【发布时间】:2020-04-05 06:48:26
【问题描述】:
我已经在我的 dns (cloudflare) 上安装了自定义 ssl,当我想检查 openssl s_client -connect www.website.com:443 时,这是我的输出显示。
CONNECTED(00000003)
6870300:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:802:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1586067870
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
但是当我用相同的命令与其他网站比较时,它显示出非常不同
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=*.ssl.hwcdn.net
i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.ssl.hwcdn.net
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6300 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 6189DF5D01CEEF48EE50AF6DD40542D77D083B889A07B8603942BAB5D6579AB4
Session-ID-ctx:
Master-Key: EEE2D439E6CF417D8D932A460EDEA22125676FD139A2DDA1662A415DC959A516FB1AD2D01778C3CD30521B23013A81B2
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 43200 (seconds)
TLS session ticket:
0000 - ea 64 d2 dc 93 ae 32 b9-c5 80 e5 8c f1 98 8d 60 .d....2........`
0010 - 27 f1 af 82 96 4b 30 a7-db c5 ed 28 9a 5a fa 31 '....K0....(.Z.1
0020 - b7 1f 58 f8 46 72 c7 b2-90 1f fc 85 a4 25 dc 3d ..X.Fr.......%.=
0030 - b2 70 8d 6d 71 fa fc d1-88 33 fd 01 24 31 3c a4 .p.mq....3..$1<.
0040 - 6c 0d 00 9f 8f 2c 4e 3a-e5 f2 63 60 f3 0c 64 ef l....,N:..c`..d.
0050 - 44 c5 7e 1b 64 55 bc 89-ea f1 8e 2d 8d 23 f4 d0 D.~.dU.....-.#..
0060 - 0e 63 47 a7 c8 8a 98 b9-ee e6 13 cd ed fe 81 d6 .cG.............
0070 - c1 d4 c3 3c c4 b7 75 57-c7 fb 4b a6 0a 18 f2 76 ...<..uW..K....v
0080 - 6b b7 83 5e d3 bc 72 8b-28 f9 0b 5a 68 2e fb d7 k..^..r.(..Zh...
0090 - 7e 17 fe 1d b5 52 1b fa-31 83 6b ff 9f c0 31 e6 ~....R..1.k...1.
Start Time: 1586068272
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
closed
我还检查了网站 ssl 检查器,它们没有显示任何错误,并且一切都配置正确。但是我很好奇从网站 ssl 检查器到 openssl 连接检查器有什么不同,或者我错过了什么?任何想法 ?谢谢
【问题讨论】:
-
尝试将
-servername添加到将在SNI中发送服务器名称openssl s_client -connect www.website.com:443 -servername www.website.com的命令
标签: ssl openssl ssl-certificate