无法建立SSL连接，如何解决我的SSL证书？ [英] Unable to establish SSL connection, how do I fix my SSL cert?

问题描述

我试图的wget 我自己的盒子，它不能在wget的（所以说，另一个开发者）。

一个内部地址

当我wget的，我得到这样的：

  wget的http://example.com
--2013-03-01 15：03：30-- http://example.com/
解决example.com ... 172.20.0.224
连接到example.com | 172.20.0.224 |：80 ...连接。
发送HTTP请求，正在等待回应... 302找到
地点：https://www.example.com/ [下]
--2013-03-01 15：03：30-- https://www.example.com/
解决www.example.com ... 172.20.0.224
连接到www.example.com | 172.20.0.224 |：443 ...连接。
OpenSSL的：错误：140770FC：SSL例程：SSL23_GET_SERVER_HELLO：未知协议
无法建立SSL连接。
 

我相信这是因为我没有证书正确安装。使用OpenSSL：

 的OpenSSL的s_client.First -connect example.com:443
CONNECTED（00000003）
15586：错误：140770FC：SSL例程：SSL23_GET_SERVER_HELLO：未知协议：s23_clnt.c：588：
 

虽然如果我在其他网站相同的命令，它显示了整个证书。

也许SSL证书从来没有在该域在Apache conf文件设置？

如果是这样，我应该在虚拟主机来指定？难道还有比指定其他任何替代 - 无证书检查，因为我不想这样做。

解决方案

  

SSL23_GET_SERVER_HELLO：未知协议

当OpenSSL的接收从服务器能够理解的协议版本比 ServerHello 其他的东西发生此错误。它可以发生，如果服务器则以纯（未加密）HTTP。它也可以发生，如果服务器只支持例如TLS 1.2和客户端不明白，协议版本。通常情况下，服务器到至少3.0 SSL / TLS 1.0向后兼容，但也许这特定的服务器是不是（按实施或配置）。

目前还不清楚是否试图通过 - 不检查证书与否。我会相当惊讶，如果这是可行的。

一个简单的测试是使用的wget （或浏览器）请求 http://example.com:443 （注意的http：// ，而不是的https：// ）;如果一切正常，SSL未在端口443启用了进一步调试这一点，使用的OpenSSL的s_client.First 与 -debug 选项​​，其中所述错误消息之前权利转储服务器响应的前几个字节其中OpenSSL的无法分析。这可能有助于确定问题，特别是如果服务器不以 ServerHello 消息回答。要知道到底OpenSSL的期待，检查源：寻找 SSL_R_UNKNOWN_PROTOCOL 在 SSL / s23_clnt.c

在任何情况下，看着apache的错误日志可能提供一些见解了。

I'm trying to wget to my own box, and it can't be an internal address in the wget (so says another developer).

When I wget, I get this:

wget http://example.com
--2013-03-01 15:03:30--  http://example.com/
Resolving example.com... 172.20.0.224
Connecting to example.com|172.20.0.224|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.example.com/ [following]
--2013-03-01 15:03:30--  https://www.example.com/
Resolving www.example.com... 172.20.0.224
Connecting to www.example.com|172.20.0.224|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

I believe it is because I do not have the certificate setup properly. Using openssl:

openssl s_client -connect example.com:443
CONNECTED(00000003)
15586:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

While if I do the same command on another site, it shows the entire cert.

Perhaps the ssl cert was never setup in the conf file on Apache for that domain?

If so, what should I be specifying in the virtualhost? Is there any alternative other than specifying --no-certificate-check because I don't want to do that?

解决方案

SSL23_GET_SERVER_HELLO:unknown protocol

This error happens when OpenSSL receives something other than a ServerHello in a protocol version it understands from the server. It can happen if the server answers with a plain (unencrypted) HTTP. It can also happen if the server only supports e.g. TLS 1.2 and the client does not understand that protocol version. Normally, servers are backwards compatible to at least SSL 3.0 / TLS 1.0, but maybe this specific server isn't (by implementation or configuration).

It is unclear whether you attempted to pass --no-check-certificate or not. I would be rather surprised if that would work.

A simple test is to use wget (or a browser) to request http://example.com:443 (note the http://, not https://); if it works, SSL is not enabled on port 443. To further debug this, use openssl s_client with the -debug option, which right before the error message dumps the first few bytes of the server response which OpenSSL was unable to parse. This may help to identify the problem, especially if the server does not answer with a ServerHello message. To see what exactly OpenSSL is expecting, check the source: look for SSL_R_UNKNOWN_PROTOCOL in ssl/s23_clnt.c.

In any case, looking at the apache error log may provide some insight too.

这篇关于无法建立SSL连接，如何解决我的SSL证书？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！