When I use Ruby's open-uri module on Debian, I noticed an SSL handshake error on Debian:Squeeze, but it works fine on Debian:Wheezy and Debian:Jessie.
Here is what I noticed:
Debian Squeeze
    root@0fdf024c8c42:/# cat /etc/issue
    Debian GNU/Linux 6.0 \n \l
    root@0fdf024c8c42:/# irb
    irb(main):001:0> require 'open-uri'
    => true
    irb(main):002:0> open("https://www.openssl.org")
    OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
        from /usr/lib/ruby/1.9.1/net/http.rb:799:in `connect'
        from /usr/lib/ruby/1.9.1/net/http.rb:799:in `block in connect'
        from /usr/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
        from /usr/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
        from /usr/lib/ruby/1.9.1/net/http.rb:799:in `connect'
        from /usr/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
        from /usr/lib/ruby/1.9.1/net/http.rb:744:in `start'
        from /usr/lib/ruby/1.9.1/open-uri.rb:306:in `open_http'
        from /usr/lib/ruby/1.9.1/open-uri.rb:775:in `buffer_open'
        from /usr/lib/ruby/1.9.1/open-uri.rb:203:in `block in open_loop'
        from /usr/lib/ruby/1.9.1/open-uri.rb:201:in `catch'
        from /usr/lib/ruby/1.9.1/open-uri.rb:201:in `open_loop'
        from /usr/lib/ruby/1.9.1/open-uri.rb:146:in `open_uri'
        from /usr/lib/ruby/1.9.1/open-uri.rb:677:in `open'
        from /usr/lib/ruby/1.9.1/open-uri.rb:33:in `open'
        from (irb):2
        from /usr/bin/irb:12:in `<main>'
    irb(main):003:0>
Debian Wheezy
    root@d6d7e1af56d0:/# cat /etc/issue
    Debian GNU/Linux 7 \n \l
    root@d6d7e1af56d0:/# irb
    irb(main):001:0> require 'open-uri'
    => true
    irb(main):002:0> open("https://www.openssl.org")
    => #<StringIO:0x000000022aaec0>
Debian Jessie
    root@405c251f32df:/# cat /etc/issue
    Debian GNU/Linux 8 \n \l
    root@405c251f32df:/# irb2.1
    irb(main):001:0> require 'open-uri'
    => true
    irb(main):002:0> open("https://www.openssl.org")
    => #<StringIO:0x00000001e45b78 @base_uri=#<URI::HTTPS:0x00000001e45ec0 URL:https://www.openssl.org>, @meta={"date"=>"Wed, 26 Aug 2015 11:56:57 GMT", "server"=>"Apache/2.4.7 (Ubuntu)", "strict-transport-security"=>"max-age=31536000; includeSubDomains", "accept-ranges"=>"bytes", "vary"=>"Accept-Encoding", "content-length"=>"2456", "content-type"=>"text/html; charset=UTF-8"}, @metas={"date"=>["Wed, 26 Aug 2015 11:56:57 GMT"], "server"=>["Apache/2.4.7 (Ubuntu)"], "strict-transport-security"=>["max-age=31536000; includeSubDomains"], "accept-ranges"=>["bytes"], "vary"=>["Accept-Encoding"], "content-length"=>["2456"], "content-type"=>["text/html; charset=UTF-8"]}, @status=["200", "OK"]>
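I know this has nothing to do with the Ruby version, because I tried updating the Ruby version and it did not help.
Does the Squeeze machine have the ca-certificates package installed? Without it, there is no trusted set of root certificates available to validate that the presented certificate is valid.
Assuming ca-certificates is installed correctly, you may be running into a TLS protocol compatibility problem. Squeeze, being quite old, has a version of OpenSSL that is not fully compliant with modern standards. Some sites (such as www.openssl.org, which you are testing against) may configure their TLS stack in a way that limits compatibility with older TLS stacks such as the one in Squeeze.
On a test system, trying open("https://www.openssl.org") gives the same result as yours, but connecting to some other sites works fine. This ssllabs report indicates that www.openssl.org does not support TLS 1.0, which is the highest version that the Squeeze connection reports. So in this particular case, that is the problem you are running into: a simple TLS version incompatibility.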
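The version mismatch described in the answer above can be reproduced offline on one machine. This is an added example, not code from the original post: it assumes a loopback server with a TLS 1.2 floor (the page only states that TLS 1.0 is not supported) and a constructed throwaway certificate, and `start_tls_server` and `probe` are hypothetical helper names.

```ruby
require 'openssl'
require 'socket'

# Constructed throwaway key and self-signed certificate for the loopback server.
KEY = OpenSSL::PKey::RSA.new(2048)
CERT = OpenSSL::X509::Certificate.new.tap do |c|
  c.serial = 1
  c.subject = c.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  c.public_key = KEY.public_key
  c.not_before = Time.now - 60
  c.not_after = Time.now + 3600
  c.sign(KEY, OpenSSL::Digest.new('SHA256'))
end

# Start a loopback TLS server that rejects versions below min_version; returns its port.
def start_tls_server(min_version)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = CERT
  ctx.key = KEY
  ctx.min_version = min_version
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      server.accept.close
    rescue StandardError
      break if tcp.closed? # otherwise a rejected handshake must not stop the server
    end
  end
  tcp.addr[1]
end

# Handshake as a client capped at max_version; returns the protocol or :handshake_failed.
def probe(port, max_version)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # throwaway cert; only versions are tested
  ctx.max_version = max_version
  tcp = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.connect
  ssl.ssl_version
rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
  :handshake_failed
ensure
  tcp&.close
end

port = start_tls_server(OpenSSL::SSL::TLS1_2_VERSION)
puts "client capped at TLS 1.0: #{probe(port, OpenSSL::SSL::TLS1_VERSION)}"
puts "client capped at TLS 1.2: #{probe(port, OpenSSL::SSL::TLS1_2_VERSION)}"
```

The client capped at TLS 1.0 stands in for the Squeeze OpenSSL stack; the certificate is never the cause of the failure here, which is why installing ca-certificates alone would not help in that case.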