我有一个运行 NextCloud 的 nginx 1.10.3 服务器并从各种客户端访问它。该证书由 Lets Encrypt 提供并使用 2048 位 RSA key 。
所有客户端都可以正常工作,包括网络浏览器,但在 iPad 或 iPhone 上运行 iOS 11 的客户端除外。工作浏览器是 MacOS 和 Linux 上的 Firefox 56,以及 MacOS Sierra 上的 Safari 11。 Linux 上的 NextCloud 客户端也可以正常工作。在 iOS 上,GoodReader 作为 webdav 客户端访问 NextCloud 没有问题。但是 Safari 不会访问它,声称它无法访问与服务器的安全连接。 iOS NextCloud 客户端在尝试连接时返回 SSL 错误(我假设它使用与 Safari 相同的库进行连接)。
当 iOS(Safari 或 NextCloud 应用程序)尝试连接但失败时,nginx 日志中的错误是:
SSL_do_handshake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking
我查看了 Web 服务器上的流量,这是 Firefox 的客户端问候:
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 512
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 508
Version: TLS 1.2 (0x0303)
Random
GMT Unix Time: Aug 8, 2013 06:38:14.000000000 JST
Random Bytes: eece37d08b453cedc932958165d0b6c530b31a321554c874...
Session ID Length: 32
Session ID: c7...
Cipher Suites Length: 30
Cipher Suites (15 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 405
Extension: server_name
Type: server_name (0x0000)
Length: 30
Server Name Indication extension
Server Name list length: 28
Server Name Type: host_name (0)
Server Name length: 25
Server Name: mydomain.com
Extension: Extended Master Secret
Type: Extended Master Secret (0x0017)
Length: 0
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 10
Elliptic Curves Length: 8
Elliptic curves (4 curves)
Elliptic curve: ecdh_x25519 (0x001d)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: secp384r1 (0x0018)
Elliptic curve: secp521r1 (0x0019)
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 208
Data (208 bytes)
Extension: Application Layer Protocol Negotiation
Type: Application Layer Protocol Negotiation (0x0010)
Length: 14
ALPN Extension Length: 12
ALPN Protocol
ALPN string length: 2
ALPN Next Protocol: h2
ALPN string length: 8
ALPN Next Protocol: http/1.1
Extension: status_request
Type: status_request (0x0005)
Length: 5
Certificate Status Type: OCSP (1)
Responder ID list Length: 0
Request Extensions Length: 0
Extension: signature_algorithms
Type: signature_algorithms (0x000d)
Length: 24
Signature Hash Algorithms Length: 22
Signature Hash Algorithms (11 algorithms)
Signature Hash Algorithm: 0x0403
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0503
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0603
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0804
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (4)
Signature Hash Algorithm: 0x0805
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (5)
Signature Hash Algorithm: 0x0806
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (6)
Signature Hash Algorithm: 0x0401
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0501
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0601
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0203
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0201
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
Extension: Padding
Type: Padding (0x0015)
Length: 71
Padding Data: 000000000000000000000000000000000000000000000000...
最终,为 Firefox 选择了 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) 密码。
这是通过 Safari 的 iPad 客户端问候语:
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 239
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 235
Version: TLS 1.2 (0x0303)
Random
GMT Unix Time: Jul 20, 2002 17:04:33.000000000 JST
Random Bytes: 8f8602de9622cf56d70fa8d863a3c8d7154eb23ce19b625b...
