500 SSL negotiation failed

Problem description

I have a new-onset problem on my Windows XP Pro system, demonstrated by the Perl code below (which is, of course, a very cut down example from a much larger program).

It used to work until a few days ago, and I'm pulling my hair out trying to figure out what might have changed on the system to stop it working, and I'm hoping someone here might be able to give me some clues. (It still works fine on my Windows 8.1 system.)

The issue is that the code below (now) fails with "500 SSL negotiation failed".

use strict;
use warnings;

use HTTP::Request;
use LWP::UserAgent;

$ENV{HTTPS_DEBUG} = 1;

my $url = "https://secure.quksdns4.net:2087/";
my $ua  = LWP::UserAgent->new;
my $req = HTTP::Request->new (GET => $url);
my $res = $ua->request($req);
my $sts = $res->code;
my $hdr = $res->headers_as_string;
my $txt = $res->content;

print "\n".$sts."\n\n".$hdr."\n";
print $txt if ($sts == 500);

exit;

Output is:

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server hello A
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:error in SSLv2 read server hello A

500

Content-Type: text/plain
Client-Date: Sat, 25 Oct 2014 14:52:43 GMT
Client-Warning: Internal response

500 SSL negotiation failed:

Curiously however it works (albeit not very usefully!) if the port number (:2087) is removed.

Active Perl v5.8.8 (which I haven't changed in years), ssleay32 & libeay32 dlls are 0.9.8.1 (also unchanged in years), and while there's a few on the system those in C:\Perl\bin are the only ones in the path.

Any hints as to what might have changed to stop the above working gratefully received!

Recommended answer

In short: I guess the peer just disabled SSL 3.0 (at least on port 2087) because of the POODLE attack, and because you are still using really old software on an unsupported OS, you still attempt to connect with SSL 3.0.

It looks like version 0.57 of Crypt::SSLeay (needed for LWP at this time) already used SSLv23 handshakes, which should in theory be compatible with TLS 1.x. This can also be seen in the debug output (SSLv2/v3 write client hello). So I guess that the reasons might be at least one of the following:

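  • You are using a version of OpenSSL which does not support TLS 1.0. You gave the version number as 0.9.8.1, but such a version never existed. Either you mean 0.9.8l, which looks similar (and supports TLS 1.0), or you mean something completely different.
  • They not only removed SSL 3.0 from the peer, but also fixed the ciphers, so that it now requires ciphers which your old OpenSSL does not support yet.
  • Or they require not only TLS 1.0+ but TLS 1.1+. But TLS 1.1 is only supported starting with OpenSSL version 1.0.1.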
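
To read the HTTPS_DEBUG trace from the question the way the answer does, the following added example (not part of the original question or answer) splits it into separate handshake attempts and reports which hello type drew an explicit fatal alert from the server. The function names `summarize` and `server_refused` are hypothetical, and the embedded trace is copied from the question as sample input.

```python
import re

# Sample input: the HTTPS_DEBUG trace quoted in the question above.
TRACE = """\
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server hello A
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:error in SSLv2 read server hello A
"""

START = "SSL_connect:before/connect initialization"
HELLO = re.compile(r"^SSL_connect:(SSLv\S+) write client hello")
ALERT = re.compile(r"^SSL3 alert read:(\w+):(.+)$")
FAIL = re.compile(r"^SSL_connect:(?:error|failed) in SSLv\S+ read server hello")

def summarize(trace):
    """Split the trace into handshake attempts and record how each ended."""
    attempts = []
    for line in (l.strip() for l in trace.splitlines()):
        if line == START:
            attempts.append({"hello": None, "alert": None, "outcome": "incomplete"})
        elif not attempts:
            continue  # ignore anything before the first attempt starts
        elif m := HELLO.match(line):
            attempts[-1]["hello"] = m.group(1)
        elif m := ALERT.match(line):
            attempts[-1]["alert"] = f"{m.group(1)}:{m.group(2)}"
        elif FAIL.match(line):
            cur = attempts[-1]
            # An alert means the peer answered and refused; otherwise the
            # client simply could not read a server hello it understood.
            cur["outcome"] = "rejected by alert" if cur["alert"] else "no usable server hello"
    return attempts

def server_refused(attempts, hello):
    """True if the peer answered this hello type with a fatal alert."""
    return any(a["hello"] == hello and (a["alert"] or "").startswith("fatal")
               for a in attempts)

if __name__ == "__main__":
    for n, a in enumerate(summarize(TRACE), 1):
        print(n, a["hello"], a["outcome"], a["alert"] or "-")
```

On the trace from the question, only the plain SSLv3 hello is answered with a fatal handshake failure alert; the SSLv2/v3 and SSLv2 attempts end with a read error and no alert.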
