Perl LWP:为什么 IO::Socket::SSL 使用 TLS 1.0,而 Net::SSL 使用 TLS 1.2?
Mat*_*cob 5 perl ssl lwp io-socket-ssl
当我运行以下代码时:
use strict;
use warnings;
use IO::Socket::SSL;
use LWP::UserAgent;
my $ua = LWP::UserAgent->new(ssl_opts => {
verify_hostname => 0,
});
my $res = $ua->get('https://internal.foo.bar.baz:20002');
print $res->as_string;
我从 LWP 收到内部错误:
500 Can't connect to internal.foo.bar.baz:20002 (Bad file descriptor)
Content-Type: text/plain
Client-Date: Fri, 29 Jun 2018 21:23:13 GMT
Client-Warning: Internal response
Can't connect to internal.foo.bar.baz:20002 (Bad file descriptor)
Bad file descriptor at D:/strawberry/perl/site/lib/LWP/Protocol/http.pm line 50.
网络流量显示这是一个“客户端问候”,随后服务器立即重置,并且协议是 TLSv1。服务器仅允许 TLS 1.2 连接,因此这是有道理的。
当我更改代码以指定客户端仅应使用 TLS 1.2 时,我得到了相同的响应。
my $ua = LWP::UserAgent->new(ssl_opts => {
verify_hostname => 0,
SSL_version => 'TLSv1_2',
});
事实上,网络流量看起来是相同的:
当我明确使用 Net::SSL 而不是 IO::Socket::SSL 时:
use strict;
use warnings;
use Net::SSL;
use LWP::UserAgent;
my $ua = LWP::UserAgent->new(ssl_opts => {
verify_hostname => 0,
});
my $res = $ua->get('https://internal.foo.bar.baz:20002');
print $res->as_string;
有用:
HTTP/1.1 401 Unauthorized
Date: Fri, 29 Jun 2018 21:33:35 GMT
Server: Kestrel
Client-Date: Fri, 29 Jun 2018 21:33:37 GMT
Client-Peer: ***.**.**.209:20002
Client-Response-Num: 1
Client-SSL-Cert-Issuer: *******************************************************
Client-SSL-Cert-Subject: **************************************************************************
Client-SSL-Cipher: ECDHE-RSA-AES256-SHA384
Client-SSL-Socket-Class: Net::SSL
Client-SSL-Warning: Peer certificate not verified
Client-Transfer-Encoding: chunked
Client-Warning: Missing Authenticate header
Strict-Transport-Security: max-age=2592000
X-Powered-By: ASP.NET
并且协议已正确设置为 TLSv1.2:
奇怪的是,analyze-ssl.pl与 IO::Socket::SSL 协商 TLS 1.2:
-- internal.foo.bar.baz port 20002
! using certificate verification (default) -> SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
* maximum SSL version : TLSv1_2 (SSLv23)
* supported SSL versions with handshake used and preferred cipher(s):
* handshake protocols ciphers
* SSLv23 TLSv1_2 ECDHE-RSA-AES256-SHA384
* TLSv1_2 TLSv1_2 ECDHE-RSA-AES256-SHA384
* TLSv1_1 FAILED: SSL connect attempt failed
* TLSv1 FAILED: SSL connect attempt failed
* cipher order by : unknown
* SNI supported : certificate verify fails without SNI
* certificate verified : FAIL: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
* chain on ***.**.**.209
* [0/0] bits=2048, ocsp_uri=, *******************************************************************************************************
* [1/1] bits=2048, ocsp_uri=, *******************************************************
* [2/2] bits=2048, ocsp_uri=, ****************************************************************
如何防止 IO::Socket::SSL 尝试从 LWP 建立 TLS 1.0 连接?
- Perl 5.26.2 MSWin32-x64-多线程(草莓)
- OpenSSL 1.1.0h 2018 年 3 月 27 日
- 轻量级WP 6.34
- 网络::HTTPS 6.18
- IO::套接字::SSL 2.056
- 网络::SSL 2.86
Steffen Ullrich 脚本的输出:
openssl version compiled=0x1010008f linked=0x1010008f -- OpenSSL 1.1.0h 27 Mar 2018
IO::Socket::SSL version=2.056
LWP::UserAgent version=6.34
LWP::Protocol::https version=6.07
Net::HTTPS version=6.18
由于analyze-ssl.pl可以工作,而我的测试脚本在指向同一服务器时却不能工作,因此我开始比较它们以找出差异。主要区别之一是analyze-ssl.pl 尝试与 建立连接SSL_cipher_list => '',事实证明这实际上就是问题所在。
更改我的 LWP::UserAgent 实例化解决了问题:
my $ua = LWP::UserAgent->new(ssl_opts => {
verify_hostname => 0,
SSL_cipher_list => '',
});
| 归档时间: |
|
| 查看次数: |
9352 次 |
| 最近记录: |