SSL connection fails, no Certificate Request from the server, connecting from a local Websphere AS to Nginx on AWS


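I am having a hard time connecting to a service with client authentication. The service ("SecureService") is on AWS. The client is on a Linux VM on a Mac. Nginx on SecureService enforces client authentication on the resource I am accessing on port 443. I can connect from the same VM to the same SecureService and get a successful response using a proof-of-concept standalone Java application (openjdk 1.8.0_60) or other clients (wget, openssl), but not from the same Java code hosted on Websphere AS (which admittedly relies on old libraries and the IBM J9 VM, build 2.6, JRE 1.6.0). However, when the SecureService hostname is remapped to 127.0.0.1 in /etc/hosts, the same Java code on Websphere AS connects successfully to a local openSSL server that requires client authentication from the same certificate authority. The response from SecureServer in the failed connection reports "400 No required SSL certificate was sent" … "400 Bad Request", but the tcpdump packet capture shows that it does not send a Certificate Request, while it does in all the other cases. This is puzzling and makes me think there is something in the ClientHello message that the server does not like, although the ClientHello messages in the successful and failed connections are very similar.

A very odd detail is also that tcpdump never captures the first TCP SYN packet from my client to the server in the failed communication, while it captures the rest (the SYN ACK from the server, then the ACK from the client), and it captures all the packets (SYN, SYN ACK, ACK) in all the other communications.

All communications use TLSv1.2 in all their parts.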

Failed connection:
(client <--> server)

    <-- SYN, ACK
    --> ACK
    --> Client Hello
    <-- ACK
    <-- Server Hello, Certificate, Server Hello Done
    --> ACK
    --> Client Key Exchange
    <-- ACK
    --> Change Cipher Spec
    <-- ACK
    --> Encrypted Handshake Message
    <-- ACK
    <-- Change Cipher Spec, Encrypted Handshake Message
    --> Application Data
    ...

Successful connection from the proof-of-concept Java app:
(client <--> server)

    --> SYN
    <-- SYN, ACK
    --> ACK
    --> Client Hello
    <-- ACK
    <-- Server Hello
    <-- Certificate
    <-- Certificate Request, Server Hello Done
    --> ACK
    --> ACK
    --> [TCP segment of a reassembled PDU]
    --> Certificate, Client Key Exchange
    <-- ACK
    --> Certificate Verify
    --> Change Cipher Spec
    --> Hello Request, Hello Request
    <-- ACK
    <-- Change Cipher Spec, Encrypted Handshake Message
    --> Application Data
    ...

Successful connection from Websphere AS to the local openSSL server:
(client <--> server)

    --> SYN
    <-- SYN,Certificate Request,Server Hello Done
    --> ACK
    --> Certificate, Client Key Exchange
    <-- ACK
    --> Certificate Verify
    --> Change Cipher Spec
    --> Encrypted Handshake Message
    <-- ACK
    <-- Change Cipher Spec, Encrypted Handshake Message
    --> Application Data
    ...

Failed Client Hello:

    Frame 3: 332 bytes on wire (2656 bits), 332 bytes captured (2656 bits)
    Encapsulation type: Linux cooked-mode capture (25)
    Arrival Time: Feb 25, 2016 13:29:15.353437000 GMT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1456406955.353437000 seconds
    [Time delta from previous captured frame: 0.004839000 seconds]
    [Time delta from previous displayed frame: 0.004839000 seconds]
    [Time since reference or first frame: 0.004868000 seconds]
    Frame Number: 3
    Frame Length: 332 bytes (2656 bits)
    Capture Length: 332 bytes (2656 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: sll:ethertype:ip:tcp:ssl]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
    Linux cooked capture
    Packet type: Sent by us (4)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: CadmusCo_67:0a:c1 (08:00:27:67:0a:c1)
    Protocol: IPv4 (0x0800)
    Internet Protocol Version 4, Src: (OMITTED FOR SECURITY REASONS), Dst: (OMITTED FOR SECURITY REASONS)
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    0000 00.. = Differentiated Services Codepoint: Default (0)
    .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 316
    Identification: 0xf29d (62109)
    Flags: 0x02 (Don't Fragment)
    0... .... = Reserved bit: Not set
    .1.. .... = Don't fragment: Set
    ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0xc7f8 [validation disabled]
    [Good: False]
    [Bad: False]
    Source: (OMITTED FOR SECURITY REASONS)
    Destination: (OMITTED FOR SECURITY REASONS)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
    Transmission Control Protocol, Src Port: 51512 (51512), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 276
    Source Port: 51512
    Destination Port: 443
    [Stream index: 0]
    [TCP Segment Len: 276]
    Sequence number: 1 (relative sequence number)
    [Next sequence number: 277 (relative sequence number)]
    Acknowledgment number: 1 (relative ack number)
    Header Length: 20 bytes
    Flags: 0x018 (PSH, ACK)
    000. .... .... = Reserved: Not set
    ...0 .... .... = Nonce: Not set
    .... 0... .... = Congestion Window Reduced (CWR): Not set
    .... .0.. .... = ECN-Echo: Not set
    .... ..0. .... = Urgent: Not set
    .... ...1 .... = Acknowledgment: Set
    .... .... 1... = Push: Set
    .... .... .0.. = Reset: Not set
    .... .... ..0. = Syn: Not set
    .... .... ...0 = Fin: Not set
    [TCP Flags: *******AP***]
    Window size value: 14600
    [Calculated window size: 14600]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0x8054 [validation disabled]
    [Good Checksum: False]
    [Bad Checksum: False]
    Urgent pointer: 0
    [SEQ/ACK analysis]
    [Bytes in flight: 276]
    Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 271
    Handshake Protocol: Client Hello
    Handshake Type: Client Hello (1)
    Length: 267
    Version: TLS 1.2 (0x0303)
    Random
    GMT Unix Time: Feb 25, 2016 13:29:15.000000000 GMT
    Random Bytes: 2ca99e72b66289fcd3f11bf2dc3ef464709b197e6dd6cdd5...
    Session ID Length: 32
    Session ID: 28eef056a41440e760eaa9e3358a9cd56d8823fa130e9100...
    Cipher Suites Length: 128
    Cipher Suites (64 suites)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
    Cipher Suite: TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
    Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
    Cipher Suite: TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066)
    Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
    Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
    Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
    Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
    Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
    Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
    Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
    Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
    Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
    Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
    Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
    Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
    Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
    Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
    Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
    Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
    Cipher Suite: SSL_RSA_FIPS_WITH_DES_CBC_SHA (0xfefe)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
    Cipher Suite: TLS_RSA_WITH_NULL_MD5 (0x0001)
    Cipher Suite: TLS_RSA_WITH_NULL_SHA (0x0002)
    Cipher Suite: TLS_RSA_WITH_NULL_SHA256 (0x003b)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
    Compression Methods Length: 1
    Compression Methods (1 method)
    Compression Method: null (0)
    Extensions Length: 66
    Extension: elliptic_curves
    Type: elliptic_curves (0x000a)
    Length: 24
    Elliptic Curves Length: 22
    Elliptic curves (11 curves)
    Elliptic curve: secp256r1 (0x0017)
    Elliptic curve: secp192r1 (0x0013)
    Elliptic curve: secp224r1 (0x0015)
    Elliptic curve: secp384r1 (0x0018)
    Elliptic curve: secp521r1 (0x0019)
    Elliptic curve: secp160k1 (0x000f)
    Elliptic curve: secp160r1 (0x0010)
    Elliptic curve: secp160r2 (0x0011)
    Elliptic curve: secp192k1 (0x0012)
    Elliptic curve: secp224k1 (0x0014)
    Elliptic curve: secp256k1 (0x0016)
    Extension: ec_point_formats
    Type: ec_point_formats (0x000b)
    Length: 2
    EC point formats Length: 1
    Elliptic curves point formats (1)
    EC point format: uncompressed (0)
    Extension: signature_algorithms
    Type: signature_algorithms (0x000d)
    Length: 28
    Signature Hash Algorithms Length: 26
    Signature Hash Algorithms (13 algorithms)
    Signature Hash Algorithm: 0x0603
    Signature Hash Algorithm Hash: SHA512 (6)
    Signature Hash Algorithm Signature: ECDSA (3)
    Signature Hash Algorithm: 0x0601
    Signature Hash Algorithm Hash: SHA512 (6)
    Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0503
    Signature Hash Algorithm Hash: SHA384 (5)
    Signature Hash Algorithm Signature: ECDSA (3)
    Signature Hash Algorithm: 0x0501
    Signature Hash Algorithm Hash: SHA384 (5)
    Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0403
    Signature Hash Algorithm Hash: SHA256 (4)
    Signature Hash Algorithm Signature: ECDSA (3)
    Signature Hash Algorithm: 0x0401
    Signature Hash Algorithm Hash: SHA256 (4)
    Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0303
    Signature Hash Algorithm Hash: SHA224 (3)
    Signature Hash Algorithm Signature: ECDSA (3)
    Signature Hash Algorithm: 0x0301
    Signature Hash Algorithm Hash: SHA224 (3)
    Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0203
    Signature Hash Algorithm Hash: SHA1 (2)
    Signature Hash Algorithm Signature: ECDSA (3)
    Signature Hash Algorithm: 0x0201
    Signature Hash Algorithm Hash: SHA1 (2)
    Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0402
    Signature Hash Algorithm Hash: SHA256 (4)
    Signature Hash Algorithm Signature: DSA (2)
    Signature Hash Algorithm: 0x0202
    Signature Hash Algorithm Hash: SHA1 (2)
    Signature Hash Algorithm Signature: DSA (2)
    Signature Hash Algorithm: 0x0101
    Signature Hash Algorithm Hash: MD5 (1)
    Signature Hash Algorithm Signature: RSA (1)

Successful Client Hello from the proof of concept to SecureServer:

    Frame 62: 306 bytes on wire (2448 bits), 306 bytes captured (2448 bits) on interface 0
    Interface id: 0 (en0)
    Encapsulation type: Ethernet (1)
    Arrival Time: Feb 24, 2016 17:20:21.803009000 GMT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1456334421.803009000 seconds
    [Time delta from previous captured frame: 0.119948000 seconds]
    [Time delta from previous displayed frame: 0.119948000 seconds]
    [Time since reference or first frame: 17.897514000 seconds]
    Frame Number: 62
    Frame Length: 306 bytes (2448 bits)
    Capture Length: 306 bytes (2448 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:ssl]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
    Ethernet II, Src: Apple_bc:c7:11 (a4:5e:60:bc:c7:11), Dst: CiscoInc_76:28:80 (a4:4c:11:76:28:80)
    Destination: CiscoInc_76:28:80 (a4:4c:11:76:28:80)
    Address: CiscoInc_76:28:80 (a4:4c:11:76:28:80)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Apple_bc:c7:11 (a4:5e:60:bc:c7:11)
    Address: Apple_bc:c7:11 (a4:5e:60:bc:c7:11)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    Internet Protocol Version 4,ECN: Not-ECT)
    0000 00.. = Differentiated Services Codepoint: Default (0)
    .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 292
    Identification: 0xa8b7 (43191)
    Flags: 0x02 (Don't Fragment)
    0... .... = Reserved bit: Not set
    .1.. .... = Don't fragment: Set
    ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x279c [validation disabled]
    [Good: False]
    [Bad: False]
    Source: (OMITTED FOR SECURITY REASONS)
    Destination: (OMITTED FOR SECURITY REASONS)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
    Transmission Control Protocol,Src Port: 62197 (62197),Len: 240
    Source Port: 62197
    Destination Port: 443
    [Stream index: 9]
    [TCP Segment Len: 240]
    Sequence number: 1 (relative sequence number)
    [Next sequence number: 241 (relative sequence number)]
    Acknowledgment number: 1 (relative ack number)
    Header Length: 32 bytes
    Flags: 0x018 (PSH, ACK)
    000. .... .... = Reserved: Not set
    ...0 .... .... = Nonce: Not set
    .... 0... .... = Congestion Window Reduced (CWR): Not set
    .... .0.. .... = ECN-Echo: Not set
    .... ..0. .... = Urgent: Not set
    .... ...1 .... = Acknowledgment: Set
    .... .... 1... = Push: Set
    .... .... .0.. = Reset: Not set
    .... .... ..0. = Syn: Not set
    .... .... ...0 = Fin: Not set
    [TCP Flags: *******AP***]
    Window size value: 4122
    [Calculated window size: 131904]
    [Window size scaling factor: 32]
    Checksum: 0xc3c5 [validation disabled]
    [Good Checksum: False]
    [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes),No-Operation (NOP),Timestamps
    No-Operation (NOP)
    Type: 1
    0... .... = Copy on fragmentation: No
    .00. .... = Class: Control (0)
    ...0 0001 = Number: No-Operation (NOP) (1)
    No-Operation (NOP)
    Type: 1
    0... .... = Copy on fragmentation: No
    .00. .... = Class: Control (0)
    ...0 0001 = Number: No-Operation (NOP) (1)
    Timestamps: TSval 928661973, TSecr 546145009
    Kind: Time Stamp Option (8)
    Length: 10
    Timestamp value: 928661973
    Timestamp echo reply: 546145009
    [SEQ/ACK analysis]
    [iRTT: 0.016102000 seconds]
    [Bytes in flight: 240]
    Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 235
    Handshake Protocol: Client Hello
    Handshake Type: Client Hello (1)
    Length: 231
    Version: TLS 1.2 (0x0303)
    Random
    GMT Unix Time: Feb 24, 2016 17:20:21.000000000 GMT
    Random Bytes: fbb67137e8cde6609cb570685f6c9b5a62eefbc12973b545...
    Session ID Length: 0
    Cipher Suites Length: 58
    Cipher Suites (29 suites)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
    Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
    Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
    Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
    Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
    Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
    Compression Methods Length: 1
    Compression Methods (1 method)
    Compression Method: null (0)
    Extensions Length: 132
    Extension: elliptic_curves
    Type: elliptic_curves (0x000a)
    Length: 52
    Elliptic Curves Length: 50
    Elliptic curves (25 curves)
    Elliptic curve: secp256r1 (0x0017)
    Elliptic curve: sect163k1 (0x0001)
    Elliptic curve: sect163r2 (0x0003)
    Elliptic curve: secp192r1 (0x0013)
    Elliptic curve: secp224r1 (0x0015)
    Elliptic curve: sect233k1 (0x0006)
    Elliptic curve: sect233r1 (0x0007)
    Elliptic curve: sect283k1 (0x0009)
    Elliptic curve: sect283r1 (0x000a)
    Elliptic curve: secp384r1 (0x0018)
    Elliptic curve: sect409k1 (0x000b)
    Elliptic curve: sect409r1 (0x000c)
    Elliptic curve: secp521r1 (0x0019)
    Elliptic curve: sect571k1 (0x000d)
    Elliptic curve: sect571r1 (0x000e)
    Elliptic curve: secp160k1 (0x000f)
    Elliptic curve: secp160r1 (0x0010)
    Elliptic curve: secp160r2 (0x0011)
    Elliptic curve: sect163r1 (0x0002)
    Elliptic curve: secp192k1 (0x0012)
    Elliptic curve: sect193r1 (0x0004)
    Elliptic curve: sect193r2 (0x0005)
    Elliptic curve: secp224k1 (0x0014)
    Elliptic curve: sect239k1 (0x0008)
    Elliptic curve: secp256k1 (0x0016)
    Extension: ec_point_formats
    Type: ec_point_formats (0x000b)
    Length: 2
    EC point formats Length: 1
    Elliptic curves point formats (1)
    EC point format: uncompressed (0)
    Extension: signature_algorithms
    Type: signature_algorithms (0x000d)
    Length: 26
    Signature Hash Algorithms Length: 24
    Signature Hash Algorithms (12 algorithms)
    Signature Hash Algorithm: 0x0603
    Signature Hash Algorithm Hash: SHA512 (6)
    Signature Hash Algorithm Signature: ECDSA (3)
    Signature Hash Algorithm: 0x0601
    Signature Hash Algorithm Hash: SHA512 (6)
    Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0503
    Signature Hash Algorithm Hash: SHA384 (5)
    Signature Hash Algorithm Signature: ECDSA (3)
    Signature Hash Algorithm: 0x0501
    Signature Hash Algorithm Hash: SHA384 (5)
    Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0403
    Signature Hash Algorithm Hash: SHA256 (4)
    Signature Hash Algorithm Signature: ECDSA (3)
    Signature Hash Algorithm: 0x0401
    Signature Hash Algorithm Hash: SHA256 (4)
    Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0303
    Signature Hash Algorithm Hash: SHA224 (3)
    Signature Hash Algorithm Signature: ECDSA (3)
    Signature Hash Algorithm: 0x0301
    Signature Hash Algorithm Hash: SHA224 (3)
    Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0203
    Signature Hash Algorithm Hash: SHA1 (2)
    Signature Hash Algorithm Signature: ECDSA (3)
    Signature Hash Algorithm: 0x0201
    Signature Hash Algorithm Hash: SHA1 (2)
    Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0202
    Signature Hash Algorithm Hash: SHA1 (2)
    Signature Hash Algorithm Signature: DSA (2)
    Signature Hash Algorithm: 0x0101
    Signature Hash Algorithm Hash: MD5 (1)
    Signature Hash Algorithm Signature: RSA (1)
    Extension: server_name
    Type: server_name (0x0000)
    Length: 36
    Server Name Indication extension
    Server Name list length: 34
    Server Name Type: host_name (0)
    Server Name length: 31
    Server Name: (OMITTED FOR SECURITY REASONS - IT CORRESPONDS TO THE DESTINATION HOSTNAME)

tcpdump command line:

    sudo tcpdump -s 0 -n "port 443" -w /Repo/security/capture.cap -i any

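Does anyone know what could be going wrong? At the moment I have no administrative rights, or even an account, to log in to the server.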

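Best answer

Solved: I found out that the Nginx server requires the "server_name" extension to be specified in the Client Hello. In fact, the following openssl command prompts the server to issue a Certificate Request…

    /usr/local/Cellar/openssl/1.0.2e/bin/openssl s_client -cert client_identity.crt -key client_identity.key -connect SecureServerHostName:443 -debug -servername SecureServerHostName

…while omitting the "-servername" option does not.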

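How I am going to force Websphere AS to add that extension is another matter. Upgrading the Java version might help, by updating the implementation of the TLS protocol.

Update: yes, upgrading the IBM JDK from 1.6 to 1.7.1 worked, producing a Client Hello message with Server Name Indication, as described here (Java SE 7 enables Server Name Indication (SNI) by default).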
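
The difference the answer identifies, a Client Hello with or without the server_name extension (type 0x0000), can be checked directly on captured record bytes. The following is an added example, not code from the original post: it parses a TLS 1.2 ClientHello held in a single record and reports the SNI hostname; the two sample records and the hostname `secure.example.test` are constructed for illustration.

```python
import struct

SNI = 0x0000  # server_name extension type, as labelled in the Wireshark dump

def build_client_hello(extensions):
    """Constructed minimal TLS 1.2 ClientHello record (sample input only)."""
    exts = b"".join(extensions)
    body = (b"\x03\x03" + bytes(32)      # client_version, 32-byte random
            + b"\x00"                    # empty session id
            + b"\x00\x02\x00\x2f"        # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00"                # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def sni_extension(hostname):
    """Encode a server_name extension holding one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI, len(name_list)) + name_list

def parse_extensions(record):
    """Return {extension_type: data} for a ClientHello held in one TLS record."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]               # session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
        pos += 1 + record[pos]               # compression methods
        if pos == len(record):
            return {}                        # the extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        found = {}
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            found[ext_type] = record[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
        if pos != end or end > len(record):
            raise ValueError("extension lengths do not add up")
        return found
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None

def sni_hostname(record):
    """Hostname from the server_name extension, or None if the client sent no SNI."""
    data = parse_extensions(record).get(SNI)
    if not data or len(data) < 5 or data[2] != 0:   # name type 0 = host_name
        return None
    name_len = struct.unpack_from("!H", data, 3)[0]
    return data[5:5 + name_len].decode("ascii")

# Constructed samples; the ec_point_formats bytes follow the values in both dumps.
EC_POINT_FORMATS = b"\x00\x0b\x00\x02\x01\x00"
WITHOUT_SNI = build_client_hello([EC_POINT_FORMATS])
WITH_SNI = build_client_hello([EC_POINT_FORMATS, sni_extension("secure.example.test")])

if __name__ == "__main__":
    for label, rec in (("without SNI", WITHOUT_SNI), ("with SNI", WITH_SNI)):
        types = sorted(hex(t) for t in parse_extensions(rec))
        print(label, "->", sni_hostname(rec), types)
```
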
