SSL证书和elinks

Question

我有时使用elinks进行网页浏览，并且由于SSL error发生某些https网站无法加载的情况。

一个例子是https://www.rust-lang.org，它不会在elinks中加载，但可以很好地工作，如铬和Firefox等其他浏览器。

检查https://www.rust-lang.org证书使用命令行给出一个很短的输出：

$ echo | openssl s_client -connect www.rust-lang.org:443 2>/dev/null 
CONNECTED(00000003) 
--- 
no peer certificate available 
--- 
No client certificate CA names sent 
--- 
SSL handshake has read 7 bytes and written 297 bytes 
--- 
New, (NONE), Cipher is (NONE) 
Secure Renegotiation IS NOT supported 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
    Protocol : TLSv1.2 
    Cipher : 0000 
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg : None 
    PSK identity: None 
    PSK identity hint: None 
    SRP username: None 
    Start Time: 1459658221 
    Timeout : 300 (sec) 
    Verify return code: 0 (ok) 
--- 

作为对比谷歌的输出是：

$ echo | openssl s_client -connect www.google.com:443 2>/dev/null 
CONNECTED(00000003) 
--- 
Certificate chain 
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com 
    i:/C=US/O=Google Inc/CN=Google Internet Authority G2 
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2 
    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 
    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority 
--- 
Server certificate 
-----BEGIN CERTIFICATE----- 
MIIEgDCCA2igAwIBAgIIF8zP738syB4wDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE 
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl 
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwMzIzMTk0MTQ0WhcNMTYwNjE1MTkyMDAw 
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN 
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3 
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoxzls 
wT/PC9gErDAme+LX9PAdv8270+BHCaNe/YxZE093ryPQq5PPKHsBNSzNvHwNfWuv 
H3z/CBvaIiFgBimSm3cWOvjXipqTL5sHGkLr/RNAxmwo2dUKZ0LBUCXB4YvXkMb0 
lI3XpgZk1CUzE7jj3HDgA+IOpT8JgbmKH19Z7+lwBzaunztBk8YM/LKrb9XtDzYW 
diPkBwm0xx2dj2jCrj49Hvug9qAGQ5Zx8YuNrwR5qYXW/8aVB6MJ8r/ZLKzU39k3 
nvp5ZylyGklJAuGneCblChzpR18ab8k2B/26qgCv7T4MLoAGRTbvTrZ0HxTj8aie 
yI0+jZjRQjBeYwGPAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI 
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE 
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0 
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G 
A1UdDgQWBBQKfpRDWX9xAx1/4SBXfKJdHrqPHjAMBgNVHRMBAf8EAjAAMB8GA1Ud 
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW 
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n 
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAiwUNf4uVHi1f8u1m 
nd2vEHlOIQkNFLeuj9RPQfsFPL7fX/UzE5HbLzp1y4ICnRuCONKhz08YZ56pQ09A 
+MfzIm0/e3yytHRf5f+YWATKkGtEh3pJdkOJM2UYIFFDs382a+bau7dTVyZFgMyS 
m2Wlhw/zCLBgIebkSwsrrJAftwKu2AjvG6XJCUd08MSEe6UVF15COudEdVkKoDWR 
ZmITWRFSFAeeJ5dKAzRojKVgGYV8tw6ByVKSizl5WS+hrXdD4IHkProKEFbSQgIv 
Eyv87d8W8yscamZDU6Da+Djjxf07LkE3qDtd/RQY+IMm4V17ko6WfaV7ibionAA5 
uAnzkw== 
-----END CERTIFICATE----- 
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com 
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2 
--- 
No client certificate CA names sent 
--- 
SSL handshake has read 3727 bytes and written 423 bytes 
--- 
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 
Server public key is 2048 bit 
Secure Renegotiation IS supported 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
    Protocol : TLSv1.2 
    Cipher : ECDHE-RSA-AES128-GCM-SHA256 
    Session-ID: BBBB89FD38DF58981900A70A2F92A01E57888CF80B71AE19DE5F92EDE389D7FE 
    Session-ID-ctx: 
    Master-Key: 80B4C5C3F81C7AFDAA226BB0285E9F9088737151CCB4EA742328C727363F9663997E68D757CB73B79EF8E3C90B622E12 
    Key-Arg : None 
    PSK identity: None 
    PSK identity hint: None 
    SRP username: None 
    TLS session ticket lifetime hint: 100800 (seconds) 
    TLS session ticket: 
    0000 - ee 03 90 3e 12 a6 14 ba-f9 db 39 f7 6f 3c bf 58 ...>......9.o<.X 
    0010 - 32 5d 0a 6f 08 cf 17 f9-16 49 91 c3 4f 99 50 01 2].o.....I..O.P. 
    0020 - 6a 90 47 0a 7d 62 5e b8-26 ef 21 9f f3 df a9 35 j.G.}b^.&.!....5 
    0030 - 17 90 53 cf 6a 1e d8 e7-ef d9 7a fc ea 80 c0 74 ..S.j.....z....t 
    0040 - c2 ee ba e4 5c ef 04 38-45 58 75 f6 7f f4 cd 78 ....\..8EXu....x 
    0050 - eb 31 5d be c2 c9 bb cd-dc c1 13 cc 81 84 48 39 .1]...........H9 
    0060 - 12 52 43 ae c6 24 1b 6e-85 7f 23 90 ff 80 9c 11 .RC..$.n..#..... 
    0070 - 49 e2 b4 c1 bf 32 08 e5-c4 55 84 de 46 77 d0 a1 I....2...U..Fw.. 
    0080 - 92 7b 7c 1b 54 a1 49 c2-b0 d7 b9 f8 65 d2 1d 19 .{|.T.I.....e... 
    0090 - 2d 8e 5a 66 72 6c c8 50-7c d7 aa b8 58 28 7c 7d -.Zfrl.P|...X(|} 
    00a0 - 4c 64 1a 85          Ld.. 

    Start Time: 1459659110 
    Timeout : 300 (sec) 
    Verify return code: 20 (unable to get local issuer certificate) 
--- 

为什么铬和Firefox得到正确的证书和未加elinks ， ，有没有办法在elinks中阅读这些网站？

Answer 1

您需要使用Server Name Indication (SNI)才能成功访问www.rust-lang.org。随着openssl s_client这可以通过添加-servername参数来完成：

$ openssl s_client -connect www.rust-lang.org:443 \ 
    -servername www.rust-lang.org 
... 
subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.rust-lang.org 
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 
... 
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 

所有现代浏览器的支持SNI，它是沉重的互联网使用。例如，所有的Cloudflare Free SSL都需要SNI。我的猜测是你使用的elinks版本不支持SNI。我从09/2015发现related bug report与elinks 0.12pre6对比。鉴于这个版本仍然是最新的版本，它看起来像development of elinks stopped in 2012我的猜测是这个问题仍然没有解决。

Answer 2

来自elinks的最新git版本似乎解决了所有这些问题。