我目前正面臨一個令我困惑的問題。當我在裝有 RHEL 7 和 OpenSSL 1.0.2k 的機器上使用此命令時:
openssl s_client -connect name.name.somename:9093
我得到了我想要的結果。我可以看到證書、證書鏈等。
CONNECTED(00000003)
depth=1 CN = XXXXXXX
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/CN=*XXXXXXX
i:/CN=XXXXXXX
1 s:/CN=XXXXXXX
i:/CN=XXXXXXX
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
subject=/xxxxxxxxxxxxxxxxxx
issuer=/xxxxxxxxxxxxxxxxxx
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 3294 bytes and written 479 bytes
---
New, TLSv1/SSLv3, Cipher is xxxxxxxxxxxxxxxxxx
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : xxxxxxxxxxxxxxxxxx
Session-ID: xxxxxxxxxxxxxxxxxx
Session-ID-ctx:
Master-Key: xxxxxxxxxxxxxxxxxx
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1638952814
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
但是每當我從運行較新版本 OpenSSL 的機器上嘗試相同的命令時,我都會收到此錯誤:
CONNECTED(00000003)
139685857744704:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 320 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
是否有任何兼容性問題或新版本的一些新命令或組態檔?|
添加所有密碼:
Obtaining cipher list from OpenSSL 1.1.1k 25 Mar 2021.
Testing TLS_AES_256_GCM_SHA384...NO (SSL_CTX_set_cipher_list)
Testing TLS_CHACHA20_POLY1305_SHA256...NO (SSL_CTX_set_cipher_list)
Testing TLS_AES_128_GCM_SHA256...NO (SSL_CTX_set_cipher_list)
Testing ECDHE-ECDSA-AES256-GCM-SHA384...NO (wrong version number)
Testing ECDHE-RSA-AES256-GCM-SHA384...NO (wrong version number)
Testing DHE-DSS-AES256-GCM-SHA384...YES
Testing DHE-RSA-AES256-GCM-SHA384...NO (wrong version number)
Testing ECDHE-ECDSA-CHACHA20-POLY1305...NO (wrong version number)
Testing ECDHE-RSA-CHACHA20-POLY1305...NO (wrong version number)
Testing DHE-RSA-CHACHA20-POLY1305...NO (wrong version number)
Testing ECDHE-ECDSA-AES256-CCM8...NO (wrong version number)
Testing ECDHE-ECDSA-AES256-CCM...NO (wrong version number)
Testing DHE-RSA-AES256-CCM8...NO (wrong version number)
Testing DHE-RSA-AES256-CCM...NO (wrong version number)
Testing ECDHE-ECDSA-ARIA256-GCM-SHA384...NO (wrong version number)
Testing ECDHE-ARIA256-GCM-SHA384...NO (wrong version number)
Testing DHE-DSS-ARIA256-GCM-SHA384...NO (wrong version number)
Testing DHE-RSA-ARIA256-GCM-SHA384...NO (wrong version number)
Testing ADH-AES256-GCM-SHA384...NO (wrong version number)
Testing ECDHE-ECDSA-AES128-GCM-SHA256...NO (wrong version number)
Testing ECDHE-RSA-AES128-GCM-SHA256...NO (wrong version number)
Testing DHE-DSS-AES128-GCM-SHA256...YES
Testing DHE-RSA-AES128-GCM-SHA256...NO (wrong version number)
Testing ECDHE-ECDSA-AES128-CCM8...NO (wrong version number)
Testing ECDHE-ECDSA-AES128-CCM...NO (wrong version number)
Testing DHE-RSA-AES128-CCM8...NO (wrong version number)
Testing DHE-RSA-AES128-CCM...NO (wrong version number)
Testing ECDHE-ECDSA-ARIA128-GCM-SHA256...NO (wrong version number)
Testing ECDHE-ARIA128-GCM-SHA256...NO (wrong version number)
Testing DHE-DSS-ARIA128-GCM-SHA256...NO (wrong version number)
Testing DHE-RSA-ARIA128-GCM-SHA256...NO (wrong version number)
Testing ADH-AES128-GCM-SHA256...NO (wrong version number)
Testing ECDHE-ECDSA-AES256-SHA384...NO (wrong version number)
Testing ECDHE-RSA-AES256-SHA384...NO (wrong version number)
Testing DHE-RSA-AES256-SHA256...NO (wrong version number)
Testing DHE-DSS-AES256-SHA256...YES
Testing ECDHE-ECDSA-CAMELLIA256-SHA384...NO (wrong version number)
Testing ECDHE-RSA-CAMELLIA256-SHA384...NO (wrong version number)
Testing DHE-RSA-CAMELLIA256-SHA256...NO (wrong version number)
Testing DHE-DSS-CAMELLIA256-SHA256...NO (wrong version number)
Testing ADH-AES256-SHA256...NO (wrong version number)
