我在处理向远程服务器执行 GET 请求的应用程序升级时遇到问题。
首先要做的事情:由旧版本完成的 GET 功能示例,正如预期的那样,它可以工作
curl -k -vvvvv https://mywebsite.com/mywonderfulwebsite/mypage.php
* Trying 192.168.0.70...
* TCP_NODELAY set
* Connected to mywebsite.com (192.168.0.70) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Client hello (1):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / AES128-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=MYWEBSITE.COM
* start date: Mar 24 10:20:51 2020 GMT
* expire date: Mar 24 00:00:00 2021 GMT
* issuer: CN=MYWEBSITE.COM
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /mywonderfulwebsite/mypage.php HTTP/1.1
> Host: mywebsite.com
> User-Agent: curl/7.58.0
> Accept: */*
....... and here the content of the page.....
现在从新版本开始就不行了
curl -vvvvv https://mywebsite.com/mywonderfulwebsite/mypage.php
* Trying 192.168.0.70:443...
* TCP_NODELAY set
* Connected to mywebsite.com (192.168.0.70) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
所以我认为它来自 TLS 版本,没问题,让我们强制它:
curl --tlsv1.0 -vvvvv https://mywebsite.com/mywonderfulwebsite/mypage.php
* Trying 192.168.0.70:443...
* TCP_NODELAY set
* Connected to mywebsite.com (192.168.0.70) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
这是一个失败。
我尝试从远程网站添加证书,并且得到相同的答案。
我使用 openssl 客户端查看了一个请求:
# openssl s_client -connect mywebsite.com:443 -tls1
CONNECTED(00000003)
139820362433856:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
现在我正在处理版本和请求,但我不知道应该在哪里检查。 你知道我该如何解决我的问题吗?
这是解决方案:https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
最新的 openssl 软件包被配置为禁止使用 TLS < 1.2 however, the first curl request shows a communication using TLS 1.0
所以在 debian Buster openssl 软件包太新了
dpkg -l | grep openssl
ii openssl 1.1.1d-0+deb10u7
我不必降级 Openssl
编辑/etc/ssl/openssl.cnf
添加到文件开头
openssl_conf = default_conf
这到文件末尾
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
更改配置允许使用从 TSL 1.0 及更高版本开始的最小版本的 TSL,因此从现在开始我可以请求我的旧合作伙伴。
适用于centOS用户。
我的解决方案是将要使用的协议降低到最低级别。
/etc/crypto-policies/back-ends/opensslcnf.config
MinProtocol = TLSv1.0
成功了,希望对你有帮助。 问候。
对于 Docker 用户
Matthew 我的解决方案是通过 docker para hacer esto al contenedor hice lo siguiente les dejo mi DockerFile por si a alguien le Sirve:
Matthew 的解决方案帮助我在 Docker 容器中在容器构建过程中实现这一目标。下面,我详细介绍了我遵循的步骤:
我分享我的 Dockerfile,以防它对任何人有用:
# Utiliza la imagen base php:8.2.17-apache
FROM php:8.2.17-apache
# Instalar los controladores de SQL Server para PHP
ENV ACCEPT_EULA=Y
RUN apt-get update && apt-get install -y gnupg2
RUN curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add
-
RUN curl https://packages.microsoft.com/config/ubuntu/20.04/prod.list >
/etc/apt/sources.list.d/mssql-release.list
RUN apt-get update
RUN ACCEPT_EULA=Y apt-get -y --no-install-recommends install msodbcsql17
unixodbc-dev
RUN pecl install sqlsrv
RUN pecl install pdo_sqlsrv
RUN echo "extension=sqlsrv.so" > /etc/php/8.3/mods-available/sqlsrv.ini
RUN echo "extension=pdo_sqlsrv.so" > /etc/php/8.3/mods-
available/pdo_sqlsrv.ini
# Crea los enlaces simbólicos en la carpeta conf.d para activar las
extensiones
RUN ln -s /etc/php/8.3/mods-available/sqlsrv.ini
/etc/php/8.3/apache2/conf.d/20-sqlsrv.ini && \
ln -s /etc/php/8.3/mods-available/pdo_sqlsrv.ini
/etc/php/8.3/apache2/conf.d/20-pdo_sqlsrv.ini && \
ln -s /etc/php/8.3/mods-available/sqlsrv.ini
/etc/php/8.3/cli/conf.d/20-sqlsrv.ini && \
ln -s /etc/php/8.3/mods-available/pdo_sqlsrv.ini
/etc/php/8.3/cli/conf.d/20-pdo_sqlsrv.ini
# Edita el archivo openssl.cnf para agregar las configuraciones
necesarias
RUN sed -i '1s/^/openssl_conf = default_conf\n/' /etc/ssl/openssl.cnf &&
\
echo "" >> /etc/ssl/openssl.cnf && \
echo "[ default_conf ]" >> /etc/ssl/openssl.cnf && \
echo "ssl_conf = ssl_sect" >> /etc/ssl/openssl.cnf && \
echo "" >> /etc/ssl/openssl.cnf && \
echo "[ssl_sect]" >> /etc/ssl/openssl.cnf && \
echo "system_default = system_default_sect" >> /etc/ssl/openssl.cnf
&& \
echo "" >> /etc/ssl/openssl.cnf && \
echo "[system_default_sect]" >> /etc/ssl/openssl.cnf && \
echo "MinProtocol = TLSv1" >> /etc/ssl/openssl.cnf && \
echo "CipherString = DEFAULT:@SECLEVEL=1" >> /etc/ssl/openssl.cnf
# Iniciar servicios
ENTRYPOINT ["/bin/sh", "-c", "service supervisor start && service
apache2 restart && bash"]