主页 / server / 问题 / 476697
Accepted
Ram Rachum
Asked: 2013-02-08 18:03:44 +0800 CST

错误设置 stunnel 服务器:`SSL3_GET_CLIENT_HELLO:错误的版本号`

  • 772

stunnel在 Windows XP 上设置服务器,当客户端尝试访问时出现此错误:

2013.02.14 00:02:16 LOG7[8848:7664]: Service [https] accepted (FD=320) from 107.20.36.147:56160
2013.02.14 00:02:16 LOG7[8848:7664]: Creating a new thread
2013.02.14 00:02:16 LOG7[8848:7664]: New thread created
2013.02.14 00:02:16 LOG7[8848:9792]: Service [https] started
2013.02.14 00:02:16 LOG5[8848:9792]: Service [https] accepted connection from 107.20.36.147:56160
2013.02.14 00:02:16 LOG7[8848:9792]: SSL state (accept): before/accept initialization
2013.02.14 00:02:16 LOG7[8848:9792]: SSL alert (write): fatal: handshake failure
2013.02.14 00:02:16 LOG3[8848:9792]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
2013.02.14 00:02:16 LOG5[8848:9792]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.02.14 00:02:16 LOG7[8848:9792]: Local socket (FD=320) closed
2013.02.14 00:02:16 LOG7[8848:9792]: Service [https] finished (0 left)

知道该怎么办吗?我在网上读到这可能意味着我的服务器在宣传它可以在 SSL3 中通信,但实际上不能。如果这是真的,我想知道如何解决这个问题。我正在编辑该stunnel.conf文件,但我不知道要在其中更改什么来解决此问题。

更新:

仅当 Twilio 客户端(即 Twilio 的服务器)尝试访问我的服务器时,才会显示以上错误消息。当我尝试使用我的一台计算机访问我的服务器时,该页面确实显示,但在内容显示后,Chrome 将页面显示为“正在加载”大约 30 秒,最后显示stunnel以下消息:

transfer: s_poll_wait: TIMEOUTclose exceeded: closing

更新:

这是 wireshark 捕获:https ://gist.github.com/cool-RR/4963477

上限文件:https ://dl.dropbox.com/u/1927707/wireshark.cap

请注意,服务器在端口 8088 上运行。

更新:

这是来自服务器的日志(debug=7):

2013.02.17 17:06:52 LOG7[7636:2092]: No limit detected for the number of clients
2013.02.17 17:06:52 LOG5[7636:2092]: stunnel 4.54 on x86-pc-msvc-1500 platform
2013.02.17 17:06:52 LOG5[7636:2092]: Compiled/running with OpenSSL 1.0.1c-fips 10 May 2012
2013.02.17 17:06:52 LOG5[7636:2092]: Threading:WIN32 SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:SELECT+IPv6
2013.02.17 17:06:52 LOG5[7636:2092]: Reading configuration from file stunnel.conf
2013.02.17 17:06:52 LOG5[7636:2092]: FIPS mode is enabled
2013.02.17 17:06:52 LOG7[7636:2092]: Compression not enabled
2013.02.17 17:06:52 LOG7[7636:2092]: Snagged 64 random bytes from C:\Documents and Settings\User/.rnd
2013.02.17 17:06:52 LOG7[7636:2092]: Wrote 1024 new random bytes to C:\Documents and Settings\User/.rnd
2013.02.17 17:06:52 LOG7[7636:2092]: PRNG seeded successfully
2013.02.17 17:06:52 LOG6[7636:2092]: Initializing service [https]
2013.02.17 17:06:52 LOG7[7636:2092]: Certificate: G:\Dropbox\StartSSL\SSL Cert.pem
2013.02.17 17:06:52 LOG7[7636:2092]: Certificate loaded
2013.02.17 17:06:52 LOG7[7636:2092]: Key file: G:\Dropbox\StartSSL\SSL Cert.pem
2013.02.17 17:06:52 LOG7[7636:2092]: Private key loaded
2013.02.17 17:06:52 LOG7[7636:2092]: Could not load DH parameters from G:\Dropbox\StartSSL\SSL Cert.pem
2013.02.17 17:06:52 LOG7[7636:2092]: Using hardcoded DH parameters
2013.02.17 17:06:52 LOG7[7636:2092]: DH initialized with 2048-bit key
2013.02.17 17:06:52 LOG7[7636:2092]: ECDH initialized with curve prime256v1
2013.02.17 17:06:52 LOG7[7636:2092]: SSL options set: 0x03000004
2013.02.17 17:06:52 LOG5[7636:2092]: Configuration successful
2013.02.17 17:06:52 LOG7[7636:2092]: Service [https] (FD=268) bound to 0.0.0.0:8088
2013.02.17 17:07:08 LOG7[7636:2092]: Service [https] accepted (FD=320) from 54.242.25.199:45922
2013.02.17 17:07:08 LOG7[7636:2092]: Creating a new thread
2013.02.17 17:07:08 LOG7[7636:2092]: New thread created
2013.02.17 17:07:08 LOG7[7636:8004]: Service [https] started
2013.02.17 17:07:08 LOG5[7636:8004]: Service [https] accepted connection from 54.242.25.199:45922
2013.02.17 17:07:08 LOG7[7636:8004]: SSL state (accept): before/accept initialization
2013.02.17 17:07:08 LOG7[7636:8004]: SSL alert (write): fatal: handshake failure
2013.02.17 17:07:08 LOG3[7636:8004]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
2013.02.17 17:07:08 LOG5[7636:8004]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.02.17 17:07:08 LOG7[7636:8004]: Local socket (FD=320) closed
2013.02.17 17:07:08 LOG7[7636:8004]: Service [https] finished (0 left)

更新:

这是我的stunnel.conf文件。

windows

2 个回答

  1. Best Answer

    您应该进行网络捕获并查看它被拒绝的原因。还要检查两端的日志。增加debugstunnel conf 中的级别。

    您需要进行网络跟踪以确定客户端支持哪个版本的 SSL 协议。然后确保您的服务器也支持该版本。

    客户端发送一条 ClientHello 消息,指定它支持的最高 TLS 协议版本、一个随机数、建议的 CipherSuites 列表和建议的压缩方法。

    资源

    请注意,由于重新协商中的安全漏洞,SSL 协议在几年前已更改。请参阅CVE-2009-3555和有关 SSL 重新协商的页面

    服务器响应:

    Secure Sockets Layer
    SSLv3 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: SSL 3.0 (0x0300)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)

    您必须检查 SSL 服务器上的日志以了解它拒绝连接的原因。尝试在 stunnel 上启用 SSL 调试debug=7

    stunnel服务器有,但客户端正在options = NO_SSLv3尝试使用 SSLv3 进行连接。您需要升级客户端以支持更新版本的 SSL,或者您需要更改stunnel配置以接受 SSLv3。

    • 3

  2. 可能是客户端和服务器之间的 SSL 版本不匹配。通过在客户端上禁用较旧的 SSL 版本,确保客户端仅配置为 SSL3。

    • 0

相关问题