OpenSSL hangs when using TLS 1.2 or lower

Time: 2020-10-09 15:04:03

Tags: linux curl openssl tls1.2

I am trying to download from a website that enforces TLS version 1.2 (files.pythonhosted.org), and it gets stuck after the handshake.

Here is what happens, using google.com as an example:

$ curl -vvv --tlsv1.2 --tls-max 1.2 --ipv4 https://google.com:443
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

From this point on I cannot do anything at all, not even CTRL+C works.

If I use TLS 1.3, everything works fine:

$ curl -vvv --tlsv1.3 --tls-max 1.3 --ipv4 https://google.com:443
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.69.1
> Accept: */*
...

After some digging, I tried a few commands I found online, but they all get stuck as well:

$ openssl s_client -connect files.pythonhosted.org:443  -showcerts
CONNECTED(00000004)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Fastly, Inc", CN = r.ssl.fastly.net
verify return:1

I am not at all comfortable with the TLS protocol, and I am working on a Linux build on Yocto where I have no help whatsoever, so debugging this is hard for me... Do you have any idea what is going on here?

Thanks!

Edit 1

Here is the last command with more debug information. I get stuck at the very end of this:

# openssl s_client -connect files.pythonhosted.org:443  -showcerts -debug -state
CONNECTED(00000004)
SSL_connect:before SSL initialization
write to 0x7cc6f70 [0x7cd57f0] (324 bytes => 324 (0x144))
0000 - 16 03 01 01 3f 01 00 01-3b 03 03 c0 0b d1 75 04   ....?...;.....u.
...                                  .r.-
SSL_connect:SSLv3/TLS write client hello
read from 0x7cc6f70 [0x7ccc553] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 45                                    ....E
read from 0x7cc6f70 [0x7ccc558] (69 bytes => 69 (0x45))
0000 - 02 00 00 41 03 03 12 a4-c6 8e 7a 35 64 94 31 18   ...A......z5d.1.
...
SSL_connect:SSLv3/TLS write client hello
read from 0x7cc6f70 [0x7ccc553] (5 bytes => 5 (0x5))
0000 - 16 03 03 0d e3                                    .....
read from 0x7cc6f70 [0x7ccc558] (3555 bytes => 3555 (0xDE3))
0000 - 0b 00 0d df 00 0d dc 00-09 47 30 82 09 43 30 82   .........G0..C0.
...
SSL_connect:SSLv3/TLS read server hello
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Fastly, Inc", CN = r.ssl.fastly.net
verify return:1
read from 0x7cc6f70 [0x7ccc553] (5 bytes => 5 (0x5))
0000 - 16 03 03 01 2c                                    ....,
read from 0x7cc6f70 [0x7ccc558] (300 bytes => 300 (0x12C))
0000 - 0c 00 01 28 03 00 1d 20-3b 9a 1d 4d ed f2 14 45   ...(... ;..M...E
...
SSL_connect:SSLv3/TLS read server certificate
read from 0x7cc6f70 [0x7ccc553] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 04                                    .....
read from 0x7cc6f70 [0x7ccc558] (4 bytes => 4 (0x4))
0000 - 0e 00 00 00                                       ....
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done

Edit 2

From what I understand of the debug trace above, the client does not even send the certificate key.
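The server's flight in the -debug trace above, decoded by a small parser added here as an example (not code from the question or from OpenSSL): it splits the dumped bytes into TLS records, names the handshake messages in them, and reads the ECDHE parameters out of the ServerKeyExchange. The record headers and the leading body bytes are the ones printed in the trace; the elided remainders are zero-filled, which is an assumption made only so the lengths add up.

```python
import struct
# Constants from RFC 5246 / RFC 8422, only as far as needed to read an s_client -debug trace.
CONTENT = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate", 12: "server_key_exchange",
             14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
VERSION = {(3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}
CURVES = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001d: "x25519"}

def parse_records(data: bytes):
    """Split a raw byte stream into TLS records and name the handshake messages they carry."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record body: want {length}, have {len(body)}")
        pos += 5 + length
        msgs = []
        if ctype == 0x16:  # handshake record: 1-byte type + 3-byte length per message
            p = 0
            while p < len(body):
                htype, hlen = body[p], int.from_bytes(body[p + 1:p + 4], "big")
                msgs.append((HANDSHAKE.get(htype, f"unknown({htype})"), body[p + 4:p + 4 + hlen]))
                p += 4 + hlen
        records.append((CONTENT.get(ctype, f"unknown({ctype})"), VERSION.get((major, minor)), msgs))
    return records

def handshake_names(data: bytes):
    """Flat list of handshake message names in the order the peer sent them."""
    return [name for _, _, msgs in parse_records(data) for name, _ in msgs]

def ecdhe_params(ske_body: bytes):
    """Decode the ECDHE ServerKeyExchange params: (named curve, public point length)."""
    if ske_body[0] != 3:  # curve_type 3 == named_curve
        raise ValueError("not a named_curve ServerKeyExchange")
    curve = int.from_bytes(ske_body[1:3], "big")
    return CURVES.get(curve, f"unknown({curve:#06x})"), ske_body[3]

def _rec(header_hex: str, body_prefix_hex: str) -> bytes:
    """Rebuild one record from the trace: header plus the dumped prefix, zero-padded to length (assumption)."""
    hdr, body = bytes.fromhex(header_hex), bytes.fromhex(body_prefix_hex)
    return hdr + body + b"\x00" * (int.from_bytes(hdr[3:5], "big") - len(body))

# Constructed from the first bytes of each record in the question's -debug output.
SERVER_FLIGHT = (_rec("16 03 03 00 45", "02 00 00 41 03 03 12 a4 c6 8e 7a 35 64 94 31 18")
                 + _rec("16 03 03 0d e3", "0b 00 0d df 00 0d dc 00 09 47 30 82 09 43 30 82")
                 + _rec("16 03 03 01 2c", "0c 00 01 28 03 00 1d 20 3b 9a 1d 4d ed f2 14 45")
                 + _rec("16 03 03 00 04", "0e 00 00 00"))
```

handshake_names(SERVER_FLIGHT) gives server_hello, certificate, server_key_exchange, server_hello_done, i.e. a complete TLS 1.2 server flight whose only required reply is the client's ClientKeyExchange, and the trace shows no write after that point.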

0 answers:

No answers