无法建立 SSL 连接，如何修复我的 SSL 证书? [英] Unable to establish SSL connection, how do I fix my SSL cert?

问题描述

我正在尝试 wget 到我自己的盒子，但它不能是 wget 中的内部地址(另一个开发者说).

I'm trying to wget to my own box, and it can't be an internal address in the wget (so says another developer).

当我 wget 时，我得到了这个:

When I wget, I get this:

wget http://example.com
--2013-03-01 15:03:30--  http://example.com/
Resolving example.com... 172.20.0.224
Connecting to example.com|172.20.0.224|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.example.com/ [following]
--2013-03-01 15:03:30--  https://www.example.com/
Resolving www.example.com... 172.20.0.224
Connecting to www.example.com|172.20.0.224|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

我相信这是因为我没有正确设置证书.使用 openssl:

I believe it is because I do not have the certificate setup properly. Using openssl:

openssl s_client -connect example.com:443
CONNECTED(00000003)
15586:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

虽然如果我在另一个站点上执行相同的命令，它会显示整个证书.

While if I do the same command on another site, it shows the entire cert.

也许从未在 Apache 上的 conf 文件中为该域设置 ssl 证书?

Perhaps the ssl cert was never setup in the conf file on Apache for that domain?

如果是这样，我应该在虚拟主机中指定什么?除了指定 --no-check-certificate 之外还有其他选择吗?

If so, what should I be specifying in the virtualhost? Is there any alternative other than specifying --no-check-certificate because I don't want to do that?

推荐答案

SSL23_GET_SERVER_HELLO:未知协议

SSL23_GET_SERVER_HELLO:unknown protocol

当 OpenSSL 在它从服务器理解的协议版本中接收到除 ServerHello 之外的其他内容时，会发生此错误.如果服务器使用纯(未加密)HTTP 进行响应，就会发生这种情况.如果服务器仅支持例如TLS 1.2 和客户端不了解该协议版本.通常，服务器至少向后兼容 SSL 3.0/TLS 1.0，但也许这个特定的服务器不是(通过实现或配置).

This error happens when OpenSSL receives something other than a ServerHello in a protocol version it understands from the server. It can happen if the server answers with a plain (unencrypted) HTTP. It can also happen if the server only supports e.g. TLS 1.2 and the client does not understand that protocol version. Normally, servers are backwards compatible to at least SSL 3.0 / TLS 1.0, but maybe this specific server isn't (by implementation or configuration).

不清楚您是否尝试通过 --no-check-certificate.如果这行得通，我会感到相当惊讶.

It is unclear whether you attempted to pass --no-check-certificate or not. I would be rather surprised if that would work.

一个简单的测试是使用 wget(或浏览器)请求 http://example.com:443(注意 http://，而不是 https://);如果它工作，SSL 没有在端口 443 上启用.要进一步调试这个，使用 openssl s_client 和 -debug 选项，在错误消息转储前几个OpenSSL 无法解析的服务器响应的字节数.这可能有助于识别问题，尤其是在服务器没有以 ServerHello 消息进行响应的情况下.要查看 OpenSSL 的确切期望，请检查源:在 ssl/s23_clnt.c 中查找 SSL_R_UNKNOWN_PROTOCOL.

A simple test is to use wget (or a browser) to request http://example.com:443 (note the http://, not https://); if it works, SSL is not enabled on port 443. To further debug this, use openssl s_client with the -debug option, which right before the error message dumps the first few bytes of the server response which OpenSSL was unable to parse. This may help to identify the problem, especially if the server does not answer with a ServerHello message. To see what exactly OpenSSL is expecting, check the source: look for SSL_R_UNKNOWN_PROTOCOL in ssl/s23_clnt.c.

无论如何，查看 apache 错误日志也可能提供一些见解.

In any case, looking at the apache error log may provide some insight too.

这篇关于无法建立 SSL 连接，如何修复我的 SSL 证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！