主页 / server / 问题 / 1137203
Accepted
ePi272314
Asked: 2023-07-14 22:04:38 +0800 CST

网站的客户端收到 SSL_ERROR_HANDSHAKE_FAILURE_ALERT (Firefox) 和 ERR_BAD_SSL_CLIENT_AUTH_CERT (Chrome)

  • 772

我正在 AlmaLinux 8.8 (Centos) 和 Apache 2.4.56 上运行一个站点。该网站有一个自签名证书。

当我访问该网站时,由于自签名证书,我收到了常见的警告。接受我要继续后,我SSL_ERROR_HANDSHAKE_FAILURE_ALERT在 Firefox 和ERR_BAD_SSL_CLIENT_AUTH_CERTChrome 中收到错误消息。

在同一服务器上,其他站点可以使用 Cloudflare + Let'Encrypt 正常工作。

我对 Apache 虚拟主机文件上的 SSL 配置没有任何疑问。我也仔细检查了证书。

我运行了这个调试工具,openssl s_client -state -debug -showcerts -verify 1 -connect example.com:443
您可以在下面找到输出的摘要。

我提请大家注意提及 Cloudflare 的行SSL3 alert read:fatal:handshake failure和另一行,即使该网站当前未使用 Cloudflare。

请帮忙。

调试工具的输出:

verify depth is 1
CONNECTED(00000005)
SSL_connect:before SSL initialization
...
SSL_connect:SSLv3/TLS write client hello
...
SSL_connect:SSLv3/TLS write client hello
...
SSL_connect:SSLv3/TLS read server hello
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = (...)
verify error:num=18:self-signed certificate
...
SSL_connect:SSLv3/TLS read server certificate
...                ...
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write change cipher spec
...
SSL_connect:SSLv3/TLS write finished
...
SSL3 alert read:fatal:handshake failure
SSL_connect:error in error
0036800901000000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1586:SSL alert number 40
---
Certificate chain
 0 s:C = XX, L = Default City, O = Default Company Ltd, CN = (...)
   i:C = XX, L = Default City, O = Default Company Ltd, CN = (...)
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 14 11:41:36 2023 GMT; NotAfter: Jul 11 11:41:36 2033 GMT
-----BEGIN CERTIFICATE-----
...

Acceptable client certificate CA names
C = US, O = "CloudFlare, Inc.", OU = Origin Pull, L = San Francisco, ST = California, CN = origin-pull.cloudflare.net
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: 
...
---
SSL handshake has read 1553 bytes and written 456 bytes
Verification error: self-signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 940A6E481407D70D9F5DCFF3DD0760DC10A3A6B4B6F37D602EE8CDB83A736B049DE24DF0C8D4DE57A9E3A403553EC6D6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1689342131
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
centos

1 个回答

  1. Best Answer

    根据我进行的研究,服务器和客户端上的多个设置可能会导致此错误。

    在其他站点上禁用 Cloudflare 后,我发现即使这些站点具有签名证书,也会发生该错误。所以问题出在一些全局 Apache 配置上。

    我通过将此指令添加SSLVerifyClient none到我的httpd.conf文件中解决了该问题。

    显然,服务器正在向客户端请求证书以进行身份​​验证。虽然我没有SSLVerifyClient require在任何 Apache 配置文件中找到该指令。一个谜;)。

    • 0

相关问题