我正在 AlmaLinux 8.8 (Centos) 和 Apache 2.4.56 上运行一个站点。该网站有一个自签名证书。
当我访问该网站时,由于自签名证书,我收到了常见的警告。接受我要继续后,我SSL_ERROR_HANDSHAKE_FAILURE_ALERT
在 Firefox 和ERR_BAD_SSL_CLIENT_AUTH_CERT
Chrome 中收到错误消息。
在同一服务器上,其他站点可以使用 Cloudflare + Let'Encrypt 正常工作。
我对 Apache 虚拟主机文件上的 SSL 配置没有任何疑问。我也仔细检查了证书。
我运行了这个调试工具,openssl s_client -state -debug -showcerts -verify 1 -connect example.com:443
您可以在下面找到输出的摘要。
我提请大家注意提及 Cloudflare 的行SSL3 alert read:fatal:handshake failure
和另一行,即使该网站当前未使用 Cloudflare。
请帮忙。
调试工具的输出:
verify depth is 1
CONNECTED(00000005)
SSL_connect:before SSL initialization
...
SSL_connect:SSLv3/TLS write client hello
...
SSL_connect:SSLv3/TLS write client hello
...
SSL_connect:SSLv3/TLS read server hello
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = (...)
verify error:num=18:self-signed certificate
...
SSL_connect:SSLv3/TLS read server certificate
... ...
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write change cipher spec
...
SSL_connect:SSLv3/TLS write finished
...
SSL3 alert read:fatal:handshake failure
SSL_connect:error in error
0036800901000000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1586:SSL alert number 40
---
Certificate chain
0 s:C = XX, L = Default City, O = Default Company Ltd, CN = (...)
i:C = XX, L = Default City, O = Default Company Ltd, CN = (...)
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jul 14 11:41:36 2023 GMT; NotAfter: Jul 11 11:41:36 2033 GMT
-----BEGIN CERTIFICATE-----
...
Acceptable client certificate CA names
C = US, O = "CloudFlare, Inc.", OU = Origin Pull, L = San Francisco, ST = California, CN = origin-pull.cloudflare.net
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms:
...
---
SSL handshake has read 1553 bytes and written 456 bytes
Verification error: self-signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID:
Session-ID-ctx:
Master-Key: 940A6E481407D70D9F5DCFF3DD0760DC10A3A6B4B6F37D602EE8CDB83A736B049DE24DF0C8D4DE57A9E3A403553EC6D6
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1689342131
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no