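ssl - TLS handshake fails even though cipher suites are in common

Tags: ssl client tls1.2 wolfssl mbedtls

I ran into some problems establishing a secure connection to www.howsmyssl.com/a/check. I am using wolfSSL for the connection, but the handshake always fails (fatal error alert 40). I tried sniffing the network to look at the packets, to see what exactly is sent and which cipher suites are supported, and I saw that, according to the ssllabs test, howsmyssl.com and my client have cipher suites in common. So I really don't know where the error occurs. Here is the client's trace: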

trace

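Here is a link to the ssllabs analysis of www.howsmyssl.com. There you can see that they have cipher suites in common (e.g. 0xc02f), so I think the connection should succeed, or am I missing something?

Edit: Below is the wolfssl debug log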

[0;32mI (6565) openssl_example: OpenSSL demo thread start OK[0m
[0;33mW (6565) openssl_example: Size of long = 4, Size of longlong = 8
[0m
[0;32mI (6565) openssl_example: get target IP address[0m
[0;32mI (6595) openssl_example: OK[0m
[0;32mI (6595) openssl_example: 104.196.190.195[0m
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
[0;32mI (6595) openssl_example: create SSL context ......[0m
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
[0;32mI (6615) openssl_example: OK[0m
wolfSSL Entering wolfSSL_CTX_set_verify
wolfSSL Entering wolfSSL_CTX_load_verify_buffer
Getting into SSL_FILETYPE_PEM if
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
1
   Processed a CA
wolfSSL Entering PemToDer
Couldn't find PEM header
-372
CA Parse failed, no progress in file.
Do not continue search for other certs in file
Processed at least one valid CA. Other stuff OK
[0;32mI (6715) openssl_example: create socket ......[0m
[0;32mI (6725) openssl_example: OK[0m
[0;32mI (6725) openssl_example: bind socket ......[0m
[0;32mI (6735) openssl_example: OK[0m
[0;32mI (6735) openssl_example: socket connect to remote www.howsmyssl.com ......[0m
[0;32mI (6865) openssl_example: OK[0m
[0;32mI (6865) openssl_example: create SSL ......[0m
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
[0;32mI (6865) openssl_example: OK[0m
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
[0;32mI (6885) openssl_example: SSL connected to www.howsmyssl.com port 443 ......[0m
wolfSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
received record layer msg
got ALERT!
Got alert
wolfSSL error occurred, error = 40
wolfSSL error occurred, error = -313
[0;32mI (7065) openssl_example: OK[0m
wolfSSL Entering wolfSSL_get_cipher
wolfSSL Entering SSL_get_current_cipher
wolfSSL Entering SSL_CIPHER_get_name
wolfSSL Entering wolfSSL_get_cipher_name_from_suite
READ USED CIPHERSUITE: NONE
[0;32mI (7085) openssl_example: send https request to www.howsmyssl.com port 443 ......[0m
wolfSSL Entering SSL_write()
handshake not complete, trying to finish
wolfSSL Entering wolfSSL_negotiate
wolfSSL Entering SSL_connect()
ProcessReply retry in error state, not allowed
wolfSSL error occurred, error = -313
wolfSSL Leaving wolfSSL_negotiate, return -1
wolfSSL Leaving SSL_write(), return -1
[0;32mI (7115) openssl_example: failed[0m
wolfSSL Entering SSL_shutdown()
wolfSSL Leaving SSL_shutdown(), return -1
wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
wolfSSL Leaving SSL_free, return 0
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving SSL_CTX_free, return 0
I (14055) wifi: pm start, type:0

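Update: I tried connecting to www.google.com and it succeeded. I made no changes to my code, so I think this is a server issue. However, when I connect to www.howsmyssl.com using mbedtls, the request also succeeds, and after comparing the packets by sniffing the network I can't see any significant differences.

Best answer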

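Just sharing the Client Hello from the client doesn't help here. You need to collect some SSL-related logs. I'm not a wolfssl expert, but it looks like it exposes additional logs when you compile it with --enable-debug. I referred to this: WolfSSL - SSL Alert fatal error

Cipher suites are not the only thing that can go wrong. If the server expects a certain TLS extension to be present in the Client Hello in a certain format and it is not accepted, the server can terminate the handshake in that case as well.

See this thread for reference: SSL handshake_failure after clientHello

Without debug logs, it's like shooting in the dark.

Update:

So these are the errors in the log: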

wolfSSL error occurred, error = 40
wolfSSL error occurred, error = -313

313 means the server did not like one of the following things sent by the client:

  • Cipher suites
  • TLS extensions

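Since you have already specified the supported curves, you could try enabling the static key cipher suites. These seem to be disabled by default in WolfSSL. WolfSSL - Supported Cipher Suites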
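The question compares a failing wolfSSL hello with a working mbedtls one by eye, and the answer points at TLS extensions as the other thing a server can reject. The following is an added example, not code from the original post or from either library: it parses two ClientHello records and reports which extensions the working client sends that the failing one does not. The function names and both sample hellos are constructed for illustration and assume a complete, unfragmented ClientHello in one record.

```python
import struct

# Extension type numbers as assigned in the IANA TLS ExtensionType registry.
EXT_NAMES = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
             13: "signature_algorithms", 35: "session_ticket"}

def parse_client_hello(rec: bytes) -> dict:
    """Parse one TLS record that holds a complete ClientHello."""
    if len(rec) < 9 or rec[0] != 22 or rec[5] != 1:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = rec[9:9 + int.from_bytes(rec[6:9], "big")]
    pos = 2 + 32                          # skip client_version and random
    pos += 1 + body[pos]                  # skip session_id
    n = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                  # skip compression_methods
    exts = []
    if pos < len(body):                   # the extensions block is optional
        ext_len = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, pos)
            exts.append(etype)
            pos += 4 + elen
    return {"suites": suites, "extensions": exts}

def compare(failing: dict, working: dict) -> dict:
    """Shared suites, plus extensions only the working hello carries."""
    return {"common_suites": [hex(s) for s in failing["suites"] if s in working["suites"]],
            "missing_extensions": [EXT_NAMES.get(e, f"ext_{e}") for e in working["extensions"]
                                   if e not in failing["extensions"]]}

def build_hello(suites, exts):
    """Build a sample ClientHello record (constructed test data, not a capture)."""
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in exts)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", 2 * len(suites))
            + b"".join(struct.pack(">H", s) for s in suites)
            + b"\x01\x00" + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

# Constructed inputs: both offer 0xc02f, but hello B carries two more extensions.
HELLO_A = build_hello([0xC02F, 0x009C], [(10, b"\x00\x02\x00\x17")])
HELLO_B = build_hello([0xC02F, 0xC030], [(0, b"\x00\x09\x00\x00\x06a.test"),
                      (10, b"\x00\x02\x00\x17"), (13, b"\x00\x02\x04\x01")])
```

To use it on real traffic, export the raw bytes of each client's ClientHello record from the capture and pass them to `parse_client_hello` in place of the constructed samples.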

Regarding ssl - TLS handshake fails even though cipher suites are in common, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/44900505/