Session ID Length: 0
Cipher Suites Length: 40
Cipher Suites (20 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 154
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: server_name
Type: server_name (0x0000)
Length: 30
Server Name Indication extension
Server Name list length: 28
Server Name Type: host_name (0)
Server Name length: 25
Server Name: mydomain.com
Extension: Extended Master Secret
Type: Extended Master Secret (0x0017)
Length: 0
Extension: signature_algorithms
Type: signature_algorithms (0x000d)
Length: 20
Signature Hash Algorithms Length: 18
Signature Hash Algorithms (9 algorithms)
Signature Hash Algorithm: 0x0403
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0804
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (4)
Signature Hash Algorithm: 0x0401
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0503
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0805
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (5)
Signature Hash Algorithm: 0x0501
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0806
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (6)
Signature Hash Algorithm: 0x0601
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0201
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
Extension: status_request
Type: status_request (0x0005)
Length: 5
Certificate Status Type: OCSP (1)
Responder ID list Length: 0
Request Extensions Length: 0
Extension: next_protocol_negotiation
Type: next_protocol_negotiation (0x3374)
Length: 0
Extension: signed_certificate_timestamp
Type: signed_certificate_timestamp (0x0012)
Length: 0
Data (0 bytes)
Extension: Application Layer Protocol Negotiation
Type: Application Layer Protocol Negotiation (0x0010)
Length: 48
ALPN Extension Length: 46
ALPN Protocol
ALPN string length: 2
ALPN Next Protocol: h2
ALPN string length: 5
ALPN Next Protocol: h2-16
ALPN string length: 5
ALPN Next Protocol: h2-15
ALPN string length: 5
ALPN Next Protocol: h2-14
ALPN string length: 8
ALPN Next Protocol: spdy/3.1
ALPN string length: 6
ALPN Next Protocol: spdy/3
ALPN string length: 8
ALPN Next Protocol: http/1.1
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 8
Elliptic Curves Length: 6
Elliptic curves (3 curves)
Elliptic curve: ecdh_x25519 (0x001d)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: secp384r1 (0x0018)
网络流量中给iOS的响应是:
Secure Sockets Layer
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 2
Alert Message
Level: Fatal (2)
Description: Handshake Failure (40)
不幸的是,我不清楚握手具体失败的原因,因为我无法找到任何更详细的信息。服务器为 Firefox 选择的确切密码被列为 iOS 支持,但 SSL 握手不仅没有选择它,而且没有选择任何选项。
更奇怪的是,通过 SSL Labs 对该网站进行的运行给出了以下 Safari 握手测试结果以及 A+ 评级:
Safari 6/iOS 6.0.1 RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH secp521r1 FS
Safari 7/iOS 7.1 RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH secp521r1 FS
Safari 7/OS X 10.9 RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH secp521r1 FS
Safari 8/iOS 8.4 RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH secp521r1 FS
Safari 8/OS X 10.10 RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH secp521r1 FS
Safari 9/iOS 9 RSA 2048 (SHA256) TLS 1.2 > h2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp521r1 FS
Safari 9/OS X 10.11 RSA 2048 (SHA256) TLS 1.2 > h2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp521r1 FS
Safari 10/iOS 10 RSA 2048 (SHA256) TLS 1.2 > h2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp521r1 FS
Safari 10/OS X 10.12 RSA 2048 (SHA256) TLS 1.2 > h2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp521r1 FS
显然 SSL Lab 的 Safari 模型对我的服务器很满意,但 iOS 上真正的 Safari 却不是。
这是 nginx 服务器的 SSL 密码配置:
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:
ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:
DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:
DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:
DHE-RSA-AES256-SHA256";
取自here .我还尝试了 Mozilla SSL configuration generator 中的配置. “现代”简介是这样的:
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
这给出了握手失败的相同结果。
让 nginx 使用默认的 ssl_ciphers 导致 iOS 连接到服务器。但是,当我检查 TCP 转储时,我发现它选择了密码 TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d),它不提供前向保密。使用默认的密码选择,因为一些浏览器选择没有前向保密的密码。但即使在这种情况下,SSL Labs 的 Safari 10/iOS 10 握手测试也给出了 RSA 2048 (SHA256) TLS 1.2 > h2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp521r1 FS 结果,所以我很困惑为什么 iOS 11 的行为如此不同。
非常感谢任何解决这种奇怪情况的帮助。
最佳答案
我找到了问题的根源。服务器被限制为仅接受椭圆曲线的 secp521r1(ssl_ecdh_curve 设置)。我不记得为什么要这样设置;过去有些向导告诉我这样做,我盲目地服从了。
添加一条强度较低的附加曲线 secp384r1,使 iOS 能够成功握手并使用 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384 进行通信。 ssl_ecdh_curve 现在设置为 secp521r1:secp384r1。
我不确定 iOS 10 和 11 之间发生了什么变化导致了这个问题。我最好的猜测是通过挖掘 OpenSSL 代码和一些 further research , 是 iOS 11 试图遵守 Suite B . Suite B 将曲线限制为 P-256 和 P-384。但这只是业余爱好者的猜测。
关于ios - 仅 nginx 和 iOS 11 之间的 SSL 握手失败 (40),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46956185/