OpenSSL connection error SSL23_GET_SERVER_HELLO, but browser and curl works

Problem description

I'm dealing with an issue where python can't connect to a specific server over ssl due to openssl not being able to complete the handshake. Curl and my browser work. I've tried a couple of different openssl versions and solutions, but can't seem to connect.

Here is what I've tried on both of the following platforms. The output is printed slightly differently on OpenSSL 1.0.1e, but it's still the same errors.

Mac OSX Yosemite - OpenSSL 0.9.8zg 14 July 2015
Debian GNU/Linux 7 (wheezy) - OpenSSL 1.0.1e 11 Feb 2013

openssl s_client -connect www.uk-recruitment.net:443
openssl s_client -connect www.uk-recruitment.net:443 -cipher 'DEFAULT:!ECDH'
openssl s_client -connect www.uk-recruitment.net:443 -CAfile cacert.pem
openssl s_client -connect www.uk-recruitment.net:443 -CAfile cacert.pem -cipher 'DEFAULT:!ECDH'
openssl s_client -connect www.uk-recruitment.net:443 -CAfile cacert.pem -cipher 'DEFAULT:!ECDH' -servername uk-recruitment.net

but I always get the same result

CONNECTED(00000003)
66716:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_clnt.c:593: 

If I add -tls1, -tls1_1 or -tls1_2 with all the same options, I get a slightly different error:

openssl s_client -connect www.uk-recruitment.net:443 -tls1
CONNECTED(00000003)
66750:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s3_pkt.c:1145:SSL alert number 80
66750:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s3_pkt.c:566:

Recommended answer

The site requires Server Name Indication (SNI) and SSL handshakes not using SNI will cause failure:

$ openssl s_client -connect www.uk-recruitment.net:443
CONNECTED(00000003)
139999237719712:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:

With SNI instead it looks much better:

$ openssl s_client -connect www.uk-recruitment.net:443 -servername www.uk-recruitment.net
CONNECTED(00000003)
...
   Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256

It might be that the -servername option is not available with OpenSSL 0.9.8, but it should be with OpenSSL 1.0.1.
