ssl - Unable to read incoming changeCipherSpec over a mutual SSL connection

Tags ssl ssl-certificate jscript chilkat mutual-authentication

We need to connect to a server using two-way SSL, but for some reason we get the following error when trying to make the request:

[...]
readIncomingTls_changeCipherSpec2:
  processTlsRecord:
    processAlert:
      TlsAlert:
        level: fatal
        descrip: handshake failure
      --TlsAlert
    --processAlert
  --processTlsRecord
--readIncomingTls_changeCipherSpec2
Failed to read incoming handshake messages. (3)
Client handshake failed. (3)
Failed to connect.
[...]

The private key and CSR were generated by us, and the certificate was returned to us by the party we connect to.

The key and certificate are combined into a single pem file and added to the request like this; other scripts using their own key, certificate and target work without problems:

// Chilkat.Http ActiveX component, unlocked with the (redacted) license code
var Gateway = new ActiveXObject("Chilkat.Http");
Gateway.UnlockComponent("redacted");
// Load the combined key + certificate PEM as the client certificate for the mutual SSL handshake;
// returns true (1) on success and 0 if the PEM could not be loaded (certPath is defined elsewhere)
var pemSuccess = Gateway.SetSslClientCertPem(Server.MapPath(certPath), "");
Gateway.ConnectTimeout = 10;
Gateway.ReadTimeout = 10;

In this case, however, not only does pemSuccess return 0, but I noticed that changing that line or removing it entirely makes no difference to the error, which suggests it is breaking before this point?

Unfortunately my knowledge of this process is limited and I am not sure how to solve this.

Some Googling led to a chilkat support page suggesting updating the DLL and making sure the .pem uses the correct key and certificate, but both are as they should be.

Edit 08/06/2015: Changing the format of the -----BEGIN CERTIFICATE----- header/footer to -----BEGIN CERTIFICATE----- has allowed SetSslClientCertPem to return true, but apart from that nothing in LastErrorText has changed...

Full LastErrorText:

    SynchronousRequest:
    DllDate: Dec 12 2012
    UnlockPrefix: [redacted]
    Username: [redacted]
    Architecture: Little Endian; 32-bit
    Language: ActiveX
    VerboseLogging: 0
    domain: [redacted]
    port: 9000
    ssl: 1
    RequestData:
      HttpVersion: 1.1
      Verb: POST
      Path: [redacted]
      Charset: utf-8
      SendCharset: 0
      MimeHeader: SOAPAction:
Content-Type: text/xml
    --RequestData
    ReadTimeout: 10
    ConnectTimeout: 10
    httpConnect:
      hostname: [redacted]
      port: 9000
      ssl: 1
      Need to establish connection to the HTTP server...
      ConnectTimeoutMs_1: 10000
      calling ConnectSocket2
      IPV6 enabled connect with NO heartbeat.
      connectingTo: [redacted]
      resolveHostname1:
        dnsCacheLookup: [redacted]
        dnsCacheHit: [redacted]
      --resolveHostname1
      GetHostByNameHB_ipv4: Elapsed time: 0 millisec
      myIP_1: [redacted]
      myPort_1: [redacted]
      connect successful (1)
      clientHelloMajorMinorVersion: 3.1
      buildClientHello:
        majorVersion: 3
        minorVersion: 1
        numRandomBytes: 32
        sessionIdSize: 0
        numCipherSuites: 10
        numCompressionMethods: 1
      --buildClientHello
      readIncomingTls_serverHello:
        processTlsRecord:
          processHandshake:
            handshakeMessageType: ServerHello
            handshakeMessageLen: 0x46
            processHandshakeMessage:
              MessageType: ServerHello
              Processing ServerHello...
              ServerHello:
                MajorVersion: 3
                MinorVersion: 1
                SessionIdLen: 32
                CipherSuite: RSA_WITH_AES_256_CBC_SHA
                CipherSuite: 00,35
                CompressionMethod: 0
                Queueing ServerHello message.
                ServerHello is OK.
              --ServerHello
            --processHandshakeMessage
          --processHandshake
        --processTlsRecord
      --readIncomingTls_serverHello
      HandshakeQueue:
        MessageType: ServerHello
      --HandshakeQueue
      Dequeued ServerHello message.
      readIncomingTls_6:
        processTlsRecord:
          processHandshake:
            handshakeMessageType: Certificate
            handshakeMessageLen: 0xf13
            processHandshakeMessage:
              MessageType: Certificate
              ProcessCertificates:
                Certificate:
                  [cert info]
                --Certificate
                Certificate:
                  [cert info]
                --Certificate
                Certificate:
                  [cert info]
                --Certificate
                NumCertificates: 3
                Queueing Certificates message...
              --ProcessCertificates
            --processHandshakeMessage
          --processHandshake
        --processTlsRecord
      --readIncomingTls_6
      Dequeued Certificate message.
      readIncomingTls_6:
        processTlsRecord:
          processHandshake:
            handshakeMessageType: CertificateRequest
            handshakeMessageLen: 0x6
            processHandshakeMessage:
              MessageType: CertificateRequest
              CertificateRequest:
                NumCertificateTypes: 3
                Certificate Type: RSA Sign
                Certificate Type: DSS Sign
                OtherCertificateType: 64
                totalLen: 0
                NumDistinguishedNames: 0
                CertificateRequest message is OK.
                Queueing CertificateRequest message.
              --CertificateRequest
            --processHandshakeMessage
            handshakeMessageType: ServerHelloDone
            handshakeMessageLen: 0x0
            processHandshakeMessage:
              MessageType: ServerHelloDone
              Queueing HelloDone message.
            --processHandshakeMessage
          --processHandshake
        --processTlsRecord
      --readIncomingTls_6
      Dequeued CertificateRequest message.
      DequeuedMessageType: ServerHelloDone
      OK to ServerHelloDone!
      Sending 0-length certificate (this is normal).
      CertificatesMessage:
        numCerts: 0
        CertificateSize: 0x3
      --CertificatesMessage
      Encrypted pre-master secret with server certificate RSA public key is OK.
      Sending ClientKeyExchange...
      Sent ClientKeyExchange message.
      Sending ChangeCipherSpec...
      Sent ChangeCipherSpec message.
      Derived keys.
      Installed new outgoing security params.
      Sending FINISHED message..
      algorithm: aes
      keyLength: 256
      Sent FINISHED message..
      readIncomingTls_changeCipherSpec2:
        processTlsRecord:
          processAlert:
            TlsAlert:
              level: fatal
              descrip: handshake failure
            --TlsAlert
          --processAlert
        --processTlsRecord
      --readIncomingTls_changeCipherSpec2
      Failed to read incoming handshake messages. (3)
      Client handshake failed. (3)
      Failed to connect.
    --httpConnect
    connectTime1: Elapsed time: 47 millisec
    totalTime: Elapsed time: 47 millisec
    Failed.
  --SynchronousRequest
--ChilkatLog

Best answer

So it turns out that, despite the sender insisting several times that the certificate was correct, and despite them insisting (when asked) that the email encoding had not stripped any characters, the certificate was in fact incorrect and the email encoding had removed some characters from the body.

Note the lines beginning with a + character.

Regarding ssl - Unable to read incoming changeCipherSpec over a mutual SSL connection, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/30665751/
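A structural check for a PEM bundle of the kind described in the question (key and certificate in one file), added here as an example; it is not code from the question, the answer, or Chilkat. It flags the damage the answer found, a mangled header line, a stray prefix character and lost base64 characters, which is the kind of defect that makes SetSslClientCertPem return 0 and leaves the client sending the 0-length certificate seen in the log. The sample bundles are constructed stand-ins, not real keys or certificates.

```python
import base64, binascii, re

# Exact PEM boundaries: a header with extra spaces or dashes is rejected on purpose.
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def _der_len(der):
    # Total size claimed by the outer DER tag-length-value, or None if the length octets are bad.
    n = der[1] & 0x7F
    if der[1] < 0x80:
        return 2 + n
    return 2 + n + int.from_bytes(der[2:2 + n], "big") if 0 < n <= 4 and len(der) >= 2 + n else None

def check_pem(text):
    # Returns the list of structural problems in a PEM bundle; an empty list means it is sound.
    problems, blocks, label, body = [], [], None, []
    for no, line in enumerate(text.splitlines(), 1):
        m = (_BEGIN if label is None else _END).match(line)
        if label is None and m:
            label, body = m.group(1), []
        elif label is None and line.strip():
            problems.append("line %d: text outside any PEM block: %r" % (no, line))
        elif m:
            blocks.append((label, "".join(body)))
            label = None
        elif label and _B64_LINE.match(line):
            body.append(line)
        elif label:
            problems.append("line %d: non-base64 text inside %s block: %r" % (no, label, line))
    for label, b64 in blocks:
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            problems.append("%s: base64 body does not decode" % label)
            continue
        # Each block is one outer DER SEQUENCE; a length mismatch means characters were lost or added.
        if len(der) < 2 or der[0] != 0x30 or _der_len(der) != len(der):
            problems.append("%s: DER SEQUENCE length disagrees with decoded payload" % label)
    kinds = {"PRIVATE KEY" if l.endswith("PRIVATE KEY") else l for l, _ in blocks}
    problems += ["bundle has no %s block" % k for k in ("CERTIFICATE", "PRIVATE KEY") if k not in kinds]
    return problems

# Constructed samples: "MAMCAQU=" is the DER SEQUENCE { INTEGER 5 }, standing in for real bodies.
# BAD_PEM mimics a mail-mangled copy: spaced header, a quoting "+" prefix, and a lost character.
GOOD_PEM = ("-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
            "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n")
BAD_PEM = ("----- BEGIN CERTIFICATE -----\n+MAMCAQU=\n-----END CERTIFICATE-----\n"
           "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQ==\n-----END RSA PRIVATE KEY-----\n")
```

Running check_pem over a bundle received by email before handing it to SetSslClientCertPem turns a bare handshake_failure alert into a line-numbered list of what was altered in transit.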