Testing ADH-CAMELLIA256-SHA256...NO (wrong version number)
Testing ECDHE-ECDSA-AES128-SHA256...NO (wrong version number)
Testing ECDHE-RSA-AES128-SHA256...NO (wrong version number)
Testing DHE-RSA-AES128-SHA256...NO (wrong version number)
Testing DHE-DSS-AES128-SHA256...YES
Testing ECDHE-ECDSA-CAMELLIA128-SHA256...NO (wrong version number)
Testing ECDHE-RSA-CAMELLIA128-SHA256...NO (wrong version number)
Testing DHE-RSA-CAMELLIA128-SHA256...NO (wrong version number)
Testing DHE-DSS-CAMELLIA128-SHA256...NO (wrong version number)
Testing ADH-AES128-SHA256...NO (wrong version number)
Testing ADH-CAMELLIA128-SHA256...NO (wrong version number)
Testing ECDHE-ECDSA-AES256-SHA...NO (wrong version number)
Testing ECDHE-RSA-AES256-SHA...NO (wrong version number)
Testing DHE-RSA-AES256-SHA...NO (wrong version number)
Testing DHE-DSS-AES256-SHA...YES
Testing DHE-RSA-CAMELLIA256-SHA...NO (wrong version number)
Testing DHE-DSS-CAMELLIA256-SHA...NO (wrong version number)
Testing AECDH-AES256-SHA...NO (wrong version number)
Testing ADH-AES256-SHA...NO (wrong version number)
Testing ADH-CAMELLIA256-SHA...NO (wrong version number)
Testing ECDHE-ECDSA-AES128-SHA...NO (wrong version number)
Testing ECDHE-RSA-AES128-SHA...NO (wrong version number)
Testing DHE-RSA-AES128-SHA...NO (wrong version number)
Testing DHE-DSS-AES128-SHA...YES
Testing DHE-RSA-SEED-SHA...NO (wrong version number)
Testing DHE-DSS-SEED-SHA...NO (wrong version number)
Testing DHE-RSA-CAMELLIA128-SHA...NO (wrong version number)
Testing DHE-DSS-CAMELLIA128-SHA...NO (wrong version number)
Testing AECDH-AES128-SHA...NO (wrong version number)
Testing ADH-AES128-SHA...NO (wrong version number)
Testing ADH-SEED-SHA...NO (wrong version number)
Testing ADH-CAMELLIA128-SHA...NO (wrong version number)
Testing RSA-PSK-AES256-GCM-SHA384...NO (wrong version number)
Testing DHE-PSK-AES256-GCM-SHA384...NO (wrong version number)
Testing RSA-PSK-CHACHA20-POLY1305...NO (wrong version number)
Testing DHE-PSK-CHACHA20-POLY1305...NO (wrong version number)
Testing ECDHE-PSK-CHACHA20-POLY1305...NO (wrong version number)
Testing DHE-PSK-AES256-CCM8...NO (wrong version number)
Testing DHE-PSK-AES256-CCM...NO (wrong version number)
Testing RSA-PSK-ARIA256-GCM-SHA384...NO (wrong version number)
Testing DHE-PSK-ARIA256-GCM-SHA384...NO (wrong version number)
Testing AES256-GCM-SHA384...NO (wrong version number)
Testing AES256-CCM8...NO (wrong version number)
Testing AES256-CCM...NO (wrong version number)
Testing ARIA256-GCM-SHA384...NO (wrong version number)
Testing PSK-AES256-GCM-SHA384...NO (wrong version number)
Testing PSK-CHACHA20-POLY1305...NO (wrong version number)
Testing PSK-AES256-CCM8...NO (wrong version number)
Testing PSK-AES256-CCM...NO (wrong version number)
Testing PSK-ARIA256-GCM-SHA384...NO (wrong version number)
Testing RSA-PSK-AES128-GCM-SHA256...NO (wrong version number)
Testing DHE-PSK-AES128-GCM-SHA256...NO (wrong version number)
Testing DHE-PSK-AES128-CCM8...NO (wrong version number)
Testing DHE-PSK-AES128-CCM...NO (wrong version number)
Testing RSA-PSK-ARIA128-GCM-SHA256...NO (wrong version number)
Testing DHE-PSK-ARIA128-GCM-SHA256...NO (wrong version number)
Testing AES128-GCM-SHA256...NO (wrong version number)
Testing AES128-CCM8...NO (wrong version number)
Testing AES128-CCM...NO (wrong version number)
Testing ARIA128-GCM-SHA256...NO (wrong version number)
Testing PSK-AES128-GCM-SHA256...NO (wrong version number)
Testing PSK-AES128-CCM8...NO (wrong version number)
Testing PSK-AES128-CCM...NO (wrong version number)
Testing PSK-ARIA128-GCM-SHA256...NO (wrong version number)
