windows – Error setting up stunnel server: `SSL3_GET_CLIENT_HELLO:wrong`
I am setting up a stunnel server on Windows XP, and when a client tries to access it I get this error:

    2013.02.14 00:02:16 LOG7[8848:7664]: Service [https] accepted (FD=320) from 107.20.36.147:56160
    2013.02.14 00:02:16 LOG7[8848:7664]: Creating a new thread
    2013.02.14 00:02:16 LOG7[8848:7664]: New thread created
    2013.02.14 00:02:16 LOG7[8848:9792]: Service [https] started
    2013.02.14 00:02:16 LOG5[8848:9792]: Service [https] accepted connection from 107.20.36.147:56160
    2013.02.14 00:02:16 LOG7[8848:9792]: SSL state (accept): before/accept initialization
    2013.02.14 00:02:16 LOG7[8848:9792]: SSL alert (write): fatal: handshake failure
    2013.02.14 00:02:16 LOG3[8848:9792]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
    2013.02.14 00:02:16 LOG5[8848:9792]: Connection reset: 0 byte(s) sent to SSL,0 byte(s) sent to socket
    2013.02.14 00:02:16 LOG7[8848:9792]: Local socket (FD=320) closed
    2013.02.14 00:02:16 LOG7[8848:9792]: Service [https] finished (0 left)

Any idea what to do? I read online that this may mean my server is advertising that it can communicate in SSL3 when in fact it cannot. If that is true, I would like to know how to fix it. I am editing the stunnel.conf file, but I do not know what to change in it to solve this.

Update: The error message above appears only when the Twilio client (i.e. Twilio's servers) tries to access my server. When I try to access my server from one of my own computers, the page does display, but after showing the content Chrome shows the page as "loading" for about 30 seconds, at the end of which stunnel prints the following message:

    transfer: s_poll_wait: TIMEOUTclose exceeded: closing

Update: Here is a Wireshark capture: https://gist.github.com/cool-RR/4963477
Cap file: https://dl.dropbox.com/u/1927707/wireshark.cap
Note that the server runs on port 8088.
Update: Here is the server log (debug = 7):

    2013.02.17 17:06:52 LOG7[7636:2092]: No limit detected for the number of clients
    2013.02.17 17:06:52 LOG5[7636:2092]: stunnel 4.54 on x86-pc-msvc-1500 platform
    2013.02.17 17:06:52 LOG5[7636:2092]: Compiled/running with OpenSSL 1.0.1c-fips 10 May 2012
    2013.02.17 17:06:52 LOG5[7636:2092]: Threading:WIN32 SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:SELECT+IPv6
    2013.02.17 17:06:52 LOG5[7636:2092]: Reading configuration from file stunnel.conf
    2013.02.17 17:06:52 LOG5[7636:2092]: FIPS mode is enabled
    2013.02.17 17:06:52 LOG7[7636:2092]: Compression not enabled
    2013.02.17 17:06:52 LOG7[7636:2092]: Snagged 64 random bytes from C:\Documents and Settings\User/.rnd
    2013.02.17 17:06:52 LOG7[7636:2092]: Wrote 1024 new random bytes to C:\Documents and Settings\User/.rnd
    2013.02.17 17:06:52 LOG7[7636:2092]: PRNG seeded successfully
    2013.02.17 17:06:52 LOG6[7636:2092]: Initializing service [https]
    2013.02.17 17:06:52 LOG7[7636:2092]: Certificate: G:\Dropbox\StartSSL\SSL Cert.pem
    2013.02.17 17:06:52 LOG7[7636:2092]: Certificate loaded
    2013.02.17 17:06:52 LOG7[7636:2092]: Key file: G:\Dropbox\StartSSL\SSL Cert.pem
    2013.02.17 17:06:52 LOG7[7636:2092]: Private key loaded
    2013.02.17 17:06:52 LOG7[7636:2092]: Could not load DH parameters from G:\Dropbox\StartSSL\SSL Cert.pem
    2013.02.17 17:06:52 LOG7[7636:2092]: Using hardcoded DH parameters
    2013.02.17 17:06:52 LOG7[7636:2092]: DH initialized with 2048-bit key
    2013.02.17 17:06:52 LOG7[7636:2092]: ECDH initialized with curve prime256v1
    2013.02.17 17:06:52 LOG7[7636:2092]: SSL options set: 0x03000004
    2013.02.17 17:06:52 LOG5[7636:2092]: Configuration successful
    2013.02.17 17:06:52 LOG7[7636:2092]: Service [https] (FD=268) bound to 0.0.0.0:8088
    2013.02.17 17:07:08 LOG7[7636:2092]: Service [https] accepted (FD=320) from 54.242.25.199:45922
    2013.02.17 17:07:08 LOG7[7636:2092]: Creating a new thread
    2013.02.17 17:07:08 LOG7[7636:2092]: New thread created
    2013.02.17 17:07:08 LOG7[7636:8004]: Service [https] started
    2013.02.17 17:07:08 LOG5[7636:8004]: Service [https] accepted connection from 54.242.25.199:45922
    2013.02.17 17:07:08 LOG7[7636:8004]: SSL state (accept): before/accept initialization
    2013.02.17 17:07:08 LOG7[7636:8004]: SSL alert (write): fatal: handshake failure
    2013.02.17 17:07:08 LOG3[7636:8004]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
    2013.02.17 17:07:08 LOG5[7636:8004]: Connection reset: 0 byte(s) sent to SSL,0 byte(s) sent to socket
    2013.02.17 17:07:08 LOG7[7636:8004]: Local socket (FD=320) closed
    2013.02.17 17:07:08 LOG7[7636:8004]: Service [https] finished (0 left)

Update: Here's my

You need to take a network trace to determine which SSL protocol version the client supports. Then make sure your server supports that version as well.
Source

Note that the SSL protocol was changed a few years ago because of a security vulnerability in renegotiation. For information on SSL renegotiation, see CVE-2009-3555 and this page.

Server response:

    Secure Sockets Layer
        SSLv3 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
            Content Type: Alert (21)
            Version: SSL 3.0 (0x0300)
            Length: 2
            Alert Message
                Level: Fatal (2)
                Description: Handshake Failure (40)

You have to check the logs on the SSL server to see why it is rejecting the connection. Try enabling SSL debugging in stunnel: debug = 7.

The stunnel server has options = NO_SSLv3, but the client is trying to connect using SSLv3. You either need to upgrade the client to support a newer version of SSL, or you need to change the stunnel configuration to accept SSLv3.
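As an added worked example (not code from the question or the answers), this script does the two checks the answers ask for: it decodes the `SSL options set: 0x03000004` mask from the debug=7 log into OpenSSL 1.0.x `SSL_OP_*` names, and it reads the record-layer and ClientHello versions out of the first record a client sends, so the two can be compared. The ClientHello bytes are constructed here as a sample; to check the real capture, feed it the raw bytes of the client's first record.

```python
import struct

# OpenSSL 1.0.x SSL_OP_* bit values from ssl.h; stunnel's "SSL options set: 0x..."
# debug line prints exactly this mask.
SSL_OPTIONS = {
    0x00000004: "SSL_OP_LEGACY_SERVER_CONNECT",
    0x01000000: "SSL_OP_NO_SSLv2",
    0x02000000: "SSL_OP_NO_SSLv3",
    0x04000000: "SSL_OP_NO_TLSv1",
    0x08000000: "SSL_OP_NO_TLSv1_2",
    0x10000000: "SSL_OP_NO_TLSv1_1",
}
# Protocol version -> the option bit that disables it on the server.
NO_VERSION_BIT = {0x0300: 0x02000000, 0x0301: 0x04000000,
                  0x0302: 0x10000000, 0x0303: 0x08000000}

def decode_ssl_options(mask):
    """Names of the SSL_OP_* bits set in a stunnel 'SSL options set' value."""
    return [name for bit, name in sorted(SSL_OPTIONS.items()) if mask & bit]

def parse_client_hello(record):
    """Return (record_layer_version, client_hello_version) from the first
    record a client sends; the second value is the highest version it offers."""
    if len(record) < 11:
        raise ValueError("record too short")
    content_type, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:             # 22 = handshake; an SSLv2 hello has no such header
        raise ValueError("not an SSLv3/TLS handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != 1:  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    return rec_ver, struct.unpack("!H", body[4:6])[0]

def server_would_reject(options_mask, client_max_version):
    """True when every version the client could negotiate is disabled by the mask."""
    usable = [v for v, bit in NO_VERSION_BIT.items()
              if v <= client_max_version and not options_mask & bit]
    return not usable

# Constructed SSL 3.0 ClientHello: record header, handshake header, version,
# 32-byte random, empty session id, one cipher suite, null compression.
SSLV3_CLIENT_HELLO = (
    b"\x16\x03\x00\x00\x2d"             # handshake record, version 3.0, 45 bytes
    + b"\x01\x00\x00\x29"               # ClientHello, 41-byte body
    + b"\x03\x00" + b"\x11" * 32        # client_version 3.0 + random
    + b"\x00" + b"\x00\x02\x00\x2f"     # no session id; TLS_RSA_WITH_AES_128_CBC_SHA
    + b"\x01\x00"                       # compression: null
)

if __name__ == "__main__":
    mask = 0x03000004                   # value from the question's debug=7 log
    print(decode_ssl_options(mask))
    rec_ver, hello_ver = parse_client_hello(SSLV3_CLIENT_HELLO)
    print(hex(rec_ver), hex(hello_ver), server_would_reject(mask, hello_ver))
```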