用于检查服务器是否提供证书的 OpenSSL 命令 [英] OpenSSL Command to check if a server is presenting a certificate
问题描述
我正在尝试运行 openssl 命令以缩小在尝试从我们的系统发送出站消息时可能出现的 SSL 问题.
I'm trying to run an openssl command to narrow down what the SSL issue might be when trying to send an outbound message from our system.
我在另一个主题中发现了这个命令:使用 openssl从服务器获取证书
I found this command in another topic: Using openssl to get the certificate from a server
openssl s_client -connect ip:port -prexit
这个结果的输出
CONNECTED(00000003)
15841:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
这是否意味着服务器没有提供任何证书?我在不同的 ip:port 上尝试了其他系统,它们成功地提供了证书.
Does this mean the server isn't presenting any certificate? I tried other systems on a different ip:port and they present a certificate successfully.
相互认证会影响这个带有 -prexit 的命令吗?
Does mutual authentication affect this command with -prexit?
--更新--
我再次运行命令
openssl s_client -connect ip:port -prexit
我现在收到这个回复
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
我在命令中添加了 -ssl3
I added -ssl3 to the command
openssl s_client -connect ip:port -prexit -ssl3
回复:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
Start Time: 1403907236
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
也在尝试 -tls1
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
Start Time: 1403907267
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
推荐答案
我今天调试了一个 SSL 问题,它导致了同样的 write:errno=104
错误.最终我发现这种行为的原因是服务器需要 SNI(servername
TLS 扩展)才能正常工作.向 openssl 提供 -servername
选项使其连接成功:
I was debugging an SSL issue today which resulted in the same write:errno=104
error. Eventually I found out that the reason for this behaviour was that the server required SNI (servername
TLS extensions) to work correctly. Supplying the -servername
option to openssl made it connect successfully:
openssl s_client -connect domain.tld:443 -servername domain.tld
希望这会有所帮助.
这篇关于用于检查服务器是否提供证书的 OpenSSL 命令的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!