Testing AES256-SHA256...NO (wrong version number)
Testing CAMELLIA256-SHA256...NO (wrong version number)
Testing AES128-SHA256...NO (wrong version number)
Testing CAMELLIA128-SHA256...NO (wrong version number)
Testing ECDHE-PSK-AES256-CBC-SHA384...NO (wrong version number)
Testing ECDHE-PSK-AES256-CBC-SHA...NO (wrong version number)
Testing SRP-DSS-AES-256-CBC-SHA...NO (wrong version number)
Testing SRP-RSA-AES-256-CBC-SHA...NO (wrong version number)
Testing SRP-AES-256-CBC-SHA...NO (wrong version number)
Testing RSA-PSK-AES256-CBC-SHA384...NO (wrong version number)
Testing DHE-PSK-AES256-CBC-SHA384...NO (wrong version number)
Testing RSA-PSK-AES256-CBC-SHA...NO (wrong version number)
Testing DHE-PSK-AES256-CBC-SHA...NO (wrong version number)
Testing ECDHE-PSK-CAMELLIA256-SHA384...NO (wrong version number)
Testing RSA-PSK-CAMELLIA256-SHA384...NO (wrong version number)
Testing DHE-PSK-CAMELLIA256-SHA384...NO (wrong version number)
Testing AES256-SHA...NO (wrong version number)
Testing CAMELLIA256-SHA...NO (wrong version number)
Testing PSK-AES256-CBC-SHA384...NO (wrong version number)
Testing PSK-AES256-CBC-SHA...NO (wrong version number)
Testing PSK-CAMELLIA256-SHA384...NO (wrong version number)
Testing ECDHE-PSK-AES128-CBC-SHA256...NO (wrong version number)
Testing ECDHE-PSK-AES128-CBC-SHA...NO (wrong version number)
Testing SRP-DSS-AES-128-CBC-SHA...NO (wrong version number)
Testing SRP-RSA-AES-128-CBC-SHA...NO (wrong version number)
Testing SRP-AES-128-CBC-SHA...NO (wrong version number)
Testing RSA-PSK-AES128-CBC-SHA256...NO (wrong version number)
Testing DHE-PSK-AES128-CBC-SHA256...NO (wrong version number)
Testing RSA-PSK-AES128-CBC-SHA...NO (wrong version number)
Testing DHE-PSK-AES128-CBC-SHA...NO (wrong version number)
Testing ECDHE-PSK-CAMELLIA128-SHA256...NO (wrong version number)
Testing RSA-PSK-CAMELLIA128-SHA256...NO (wrong version number)
Testing DHE-PSK-CAMELLIA128-SHA256...NO (wrong version number)
Testing AES128-SHA...NO (wrong version number)
Testing SEED-SHA...NO (wrong version number)
Testing CAMELLIA128-SHA...NO (wrong version number)
Testing IDEA-CBC-SHA...NO (wrong version number)
Testing PSK-AES128-CBC-SHA256...NO (wrong version number)
Testing PSK-AES128-CBC-SHA...NO (wrong version number)
Testing PSK-CAMELLIA128-SHA256...NO (wrong version number)
Testing ECDHE-ECDSA-NULL-SHA...NO (wrong version number)
Testing ECDHE-RSA-NULL-SHA...NO (wrong version number)
Testing AECDH-NULL-SHA...NO (wrong version number)
Testing NULL-SHA256...NO (wrong version number)
Testing ECDHE-PSK-NULL-SHA384...NO (wrong version number)
Testing ECDHE-PSK-NULL-SHA256...NO (wrong version number)
Testing ECDHE-PSK-NULL-SHA...NO (wrong version number)
Testing RSA-PSK-NULL-SHA384...NO (wrong version number)
Testing RSA-PSK-NULL-SHA256...NO (wrong version number)
Testing DHE-PSK-NULL-SHA384...NO (wrong version number)
Testing DHE-PSK-NULL-SHA256...NO (wrong version number)
Testing RSA-PSK-NULL-SHA...NO (wrong version number)
Testing DHE-PSK-NULL-SHA...NO (wrong version number)
Testing NULL-SHA...NO (wrong version number)
Testing NULL-MD5...NO (wrong version number)
Testing PSK-NULL-SHA384...NO (wrong version number)
Testing PSK-NULL-SHA256...NO (wrong version number)
Testing PSK-NULL-SHA...NO (wrong version number
)
uj5u.com熱心網友回復:
測驗 DHE-DSS-AES256-GCM-SHA384...是
看起來服務器只支持 DSS 密碼,這很不尋常。從更改日志中可以看出,這些密碼已從 OpenSSL 1.1.0 的默認密碼串列中洗掉。這意味著明確需要啟用密碼,即
$ openssl s_client -cipher 'DHE-DSS-AES256-GCM-SHA384' ...
轉載請註明出處,本文鏈接:https://www.uj5u.com/qiye/382250.html
上一篇:當ingress-nginx啟用sslpasstrough時,所有后端是否都受到性能損失的影響?我應該使用單獨的入口嗎?