PHP / Ubuntu: cURL/OpenSSL handshake failure with a fritzbox


I am trying to push some data into my fritz.box (6360 Cable) from my VPS using a simple PHP script.

Anotherserver.net is a valid no-ip address for my fritzbox (and the fritzbox is reachable from the public side).

The PHP script tries to curl the server to get an SSL session, but it ends with a handshake error. So I tried the plain curl command shown below. The curl command ends with the same error. What confuses me is that the -k/--insecure switch does not change anything. Secondly, the openssl command you can see below works perfectly fine.

root@server:/var/www/mycurl# curl -v -L  --sslv3  --cacert cert_file.pem https://anotherserver.net
Rebuilt URL to: https://anotherserver.net/
Hostname was NOT found in DNS cache
Trying 37.xxx.xxx.xx...
Connected to anotherserver.net (37.xxx.xxx.xx) port 443 (#0)
successfully set certificate verify locations:
CAfile: cert_file.pem
CApath: /etc/ssl/certs
SSLv3, TLS handshake, Client hello (1):
SSLv3, TLS alert, Server hello (2):
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Closing connection 0
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
openssl:

root@server:/var/www/mycurl# openssl s_client -connect anotherserver.net:443 -CAfile cert_file.pem
CONNECTED(00000003)
depth=0 CN = anotherServer.net
verify return:1
---
Certificate chain
 0 s:/CN=anotherserver.net
   i:/CN=anotherserver.net
---
Server certificate
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----
subject=/CN=anotherserver.net
issuer=/CN=anotherserver.net
---
No client certificate CA names sent
---
SSL handshake has read 1109 bytes and written 631 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: A93D457B5DF416DFA40F5934B6C2FC2E6365266104B3300B873E5FC89759E395
    Session-ID-ctx:
    Master-Key: 790ABDC0B114C882B69FBA693712C08AA43EA409B242F0B2E92EB953A8BC71DD16527F8B3561206A21FD11E7EA8DC04E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1408397806
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
The OpenSSL and curl versions on my server are:

root@server:/var/www/mycurl# openssl version
OpenSSL 1.0.1f 6 Jan 2014
root@server:/var/www/mycurl# curl --version
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
The OpenSSL version on my fritz.box seems to be 0.98.

Edit, 19 August 2014:
cert_file.pem is actually bjax.ddns.net.pem, the certificate file of the "other server" (i.e. bjax.ddns.net), which I downloaded from that site with Google Chrome. I also tried renaming it to bjax-ddns-net.pem, but curl still did not work. Note that openssl s_client always returns Verify return code 0, so openssl s_client works completely, and it has worked ever since. Only the curl command has the handshake problem.

Take this self-signed certificate:

-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----
Save it in a file named bjax-ddns-net.pem. Then try:

openssl s_client -connect anotherserver.net:443 -CAfile bjax-ddns-net.pem
You will end up with a Verify return code: 0 (ok).


The FRITZ!Box's server seems to support only two ciphers: RC4-SHA and RC4-MD5. While openssl s_client offers these ciphers, curl does not. It looks like they have explicitly removed all RC4 ciphers, see also

If you explicitly add --ciphers "RC4-SHA" to the options, the connection succeeds.
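The same fix, carried back into the PHP script the question started from, as an added example (not the asker's script and not code from curl or AVM): it sets CURLOPT_SSL_CIPHER_LIST to the RC4 suite the box offers, keeps peer verification switched on with the downloaded self-signed certificate (the -k switch never mattered here because the failure happens during cipher negotiation, before verification), and picks the cipher-name syntax from libcurl's SSL backend, because an NSS-built libcurl wants NSS-style names (plain "rc4") rather than OpenSSL's "RC4-SHA", as noted in the comments below. The URL, certificate path and form fields are placeholders. Note that RC4 suites were banned from TLS by RFC 7465 in 2015 and are no longer compiled into current OpenSSL builds, so this only negotiates on a libcurl whose backend still ships them, as the 2014 versions on the page did.

```php
<?php
// Added example (not the asker's script): POST to the FRITZ!Box over HTTPS from PHP
// with an explicit cipher list, mirroring the answer's `curl --ciphers "RC4-SHA"`.
// Hostname, certificate path and form fields are placeholders, not values from the page.

// Return the cipher string in the syntax of the SSL backend libcurl was built against:
// OpenSSL/GnuTLS-style "RC4-SHA", or the NSS name "rc4" for an NSS-built libcurl.
function cipherListForBackend(string $sslVersion): string
{
    return stripos($sslVersion, 'NSS') === 0 ? 'rc4' : 'RC4-SHA';
}

function postToFritzBox(string $url, string $caFile, array $fields): array
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    $backend = curl_version()['ssl_version'];   // e.g. "OpenSSL/1.0.1f" or "NSS/3.x"
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_POST            => true,
        CURLOPT_POSTFIELDS      => http_build_query($fields),
        // Keep peer verification on and trust only the box's own self-signed certificate
        // (the file saved from the browser, as described in the question's edit).
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CAINFO          => $caFile,
        // The box offers only RC4 suites and curl's default list omits them, so name
        // the suite explicitly; this is the change the accepted answer describes.
        CURLOPT_SSL_CIPHER_LIST => cipherListForBackend($backend),
        CURLOPT_TIMEOUT         => 15,
    ]);
    $body = curl_exec($ch);
    $result = [
        'ok'      => $body !== false,
        'errno'   => curl_errno($ch),   // 35 = CURLE_SSL_CONNECT_ERROR, the handshake failure seen in the question
        'error'   => curl_error($ch),
        'status'  => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'backend' => $backend,
        'body'    => $body === false ? '' : $body,
    ];
    curl_close($ch);
    return $result;
}

$r = postToFritzBox(
    'https://anotherserver.net/',       // placeholder for the box's DynDNS name
    __DIR__ . '/bjax-ddns-net.pem',     // the self-signed certificate saved from the browser
    ['field' => 'value']                // placeholder form data
);
if (!$r['ok']) {
    fwrite(STDERR, sprintf("curl error %d (%s backend): %s\n", $r['errno'], $r['backend'], $r['error']));
    exit(1);
}
printf("HTTP %d, %d bytes received\n", $r['status'], strlen($r['body']));
```

If the handshake still fails with errno 35, print `$r['backend']`: a backend string starting with "NSS" means the OpenSSL-style name is being rejected and the NSS spelling is required, which is exactly the case the last comment on this page raises.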

What is cert_file.pem?

cert_file.pem is actually bjax.ddns.net.pem, the certificate file of the "other server" (i.e. bjax.ddns.net), which I downloaded from that site with Google Chrome. I also tried renaming it to bjax-ddns-net.pem, but curl still did not work. Note that openssl s_client always returns Verify return code 0, so openssl s_client works completely, and it has worked ever since. Only the curl command has the handshake problem.

This completely solved the problem! After some further fixes the whole use case finally works! Thanks a lot :)

Just want to add a note: if your cURL is compiled against libnss, you need to use the NSS-style cipher definition. In this case just "RC4".