OpenSSL Command to check if a server is presenting a certificate

Views: 675

Question

I'm trying to run an openssl command to narrow down what the SSL issue might be when trying to send an outbound message from our system.

I found this command in another topic: Using openssl to get the certificate from a server

openssl s_client -connect ip:port -prexit

This outputs:

CONNECTED(00000003)
15841:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Does this mean the server isn't presenting any certificate? I tried other systems on a different ip:port and they present a certificate successfully.

Does mutual authentication affect this command with -prexit?

- UPDATE -

I ran the command again

openssl s_client -connect ip:port -prexit

I now get this response

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

I added -ssl3 to the command

openssl s_client -connect ip:port -prexit -ssl3

Response:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1403907236
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Also tried -tls1

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1403907267
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Answer

I was debugging an SSL issue today which resulted in the same write:errno=104 error. Eventually I found out that the reason for this behaviour was that the server required SNI (servername TLS extensions) to work correctly. Supplying the -servername option to openssl made it connect successfully:

openssl s_client -connect domain.tld:443 -servername domain.tld

Hope this helps.
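A small sh probe, added here as an example and not part of the question or the answer above, that classifies `openssl s_client` output and tries a host first without and then with `-servername`, the two commands compared on this page. It assumes only that `openssl` is on PATH; HOST and PORT are whatever server you are debugging, and the sample outputs are constructed from the shape of the ones quoted above.

```shell
# Added example, not from the original question or answer. Assumes only that
# `openssl` is on PATH; HOST and PORT are whatever server you are debugging.

# Read s_client output on stdin and print a one-word verdict: presented
# (a certificate chain was received), none ("no peer certificate available")
# or unknown. "Verify return code: 0 (ok)" appears even when no certificate
# came back (see the -ssl3/-tls1 output above), so it is deliberately ignored.
classify_s_client_output() {
    out=$(cat)
    case "$out" in
        *"-----BEGIN CERTIFICATE-----"*) echo presented ;;
        *"no peer certificate available"*) echo none ;;
        *) echo unknown ;;
    esac
}

# Print the first low-level error line (write:errno=..., handshake failure)
# so a "none" verdict can be reported together with its cause.
s_client_error_line() {
    awk '/write:errno=|handshake failure/ { print; exit }'
}

# Probe HOST:PORT without SNI and then with -servername HOST, the two
# commands compared on this page. </dev/null stops s_client from waiting on
# stdin; 2>&1 keeps errors such as write:errno=104 in the captured text.
probe_with_and_without_sni() {
    host=$1; port=${2:-443}
    for mode in no-sni sni; do
        sni=""; [ "$mode" = sni ] && sni="-servername $host"
        out=$(openssl s_client -connect "$host:$port" $sni </dev/null 2>&1 || true)
        printf '%-7s %-9s %s\n' "$mode" "$(printf '%s\n' "$out" | classify_s_client_output)" \
            "$(printf '%s\n' "$out" | s_client_error_line)"
    done
}

# Constructed samples shaped like the outputs quoted on this page.
SAMPLE_NO_CERT='CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
Verify return code: 0 (ok)'
SAMPLE_WITH_CERT='Certificate chain
 0 s:/CN=domain.tld
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----'

if [ "$#" -ge 1 ]; then probe_with_and_without_sni "$@"; fi
```

Run it as `sh probe.sh domain.tld 443`; a server that needs SNI shows `none` with `write:errno=104` on the no-sni line and `presented` on the sni line.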

