在 Ubuntu 20.04 中,通过 VPN,我无法再访问使用 TLSv1 协议的服务器。
在 Ubuntu 18.04 中,它工作正常。
首先,我通过 SNX 连接到 VPN,然后使用访问服务器的程序。
我用 openssl 做了一些测试来突出这个问题。有没有可能解决这个问题?我相信我的问题可能与https://github.com/curl/curl/issues/4097 上报告的相同。
我认为OpenSSL v1.1.1 ssl_choose_client_version 不受支持的协议与我的问题有关,但它不同,因为它没有“没有可用的协议”问题。
当我用 openssl 测试时,我得到错误“不受支持的协议”,但是当我用 openssl强制 TLSv1测试时,我得到错误“没有可用的协议”。
测试详情:
Ubuntu 18.04:
Package: openssl
-> Version: 1.1.1-1ubuntu2.1 ~ 18.04.5
openssl s_client -connect host: port
-> works - TLSv1 ("SSL-Session: Protocol: TLSv1.").
openssl s_client -connect host: port -tls1
-> works - TLSv1 ("SSL-Session: Protocol: TLSv1.").
openssl s_client -connect host: port -tls1_1
-> 139786161414592: error: 1425F102: SSL routines: ssl_choose_client_version: unsupported protocol: ../ ssl / statem / statem_lib.c: 1907:
openssl s_client -connect host: port -tls1_2
-> 139786161414592: error: 1425F102: SSL routines: ssl_choose_client_version: unsupported protocol: ../ ssl / statem / statem_lib.c: 1907:
Ubuntu 20.04:
Package: openssl
-> Version: 1.1.1f-1ubuntu2
openssl s_client -connect host: port
-> 140253162648896: error: 1425F102: SSL routines: ssl_choose_client_version: unsupported protocol: ../ ssl / statem / statem_lib.c: 1941:
openssl s_client -connect host: port -tls1
-> 139722831217984: error: 141E70BF: SSL routines: tls_construct_client_hello: no protocols available: ../ ssl / statem / statem_clnt.c: 1112:
openssl s_client -connect host: port -tls1_1
-> 139923839911232: error: 141E70BF: SSL routines: tls_construct_client_hello: no protocols available: ../ ssl / statem / statem_clnt.c: 1112:
openssl s_client -connect host: port -tls1_2
-> 139862992581952: error: 1425F102: SSL routines: ssl_choose_client_version: unsupported protocol: ../ ssl / statem / statem_lib.c: 1941:
Ubuntu 18.04 - 成功详细连接
my@machine: ~ $ openssl s_client -connect my.domain: 9023 -tls1
CONNECTED (00000005)
depth = 2 C = XX, O = XXXXXX, OU = ICP-XX, CN = AC XXXXX vX
verify error: num = 19: self signed certificate in certificate chain
---
Certificate chain
0 s: C = XX, ST = XX, L = XXXXXX, O = XXXXXXXX, OU = XXXXXXXXXXX XXXXX, CN = xxx.com
i: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
1 s: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
i: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
2 s: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
i: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
---
Server certificate
----- BEGIN CERTIFICATE -----
(...)
-----END CERTIFICATE-----
subject=X = XX, ST = XX, L = XXXXXX, O = XXXXXXX, OU = XXXXXXXX, CN = mydomain.com
issuer=C = XX, O = XXXXXXXXXX, OU = ICP-XX, CN = AC XXXXXXXXXXXXXXXXXXXXX
---
No client certificate CA names sent
---
SSL handshake has read 4604 bytes and written 449 bytes
Verification error: self signed certificate in certificate chain
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol: TLSv1
Cipher: AES256-SHA
Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Session-ID-ctx:
Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1588445847
Timeout: 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: no
---
Ubuntu 20.04 - 详细连接失败:
my@machine: ~ / Documents / $ openssl s_client -connect my.domain: 9023
CONNECTED (00000003)
139912319178048: error: 1425F102: SSL routines: ssl_choose_client_version: unsupported protocol: ../ ssl / statem / statem_lib.c: 1941:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 4545 bytes and written 309 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
my@machine: ~ / Documents / study $ openssl s_client -connect my.domain: 9023 -tls1
CONNECTED (00000003)
140581447836992: error: 141E70BF: SSL routines: tls_construct_client_hello: no protocols available: ../ ssl / statem / statem_clnt.c: 1112:
-
Fel*_*ler 33
我刚刚解决了我的问题 - https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
只是引用这个链接:
您需要将其添加到配置文件的开头:
openssl_conf = default_conf
然后到最后:
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = ssl_default_sect
[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
上面链接的评论说:
Note that if you prefer you can make changes to a local copy of the config file, and then ensure your process is started with the environment variable OPENSSL_CONF defined to point at the location of your config file:
export OPENSSL_CONF=/path/to/my/openssl.cnf
This way you can make changes without having to impact your entire system.
我使用了第二个选项“export OPENSSL_CONF=/path/to/my/openssl.cnf”并且完美运行!
对我有用的解决方案是创建一个openssl_tls1.cnf包含:
openssl_conf = default_conf
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
然后设置OPENSSL_CONF=/path/to/openssl_tls1.cnf允许与较低协议连接,如下所示
OPENSSL_CONF=openssl_tls1.cnf wget https://foo.bar
服务器支持 TLSv1,但不支持 TLSv1.1 及更高版本
Ubuntu 20.x openssl 版本不支持 TLSv1 及以下版本。
可能是 openssl.cnf 文件已更新以添加更安全的连接默认值。这取决于操作系统和风格。
确定配置文件的位置(对于适合您 Linux 风格的 openssl),并确定降低 TLS 版本是否有任何限制或默认设置。
请尝试以下操作来查看服务器是否支持 TLSv1.1 及更高版本:
nmap --script ssl-enum-ciphers -p 443 your_host_name
检查输出以查看密码和相应的版本。
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| 归档时间: |
|
| 查看次数: |
15959 次 |
| 最近记录: |