在与www.howsmyssl.com/a/check进行安全连接时遇到了一些麻烦。我正在使用wolfSSL连接,但是,握手总是失败(致命错误警报40)。我试图嗅探网络以查看数据包以查看究竟发送了什么以及支持哪些密码组,我发现根据ssllabs的测试,howsmyssl.com和我的客户端都有密码套件。所以我不知道错误发生在哪里。 这是客户的跟踪:尽管密码套件共同失败,但握手失败
这是一个link到www.howsmyssl.com的ssllabs analysation。在这里你可以看到他们有共同的密码组(例如0xc02f),所以我认为连接应该成功,或者我错过了什么?
编辑: 这里有wolfssl
[0;32mI (6565) openssl_example: OpenSSL demo thread start OK[0m
[0;33mW (6565) openssl_example: Size of long = 4, Size of longlong = 8
[0m
[0;32mI (6565) openssl_example: get target IP address[0m
[0;32mI (6595) openssl_example: OK[0m
[0;32mI (6595) openssl_example: 104.196.190.195[0m
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
[0;32mI (6595) openssl_example: create SSL context ......[0m
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
[0;32mI (6615) openssl_example: OK[0m
wolfSSL Entering wolfSSL_CTX_set_verify
wolfSSL Entering wolfSSL_CTX_load_verify_buffer
Getting into SSL_FILETYPE_PEM if
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Parsed new CA
Freeing Parsed CA
Freeing der CA
OK Freeing der CA
wolfSSL Leaving AddCA, return 0
1
Processed a CA
wolfSSL Entering PemToDer
Couldn't find PEM header
-372
CA Parse failed, no progress in file.
Do not continue search for other certs in file
Processed at least one valid CA. Other stuff OK
[0;32mI (6715) openssl_example: create socket ......[0m
[0;32mI (6725) openssl_example: OK[0m
[0;32mI (6725) openssl_example: bind socket ......[0m
[0;32mI (6735) openssl_example: OK[0m
[0;32mI (6735) openssl_example: socket connect to remote www.howsmyssl.com ......[0m
[0;32mI (6865) openssl_example: OK[0m
[0;32mI (6865) openssl_example: create SSL ......[0m
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
[0;32mI (6865) openssl_example: OK[0m
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
[0;32mI (6885) openssl_example: SSL connected to www.howsmyssl.com port 443 ......[0m
wolfSSL Entering SSL_connect()
growing output buffer
Shrinking output buffer
connect state: CLIENT_HELLO_SENT
received record layer msg
got ALERT!
Got alert
wolfSSL error occurred, error = 40
wolfSSL error occurred, error = -313
[0;32mI (7065) openssl_example: OK[0m
wolfSSL Entering wolfSSL_get_cipher
wolfSSL Entering SSL_get_current_cipher
wolfSSL Entering SSL_CIPHER_get_name
wolfSSL Entering wolfSSL_get_cipher_name_from_suite
READ USED CIPHERSUITE: NONE
[0;32mI (7085) openssl_example: send https request to www.howsmyssl.com port 443 ......[0m
wolfSSL Entering SSL_write()
handshake not complete, trying to finish
wolfSSL Entering wolfSSL_negotiate
wolfSSL Entering SSL_connect()
ProcessReply retry in error state, not allowed
wolfSSL error occurred, error = -313
wolfSSL Leaving wolfSSL_negotiate, return -1
wolfSSL Leaving SSL_write(), return -1
[0;32mI (7115) openssl_example: failed[0m
wolfSSL Entering SSL_shutdown()
wolfSSL Leaving SSL_shutdown(), return -1
wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
wolfSSL Leaving SSL_free, return 0
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving SSL_CTX_free, return 0
I (14055) wifi: pm start, type:0
UPDATE的调试日志 我试图连接到www.google.com,这成功。我的代码没有改变,所以我认为这将是一个服务器问题。但是,当我使用mbedtls连接到www.howsmyssl.com时,请求也会成功,并且在通过嗅探网络比较数据包之后,我看不到任何重大差异。
警报40并不意味着没有密码套件的共同点。 – EJP
是的,我知道。这意味着握手过程中出现问题(在这种情况下,客户端问候消息)。所以我检查了我的全部痕迹,看看是否有遗漏,但我不这么认为。服务器还支持至少一个密码套件。我认为这是客户问好消息可能出错的事情。 – user3371198
否。它意味着[RFC 2246#7.2.2](https://www.ietf.org/rfc/rfc2246):'接收到handshake_failure警报消息表明发件人无法协商一组可接受的安全 给出了可用选项的参数。这是一个致命的错误。' – EJP