在Ubuntu 14.04 LTS上的wget上无法建立SSL连接 [英] Unable to establish SSL connection upon wget on Ubuntu 14.04 LTS

问题描述

我试图通过wget下载图像，但出现错误:无法建立SSL连接.

I tried to download an image through wget but I got an error: Unable to establish SSL connection.

wget https://www.website.com/image.jpg
--2015-02-26 01:30:17--  https://www.website.com/image.jpg
Resolving www.website.com (www.website.com)... xx.xxx.xx.xx
Connecting to www.website.com (www.website.com)|xx.xxx.xx.xx|:443... connected.
Unable to establish SSL connection.

我的测试用例:

1. 使用Ubuntu 12.04.4 LTS(GNU/Linux 3.8.0-44-通用x86_64)，GNU Wget 1.13.4建立在linux-gnu上，我能够下载映像 使用上面的代码.没错.
2. 使用Ubuntu 14.04 LTS(GNU/Linux 3.13.0-24-通用x86_64)，基于linux-gnu构建的GNU Wget 1.15，我无法下载映像 使用上面的代码.

1. Using Ubuntu 12.04.4 LTS (GNU/Linux 3.8.0-44-generic x86_64), GNU Wget 1.13.4 built on linux-gnu, I was able to download the image using the code above. No error.
2. Using Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64), GNU Wget 1.15 built on linux-gnu, I was not able to download the image using the code above.

另一个变量是www.website.com使用TLS 1.0.我不知道这如何影响wget.但是，如果我从TLS 1.2网站上获取图像，则两个测试用例都不会出现任何ssl连接错误.

Another variable is that the www.website.com uses TLS 1.0. I don't have an idea how this affects wget. But if I wget an image from TLS 1.2 websites I don't get any ssl connection errors from both test cases.

Ubuntu 14.04或wget 1.15与TLS 1.0网站不兼容吗? 我需要安装/下载任何库/软件来启用此连接吗?

Is Ubuntu 14.04 or wget 1.15 not compatible with TLS 1.0 websites? Do I need to install/download any library/software to enable this connection?

推荐答案

...现在，它仅发生在我正在测试的网站上.我不能在这里发布，因为它是机密的.

... right now it happens only to the website I'm testing. I can't post it here because it's confidential.

然后我想它是与TLS1.2不兼容的站点之一.在12.04中使用的openssl在客户端不使用TLS1.2，而在14.04中使用的是TLS1.2，这可能解释了差异.要变通，请尝试显式使用 --secure-protocol=TLSv1.如果这样做没有帮助，请检查是否可以使用openssl s_client -connect ...(可能不是)和openssl s_client -tls1 -no_tls1_1, -no_tls1_2 ...来访问该站点.

Then I guess it is one of the sites which is incompatible with TLS1.2. The openssl as used in 12.04 does not use TLS1.2 on the client side while with 14.04 it uses TLS1.2 which might explain the difference. To work around try to explicitly use --secure-protocol=TLSv1. If this does not help check if you can access the site with openssl s_client -connect ... (probably not) and with openssl s_client -tls1 -no_tls1_1, -no_tls1_2 ....

请注意，这可能是其他原因，但这是最有可能的原因，并且无法访问该网站，无论如何，一切都只是猜测.

Please note that it might be other causes, but this one is the most probable and without getting access to the site everything is just speculation anyway.

详细假定的问题:通常，客户端使用最兼容的握手来访问服务器.这是SSLv23握手，它与较旧的SSL版本兼容，但会宣布客户端支持的最佳TLS版本，以便服务器可以选择最佳版本.在这种情况下，wget会宣布TLS1.2.但是有一些损坏的服务器从未假设过一天会出现像TLS1.2这样的消息，并且如果客户端宣布支持此热门新版本(从2008年开始！)，而不是仅仅以服务器的最佳版本进行响应，它们将拒绝握手.支持.要访问这些损坏的服务器，客户端必须撒谎并声称它仅支持TLS1.0作为最佳版本.

The assumed problem in detail: Usually clients use the most compatible handshake to access a server. This is the SSLv23 handshake which is compatible to older SSL versions but announces the best TLS version the client supports, so that the server can pick the best version. In this case wget would announce TLS1.2. But there are some broken servers which never assumed that one day there would be something like TLS1.2 and which refuse the handshake if the client announces support for this hot new version (from 2008!) instead of just responding with the best version the server supports. To access these broken servers the client has to lie and claim that it only supports TLS1.0 as the best version.

Ubuntu 14.04或wget 1.15与TLS 1.0网站不兼容吗?我需要安装/下载任何库/软件来启用此连接吗?

Is Ubuntu 14.04 or wget 1.15 not compatible with TLS 1.0 websites? Do I need to install/download any library/software to enable this connection?

问题在于服务器，而不是客户端. 大多数浏览器通过重试较低版本来解决这些损坏的服务器.如果第一次连接尝试失败，大多数其他应用程序将永久失败，即它们不会自行降级，而必须通过某些应用程序特定的设置来强制执行另一个版本.

The problem is the server, not the client. Most browsers work around these broken servers by retrying with a lower version. Most other applications fail permanently if the first connection attempt fails, i.e. they don't downgrade by itself and one has to enforce another version by some application specific settings.

这篇关于在Ubuntu 14.04 LTS上的wget上无法建立SSL连接的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！