ERR_SSL_VERSION_OR_CIPHER_MISMATCH with node v7.9.0 https


Problem description

This code creates an https server in node v7.9.0 (the version Electron currently uses), and listens on port 8000:

require('https').createServer(
  {},
  (req, res) => {
    res.writeHead(200);
    res.end('hello world\n');
  }
).listen(8000);

Unfortunately, when I visit https://localhost:8000 in Chrome with the server running, I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH. How do I get past this error? How do I find out which ciphers the server is making available and which protocol it is using (hopefully the newest version of TLS)?

EDIT This error also occurs on node v8.5.0, the newest stable version of Node at time of writing

Recommended answer

Late but: normally an SSL/TLS server including an HTTPS server needs a privatekey and (matching) certificate or chain to use for the publickey algorithms in the SSL/TLS handshake. See How to create an HTTPS server in Node.js? for examples.

Technically there are some 'anonymous' key-exchange mechanisms defined in the protocol that do not need a key&cert, but they are widely considered not adequately secure, and are disabled in OpenSSL (and thus nodejs) by default. There are also some key-exchange mechanisms using non-publickey algorithms like PSK, SRP, Kerberos, but they are much more difficult to use and require special configuration that I don't believe can be done with nodejs (and you certainly didn't do).

Thus without a key&cert, and without the anonymous or other special key-exchanges enabled, the set of ciphersuites supported by the server is the empty set with no elements -- and every connection attempt you make fails because the empty set never has a nonempty intersection with the set of ciphersuites offered by the client(s).

I think you can still find out which protocol version(s) it supports by looking at the version of the alert returned for different ClientHello versions, but I'm not sure what good this would do. In any case OpenSSL has supported TLS 1.0 through 1.2 since OpenSSL 1.0.1 released in 2012, and even nodejs 7.9.0 is quite a bit newer than 2012. OpenSSL also supports SSLv3 but in recent versions it is disabled or excluded from the build by default; if your version still includes it you should not use it because the POODLE attack breaks it. (This would normally occur only if you use a very old client that is capable only of SSLv3 and not any TLS, so don't use such clients.) Actually OpenSSL below 1.1.0 'supports' SSLv2 in that the code is still present, but the default configuration disables it; SSLv2 has long been broken and prohibited and you should definitely not use it.

As of Sep. 2018, OpenSSL 1.1.1 is released and supports TLS 1.3 as well. I don't know if/when nodejs uses/supports this.
