Ruby SSL 握手未收到服务器问候 - 使用代理 Net::HTTP [英] Ruby SSL handshake not receiving Server Hello back - using proxy Net::HTTP

问题描述

我正在使用 Ruby SSL 双向身份验证连接到外部 API.

I am connecting to an external API using Ruby SSL two way authentication.

我的最新脚本在这里:

namespace :rnif_message do
  # With Proxy
  task send_test_index: :environment do
  our_cert         = File.read(File.join(Rails.root, 'ssl', 'invoice', 'test', 'cert20190116_ourcert.der'))
  their_test_cert  = File.read(File.join(Rails.root, 'ssl', 'invoice', 'test', 'testcert2016_theircert.der'))


  cert_store = OpenSSL::X509::Store.new
  # Contains their intermediate CA files
  cert_store.add_path File.join(Rails.root, 'ssl', 'invoice', 'test', 'ca')
  cert_store.add_cert  OpenSSL::X509::Certificate.new(their_test_cert)

  uri = URI("https://xml.digital.com/wm.rn/receive")

  proxy_host = "us-static-02.qg.com"
  proxy_port = "port"
  proxy_user = "user"
  proxy_pass = "pass"

  proxy_request = Net::HTTP.new(uri.hostname, '443', proxy_host, proxy_port, proxy_user, proxy_pass)

  proxy_request.verify_mode = OpenSSL::SSL::VERIFY_PEER
  proxy_request.use_ssl = true
  proxy_request.ssl_version = :TLSv1_2
  proxy_request.ciphers = ["AES256-SHA:AES128-SHA:DES-CBC3-SHA"]

  proxy_request.cert = OpenSSL::X509::Certificate.new(our_cert)
  proxy_request.cert_store = cert_store

  post_request = Net::HTTP::Post.new(uri)

  response = proxy_request.request(post_request)
end

回复(因为我更新了密码)现在是

Response back (since I updated the ciphers) is now

而不是我前两个问题中较旧的

Instead of the older from my two previous questions

 # /Users/me/projects/proj/lib/tasks/rnif_message_builder.rake:217:in `block (2 levels) in <top (required)>'

这是我最新的wireshark

Here is my latest wireshark

在我的服务器配置上的证书和 IP 的初始配置中，我可能给了他们错误的 IP 地址，所以我可能会被他们的防火墙阻止.有没有办法使用 openssl s_client 我可以测试这个?

In the initial configuration of my certificate and IP on THEIR server configuration, I may have given them the wrong IP address, so I may be getting blocked by their firewall. Is there ways using openssl s_client I can test this?

到目前为止我一直在尝试

So far i've been trying

openssl s_client -showcerts -connect xml.digitaloilfield.com:https

但是我对使用 openssl s_client 不是很熟悉

But I am not very familiar with using openssl s_client

任何有关故障排除的帮助将不胜感激！

Any help on troubleshooting this would be greatly appreciated!

更新

非常感谢您到目前为止的帮助.我正在试验你发送给我的那些命令，并试图看看我可以从他们那里得到什么信息来帮助我解决这个问题.目前，在他们更改了我的 IP 地址并允许我通过防火墙后，我得到了这个

Thanks you very much for your help so far. I am experimenting with those commands you sent me and trying to see what info I can get from them to help me with this. Currently, after they changed my IP address and allowed me through the firewall, I am getting this

 EOFError: end of file reached /Users/me/projects/xtiri/xtiri.com/lib/tasks/rnif_message_builder.rake:219:in `block (2 levels) in <top (required)>'

推荐答案

这通常会连接到几乎所有服务器.它使用 TLS 1.2 和 SNI.这应该建立 TCP 连接并开始 TLS 握手.握手可能会在稍后失败，但这是一个不同的问题.

This will usually connect to nearly all servers. It uses TLS 1.2 and SNI. That should establish the TCP connection and start the TLS handshake. The handshake may fail later, but that's a different problem.

$ openssl s_client -connect xml.digitaloilfield.com:443 -tls1_2 \
    -servername xml.digitaloilfield.com -debug
<hang>
connect: Connection timed out
connect:errno=110

然而，当 s_client 挂起时，跳转到另一个终端并发出:

However, while s_client is hanging, jump over to another terminal and issue:

$ sudo netstat -a | grep openssl
$ 

Netstat 不会向您显示 SYN_SEND 状态，因此请使用 tcptrack:

Netstat does not show you the SYN_SEND state, so use tcptrack:

$ sudo tcptrack -i eth0
# <next, use s_client>

172.16.2.4:43302      208.38.22.37:443      SYN_SENT     15s    0 B/s

您在 TCP 的等待计时器中.对方没有和你进行三次握手.事实上，他们没有承认你的SYN.可能有几个原因，但是...

You are in TCP's wait timer. The other side did not perform the three-way handshake with you. In fact, they did not acknowledge your SYN. There could be a few reasons for it, but ...

鉴于目标，您似乎遇到了防火墙.不是拒绝连接，而是丢弃连接.它有时被称为隐形模式"；它使它看起来机器上没有运行服务器.这与 OpenSSL 的 connect: Connection timed out 消息一致.

Given the target, it looks like you encountered a firewall. Rather than Reject'ing connections, it is Drop'ing connections. Its sometimes called "Stealth Mode"; it makes it appear there's no server running on the machine. That's consistent with OpenSSL's connect: Connection timed out message.

问题可能出在代理上.你真的想从那里运行测试，但你可能无法做到.可能是您正在使用远程站点指定的密码、协议和端口；但代理正在做自己的事情.另请参阅 Jarmock 的 SSL 拦截代理和传递信任.

The problem could be with the proxy. You really want to run the tests from there, but you probably won't be able to. It could be you are using the ciphers, protocols and ports as specified by the remote site; but the proxy is doing its own thing. Also see Jarmock's SSL Interception Proxies and Transitive Trust.

这里有几个参考:

• 如何监控应用的网络连接
• 在 iptables 中设置 -j REJECT 还是 -j DROP 更好?
• TCP 3 次握手，位于 Wireshark Wiki

• How can I monitor network connections for an app
• Is it better to set -j REJECT or -j DROP in iptables?
• TCP 3-way handshake on the Wireshark Wiki

这篇关于Ruby SSL 握手未收到服务器问候 - 使用代理 Net::HTTP的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！