CouchDB无法通过SSL

时间:2018-04-30 15:58:16

标签: ssl openssl couchdb

我正在运行CouchDB Docker container,V.2.1.1。除SSL之外,此时一切正常。我正在关注CouchDB documentation on SSL setup。容器有OpenSSL 1.0.1t。

如文档中所示,我使用的是自签名证书。当我尝试连接到端口6984上的SSL页面时:

Chrome告诉我

"ERR_CONNECTION_CLOSED".

curl给了我

curl -k https://localhost:6984 

curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:6984

在服务器日志中,我得到了很多。

hello terminated with reason: no function clause matching ssl_cipher:hash_algorithm

搜索此最后一个错误会显示指示Erlang版本存在问题的信息。但是,我相信CouchDB容器有一个已修补的版本。我确实尝试升级:

apt-get install Erlang

这没有任何区别。搜索结果也指向OpenSSL有问题的版本。我从源代码升级到OpenSSL 1.1.1,重新创建了证书,但问题仍然存在。

根据要求,这是几个命令的输出。

openssl s_client -connect localhost:6984 

CONNECTED(00000005)
140736008328136:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/ssl/s23_lib.c:124:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 318 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---

curl --version 

curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy

curl -k -v https://localhost:6984 

* Rebuilt URL to: https://localhost:6984/
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 6984 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:6984
* stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:6984

curl -k --ciphers DEFAULT https://localhost:6984 

curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:6984

curl -k - 访问者ECDHE-RSA-AES256-GCM-SHA384 https://localhost:6984 

curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:6984

以下三个命令的输出非常相似。我只是展示不同之处。但是,似乎现在正在使用所有这些命令进行握手。

$ openssl s_client -tls1 -connect localhost:6984 

CONNECTED(00000005)
SSL handshake has read 1762 bytes and written 400 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 18C5DF9DCA1B8AA0DBD33258BCD253053F8D1D91B524B0561A1C0FAB8CFB5146
    Master-Key: FD0C57E4E8FB992C0323D43930C104D82B69C4200F42E03EDB51E38A47448D62FDCB6E813583E2177A339B74B4D0CC4A
    Start Time: 1525593658
    Timeout   : 7200 (sec)

$ path / to / brew / version / of / openssl s_client -connect localhost:6984 

CONNECTED(00000003)
Peer signing digest: SHA512
Server Temp Key: DH, 1024 bits
SSL handshake has read 1796 bytes and written 537 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-SHA256
    Session-ID: A19D67CBE634843181859DB2C3C4D1A3416C9F7DAA85CF470D412FE723AD49B4
    Master-Key: 61B711B9BEDB651868607527439D01B421780C7D584FCE68C4754A7A7F3563923409C03F4B68BB7914397B48A92FC756
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1525593604
    Timeout   : 300 (sec)

$ path / to / brew / version / of / openssl s_client -tls1 -connect localhost:6984 

SSL handshake has read 1762 bytes and written 397 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 6CC7FFE1C7CE258F105C7ADD5D8A9C0DFFB26A5A9555EB218EE48E519D361208
    Master-Key: 2D6DFAC01544F6FF5F4138D877A4105485D5A2F77B58B4796822625E2E602455C38E3EEB2CBACE07FA03D207B07C715E
    Start Time: 1525593717
    Timeout   : 7200 (sec)

$ curl -k --tlsv1 https://localhost:6984 

curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:6984

$ curl -k --tlsv1.0 https://localhost:6984 

{"couchdb":"Welcome","version":"2.1.1","features":["scheduler"],"vendor":{"name":"The Apache Software Foundation"}}

所以我猜猜LibreSSL的内置版本存在问题?接下来的问题是可以做些什么呢?

2 个答案:

答案 0 :(得分:2)

为了深入挖掘,您可以发布以下命令的输出吗?

$ openssl s_client -connect localhost:6984

$ curl --version

$ curl -k -v https://localhost:6984

$ curl -k --ciphers DEFAULT https://localhost:6984

$ curl -k --ciphers ECDHE-RSA-AES256-GCM-SHA384 https://localhost:6984

顺便提一下,我注意到您的curl正在使用LibreSSL 而不是 OpenSSL,如您收到的错误消息所示:

  

卷曲:(35) LibreSSL SSL_connect:与连接的SSL_ERROR_SYSCALL   本地主机:6984

当你尝试openssl时:

$ openssl s_client -connect localhost:6984

您收到此错误:

  

CONNECTED(00000005)140736008328136:错误:140790E5:SSL   例程:SSL23_WRITE:ssl握手   失败:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/ssl/s23_lib.c:124:

你能告诉我这个命令的输出:

$ openssl s_client -tls1 -connect localhost:6984

此外,可能会推断出问题的原因是您的macre默认版本的LibreSSL / OpenSSL。要解决此问题,请尝试安装brew版本的OpenSSL并再次运行此命令,并报告输出:

$ path/to/brew/version/of/openssl s_client -connect localhost:6984

另外请发布此输出:

$ path/to/brew/version/of/openssl s_client -tls1 -connect localhost:6984

根据您报告的输出,请尝试以下命令,看看它是否有效:

$ curl -k --tlsv1 https://localhost:6984

答案 1 :(得分:0)

如果您的SSL证书是自签名的:

您没有显示curl命令,但我猜您使用-k选项,但您应该:

-k, --insecure
              (TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even  for
              server connections otherwise considered insecure.
相关问题
最新问题