OpenSSL Command to check if a server is presenting a certificate


Question

I'm trying to run an openssl command to narrow down what the SSL issue might be when trying to send an outbound message from our system.

I found this command in another topic: Using openssl to get the certificate from a server

openssl s_client -connect ip:port -prexit

The output of this is:

CONNECTED(00000003)
15841:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Does this mean the server isn't presenting any certificate? I tried other systems on a different ip:port and they present a certificate successfully.

Does mutual authentication affect this command with -prexit?

--Update--

I ran the command again:

openssl s_client -connect ip:port -prexit

I now get this response:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

I added -ssl3 to the command:

openssl s_client -connect ip:port -prexit -ssl3

Response:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1403907236
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Also tried -tls1:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1403907267
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Accepted answer

I was debugging an SSL issue today which resulted in the same write:errno=104 error. Eventually I found out that the reason for this behaviour was that the server required SNI (servername TLS extension) to work correctly. Supplying the -servername option to openssl made it connect successfully:

openssl s_client -connect domain.tld:443 -servername domain.tld

Hope this helps.
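The answer above says the server "required SNI"; what that means on the wire is that the ClientHello openssl sends must carry a server_name extension (type 0) naming the host, and a server that insists on it drops the connection before any ServerHello or certificate is sent. That matches the output in the question: "SSL handshake has read 0 bytes", "no peer certificate available", and write:errno=104, which on Linux is ECONNRESET (the peer reset the TCP connection). Note also that the question connects by ip:port, so there is no hostname for SNI unless -servername supplies one. The following is an added example, not code from the original post: it builds a minimal TLS ClientHello with and without the SNI extension and parses the name back out, the same check an SNI-requiring server performs. The function names build_client_hello and extract_sni and the constant client random are this example's own choices.

```python
import struct

# Constructed example: build a minimal TLS ClientHello record, with or
# without a server_name (SNI) extension, and extract the SNI host_name the
# way a virtual-hosting server would before deciding which certificate to
# present. Function names and sample values are this example's own.

SNI_EXT_TYPE = 0x0000          # extension type for server_name (RFC 6066)
SNI_NAME_TYPE_HOST = 0x00      # name_type host_name


def build_client_hello(server_name=None):
    """Return a TLS record (content type 0x16) carrying a ClientHello.

    With server_name=None the extensions block is omitted entirely, which is
    what a client that was never told a hostname sends (e.g. connecting by
    bare ip:port without -servername).
    """
    client_random = b"\x11" * 32                 # fixed for reproducibility
    cipher_suites = b"\xc0\x2f\xc0\x30"          # ECDHE-RSA-AES128/256-GCM
    body = b"\x03\x03" + client_random           # client_version TLS 1.2
    body += b"\x00"                              # session_id length 0
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                          # compression: null only

    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = bytes([SNI_NAME_TYPE_HOST]) + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions

    # Handshake header: msg_type ClientHello (1) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: handshake (0x16), record version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the SNI extension, or None if absent.

    A server that requires SNI would treat None as a reason to drop the
    connection (the client then sees a TCP reset, errno 104 on Linux).
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                  # skip version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos >= len(body):
        return None                               # no extensions block at all

    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXT_TYPE:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == SNI_NAME_TYPE_HOST:
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    # Mirrors the two openssl invocations: bare -connect vs. -servername.
    for label, hello in (("without -servername", build_client_hello()),
                         ("with -servername", build_client_hello("domain.tld"))):
        print(f"{label}: {len(hello)} bytes, SNI = {extract_sni(hello)!r}")
```

Run it to see that the hello without a server name is shorter and yields no SNI at all, while the one built with "domain.tld" carries the name a strict server needs to pick a certificate. When diagnosing a real endpoint, compare the two openssl commands from the answer in the same way: if the bare -connect form dies with 0 bytes read and -servername succeeds, SNI is the missing piece, not the certificate.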
