OpenSSL的SSL :: :: SSLError：所以SSL_connect返回= 1错误号= 0状态=未知状态：未知协议 [英] OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: unknown protocol

问题描述

我跟着就这个问题他们与非帮助了很多帖子。 我想用最简单的IRB命令连接：

 要求开放-URI
开（'https://aristo4stu3.bgu.ac.il）
 

奇怪的是，对于任何其它HTTPS URI我试过了，它工作得很好（即 https://google.com ）。

有关调试的目的，我甚至尝试使用禁用SSL验证：

 的OpenSSL :: SSL :: VERIFY_PEER =的OpenSSL :: SSL :: VERIFY_NONE
 

这并不似乎帮助的。

我的设置是（在AWS）：

  $ RVM -v

RVM 1.21.3（稳定）由韦恩·E. Seguin的＆LT; wayneeseguin@gmail.com> ;,米哈尔Papis＆LT; mpapis@gmail.com> [https://rvm.io/]

$红宝石-v
红宝石2.0.0p247（2013年6月27日修订41674）的x86_64-linux的]

$ lsb_release -a
没有LSB模块可用。
发行编号：Ubuntu的
说明：Ubuntu的13.04
发布：13.04
codeNAME：铆足了劲
 

完善的日志：

  2.0.0-P247：001〕需要开放-URI
 =＆GT;真正
2.0.0-P247：002＆GT;开（'https://aristo4stu3.bgu.ac.il）
OpenSSL的SSL :: :: SSLError：所以SSL_connect返回= 1错误号= 0状态=未知状态：（空）
    从/home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in'连接'
    从/home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in`块连接
    从/home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in'超时'
    从/home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in'连接'
    从/home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in`do_start
    从/home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in'开始'
    从/home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:313:in`open_http
    从/home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:708:in`buffer_open
    从/home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:210:in`块open_loop
    从/home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:208:in'抓'
    从/home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:208:in`open_loop
    从/home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:149:in`open_uri
    从/home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:688:in'开放'
    从/home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:34:in'开放'
    从（IRB）：2
    从/home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/bin/irb:16:in`＆lt;主＆GT;
 

解决方案

这个问题似乎是，你的目标网站， aristo4stu3.bgu.ac.il ，是挑剔关于SSL / TLS握手。我有两个不同的结果与不同版本的OpenSSL以下OpenSSL的命令：

  OpenSSL的s_client -connect aristo4stu3.bgu.ac.il:443
 

这也跟在OS X 10.7.5股票的OpenSSL 0.9.8x。但是，它的不可以连接使用OpenSSL 1.0.1e - 在这种情况下，服务器只是关闭连接（通过发送关闭通知警告）收到客户端后立刻你好

余捕获Wireshark的数据包，和什么之间这两个版本发送的不同之处在于0.9.8x发送通过TLS 1.0的SSLv2客户端Hello广告支持，而1.0.1e通过TLS 1.2发送的TLSv1客户端Hello广告支持

如果我告诉1.0.1e不使用TLS：

  OpenSSL的s_client -connect aristo4stu3.bgu.ac.il:443 -no_tls1
 

这成功与SSLv3的客户您好广告支持连接通过SSL 3.0。

顺便说一句，我的本地红宝石确实让一个成功的连接开放式的uri 到您的网站：

  $ IRB
＆GT;＆GT;需要开放-URI
=＆GT;真正
＆GT;＆GT;开（'https://aristo4stu3.bgu.ac.il）
=＆GT; ＃＆LT; StringIO的：0x10271fa90＆GT;
＆GT;＆GT;要求的OpenSSL
=＆GT;假
＆GT;＆GT; OpenSSL的:: OPENSSL_VERSION
=＆GT; OpenSSL的0.9.8r 2011年2月8日
＆GT;＆GT;
 

于是表示方法似乎是：

1. 升级服务器处理更多的客户您好变种，或者
2. 在安装使用旧的OpenSSL库，或者红宝石
3. 更改程序发送一个不同的客户你好。

它不会出现在开放式的uri 模块有一个选项可以设置用来通信的SSL / TLS版本。如果不能修改服务器，你可能需要使用不同的模块或库建立连接，或者找到一种方法来修补的OpenSSL 模块，所以它采用了不同的客户你好。

I've followed many posts regarding this issue and non of them helped. I'm trying to connect using simplest irb commands:

require 'open-uri'
open ('https://aristo4stu3.bgu.ac.il')

The weird thing is that for any other https uri I tried, it worked fine (i.e. https://google.com).

For debugging purposes, I even tried to disable SSL verification using:

OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

which didn't seemed to help either.

My setup is (on AWS):

$ rvm -v

rvm 1.21.3 (stable) by Wayne E. Seguin <wayneeseguin@gmail.com>, Michal Papis <mpapis@gmail.com> [https://rvm.io/]

$ ruby -v
ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-linux]

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 13.04
Release:    13.04
Codename:   raring

Complete log:

2.0.0-p247 :001 > require 'open-uri'
 => true 
2.0.0-p247 :002 > open('https://aristo4stu3.bgu.ac.il')
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: (null)
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in `start'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:313:in `open_http'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:708:in `buffer_open'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:210:in `block in open_loop'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:208:in `catch'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:208:in `open_loop'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:149:in `open_uri'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:688:in `open'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:34:in `open'
    from (irb):2
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/bin/irb:16:in `<main>'

解决方案

The problem appears to be that your target site, aristo4stu3.bgu.ac.il, is picky about SSL/TLS handshaking. I got two different results with the following OpenSSL command with different versions of OpenSSL:

openssl s_client -connect aristo4stu3.bgu.ac.il:443

This does connect with the stock OpenSSL 0.9.8x on OS X 10.7.5. However, it does not connect using OpenSSL 1.0.1e - in that case the server just closes the connection (by sending a Close Notify alert) immediately after receiving the Client Hello.

I captured packets with Wireshark, and the difference between what these two versions send is that 0.9.8x is sending an SSLv2 Client Hello advertising support through TLS 1.0, while 1.0.1e is sending a TLSv1 Client Hello advertising support through TLS 1.2.

If I tell 1.0.1e not to use TLS:

openssl s_client -connect aristo4stu3.bgu.ac.il:443 -no_tls1

This connects successfully with an SSLv3 Client Hello advertising support through SSL 3.0.

Incidentally, my local ruby does make a successful connection with open-uri to your site:

$ irb
>> require 'open-uri'
=> true
>> open('https://aristo4stu3.bgu.ac.il')
=> #<StringIO:0x10271fa90>
>> require 'openssl'
=> false
>> OpenSSL::OPENSSL_VERSION
=> "OpenSSL 0.9.8r 8 Feb 2011"
>>

So the indicated approaches seem to be:

1. Upgrade the server to handle more Client Hello variants, or
2. Install a ruby that uses an older OpenSSL library, or
3. Change your program to send a different Client Hello.

It does not appear that the open-uri module has an option to set the SSL/TLS version used to communicate. If you can't modify the server you may need to use a different module or library to establish the connection, or perhaps find a way to patch the openssl module so it uses a different Client Hello.

这篇关于OpenSSL的SSL :: :: SSLError：所以SSL_connect返回= 1错误号= 0状态=未知状态：未知协议的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！