/OS X 10.9    RSA 2048 (SHA256)  TLS 1.2       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     ECDH secp521r1  FS
Safari 8/iOS 8.4      RSA 2048 (SHA256)  TLS 1.2       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     ECDH secp521r1  FS
Safari 8/OS X 10.10   RSA 2048 (SHA256)  TLS 1.2       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     ECDH secp521r1  FS
Safari 9/iOS 9        RSA 2048 (SHA256)  TLS 1.2 > h2  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  ECDH secp521r1  FS
Safari 9/OS X 10.11   RSA 2048 (SHA256)  TLS 1.2 > h2  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  ECDH secp521r1  FS
Safari 10/iOS 10      RSA 2048 (SHA256)  TLS 1.2 > h2  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  ECDH secp521r1  FS
Safari 10/OS X 10.12  RSA 2048 (SHA256)  TLS 1.2 > h2  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  ECDH secp521r1  FS

Apparently SSL Labs' model of Safari is happy with my server, but real Safari on iOS is not.

This is the SSL cipher configuration of the nginx server:

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:
  ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:
  ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:
  ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:
  ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:
  DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:
  DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:
  DHE-RSA-AES256-SHA256";

Taken from here. I also tried the configuration from the Mozilla SSL configuration generator. The "modern" profile looks like this:

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:
  ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:
  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:
  ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:
  ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

This gives the same result: a handshake failure.

Letting nginx use the default value of ssl_ciphers results in iOS connecting to the server. However, when I checked the TCP dump, I found that it selected the cipher TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d), which does not provide forward secrecy. Naturally, when the server uses the default cipher selection, SSL Labs also gives the site an A- rating because some browsers select ciphers without forward secrecy. But even in that case, SSL Labs' Safari 10 / iOS 10 handshake test gives RSA 2048 (SHA256) TLS 1.2 > h2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp521r1 FS as its result, so I find it hard to understand why iOS 11 behaves so differently.

Any help resolving this strange situation is much appreciated.

1 answer:

Answer 0 (score: 2)

I found the source of the problem. The server was restricted to accepting only the secp521r1 elliptic curve (the ssl_ecdh_curve setting). I don't remember why it was set that way; some guide in the past told me to do so and I blindly complied.

Adding the additional lower-strength curve secp384r1 lets iOS handshake successfully and communicate using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384. ssl_ecdh_curve is now set to secp521r1:secp384r1.

I'm not sure what change between iOS 10 and 11 caused this. My best guess, from digging through the OpenSSL code and some further research, is that iOS 11 is trying to comply with Suite B. Suite B restricts curves to P-256 and P-384. But this is just an amateur's guess.
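The failure mode described in the question and answer (an ECDHE-only cipher list plus a server curve the client never offers) can be reproduced with a small model of server-preference negotiation. This is an added example, not nginx or OpenSSL code; the curve lists come from the two Client Hellos above, the cipher lists are the page's "modern" profile in IANA names plus a constructed stand-in for nginx's default list, and server-preferred ordering is assumed.

```python
# Added example: models why an ECDHE-only cipher list with ssl_ecdh_curve
# restricted to secp521r1 yields "no shared cipher" for iOS 11. Simplified
# model of server-preference negotiation, not the real OpenSSL logic.

def _auth(suite):
    # Signature algorithm the suite needs from the server certificate
    return "ECDSA" if "ECDSA" in suite else "RSA"

def _needs_ecdhe(suite):
    return "_ECDHE_" in suite

def negotiate(server_suites, server_curves, cert_key, client_suites, client_curves):
    """Return (suite, curve) for the first server-preferred suite the client
    also offers, that the certificate can sign for, and (for ECDHE) that has a
    curve both sides accept. None means alert 40 (handshake_failure)."""
    for suite in server_suites:
        if suite not in client_suites:
            continue
        if _auth(suite) != cert_key:
            continue  # an RSA certificate cannot serve ECDHE_ECDSA suites
        if _needs_ecdhe(suite):
            shared = [c for c in server_curves if c in client_curves]
            if not shared:
                continue  # ECDHE suite is unusable without a common curve
            return suite, shared[0]
        return suite, None  # static RSA: no ephemeral key, no forward secrecy
    return None

# Curves from the two Client Hellos captured on the page
FIREFOX_CURVES = ["x25519", "secp256r1", "secp384r1", "secp521r1"]
IOS11_CURVES = ["x25519", "secp256r1", "secp384r1"]

# Mozilla "modern" list from the page (ECDHE only), in IANA names
MODERN = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
# Constructed stand-in for nginx's default list: ECDHE first, then static RSA
WITH_STATIC_RSA = MODERN + ["TLS_RSA_WITH_AES_256_GCM_SHA384"]
# Subset of the suites each client offered that overlaps the lists above
IOS11_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
]
FIREFOX_SUITES = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    print(negotiate(MODERN, ["secp521r1"], "RSA", IOS11_SUITES, IOS11_CURVES))
    print(negotiate(MODERN, ["secp521r1"], "RSA", FIREFOX_SUITES, FIREFOX_CURVES))
    print(negotiate(MODERN, ["secp521r1", "secp384r1"], "RSA", IOS11_SUITES, IOS11_CURVES))
    print(negotiate(WITH_STATIC_RSA, ["secp521r1"], "RSA", IOS11_SUITES, IOS11_CURVES))
```

The four calls reproduce the page's observations in order: iOS 11 gets handshake_failure, Firefox negotiates over secp521r1, adding secp384r1 restores an ECDHE suite for iOS, and the default-style list lets iOS fall back to static RSA without forward secrecy.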