Openssl
OpenSSL s_client does not detect STARTTLS
I am trying to fetch my mail server's certificate with s_client:
    $ /opt/local/bin/openssl s_client -starttls smtp -connect corti.li:25
    CONNECTED(00000003)
    didn't found starttls in server response, try anyway...
    140735895012360:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 307 bytes and written 343 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1493391452
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
I get

    didn't found starttls in server response, try anyway...
but a telnet to port 25 lists STARTTLS among the supported options:
    $ telnet corti.li 25
    Trying 2a01:4f8:c17:3bac::2...
    Connected to corti.li.
    Escape character is '^]'.
    220 corti.li ESMTP
    EHLO casa.corti.li
    250-corti.li
    250-PIPELINING
    250-SIZE 20480000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
and

    STARTTLS
    220 2.0.0 Ready to start TLS

On port 587 everything works fine.
I am using Postfix, and both ports are configured the same way:

    smtp       inet  n       -       n       -       -       smtpd
      -o content_filter=spamassassin
      -o tls_preempt_cipherlist=yes
    submission inet  n       -       n       -       -       smtpd
      -o content_filter=spamassassin
      -o tls_preempt_cipherlist=yes
In the logs I see nothing at all when I try to connect.
I can connect on Linux with

    OpenSSL 1.0.2k-fips 26 Jan 2017

but not on macOS with the same version:

    OpenSSL 1.0.2k 26 Jan 2017

Any hints as to what could be wrong?
EDIT
I just found out that my provider is hijacking the connection:
    /usr/bin/openssl s_client -starttls smtp -connect corti.li:25 -debug
    CONNECTED(00000003)
    read from 0x7fe0d3402930 [0x7fe0d3802000] (4096 bytes => 82 (0x52))
    0000 - 32 32 30 20 6e 77 61 73-2e 6c 62 2e 62 6c 75 65   220 nwas.lb.blue
    0010 - 77 69 6e 2e 63 68 20 76-69 6d 64 7a 6d 73 70 2d   win.ch vimdzmsp-
    0020 - 6e 77 61 73 30 32 2e 62-6c 75 65 77 69 6e 2e 63   nwas02.bluewin.c
    0030 - 68 20 53 77 69 73 73 63-6f 6d 20 41 47 20 45 53   h Swisscom AG ES
    0040 - 4d 54 50 20 73 65 72 76-65 72 20 72 65 61 64 79   MTP server ready
    0050 - 0d 0a                                             ..
    write to 0x7fe0d3402930 [0x7fe0d3803000] (25 bytes => 25 (0x19))
    0000 - 45 48 4c 4f 20 6f 70 65-6e 73 73 6c 2e 63 6c 69   EHLO openssl.cli
    0010 - 65 6e 74 2e 6e 65 74 0d-0a                        ent.net..
    read from 0x7fe0d3402930 [0x7fe0d3802000] (4096 bytes => 192 (0xC0))
    0000 - 32 35 30 2d 6e 77 61 73-2e 6c 62 2e 62 6c 75 65   250-nwas.lb.blue
    0010 - 77 69 6e 2e 63 68 20 68-65 6c 6c 6f 20 5b 36 32   win.ch hello [62
    0020 - 2e 32 30 33 2e 32 33 30-2e 32 33 35 5d 2c 20 70   .203.230.235], p
    0030 - 6c 65 61 73 65 64 20 74-6f 20 6d 65 65 74 20 79   leased to meet y
    0040 - 6f 75 0d 0a 32 35 30 2d-41 55 54 48 20 4c 4f 47   ou..250-AUTH LOG
    0050 - 49 4e 20 50 4c 41 49 4e-20 43 52 41 4d 2d 4d 44   IN PLAIN CRAM-MD
    0060 - 35 20 44 49 47 45 53 54-2d 4d 44 35 0d 0a 32 35   5 DIGEST-MD5..25
    0070 - 30 2d 53 49 5a 45 20 32-36 32 31 34 34 30 30 0d   0-SIZE 26214400.
    0080 - 0a 32 35 30 2d 45 4e 48-41 4e 43 45 44 53 54 41   .250-ENHANCEDSTA
    0090 - 54 55 53 43 4f 44 45 53-0d 0a 32 35 30 2d 50 49   TUSCODES..250-PI
    00a0 - 50 45 4c 49 4e 49 4e 47-0d 0a 32 35 30 2d 38 42   PELINING..250-8B
    00b0 - 49 54 4d 49 4d 45 0d 0a-32 35 30 20 4f 4b 0d 0a   ITMIME..250 OK..
    didn't found starttls in server response, try anyway...
    write to 0x7fe0d3402930 [0x7fff5d5363b0] (10 bytes => 10 (0xA))
    0000 - 53 54 41 52 54 54 4c 53-0d 0a                     STARTTLS..
    read from 0x7fe0d3402930 [0x7fe0d4803000] (8192 bytes => 26 (0x1A))
    0000 - 35 30 30 20 63 6f 6d 6d-61 6e 64 20 75 6e 72 65   500 command unre
    0010 - 63 6f 67 6e 69 7a 65 64-0d 0a                     cognized..
    write to 0x7fe0d3402930 [0x7fe0d4807000] (130 bytes => 130 (0x82))
    0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00   ......W... ..9..
    0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
    0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00   ..3..2../.......
    0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00   ................
    0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11   .........@......
    0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00   ................
    0060 - 00 ff b6 e6 d5 52 4c 9e-1f 29 1d 19 a4 8a 17 b3   .....RL..)......
    0070 - cd 06 7e bf 6f 68 8c b2-1d 78 21 9d 05 a1 f5 9c   ..~.oh...x!.....
    0080 - 72                                                r
    0082 - <SPACES/NULS>
    read from 0x7fe0d3402930 [0x7fe0d480c600] (7 bytes => 7 (0x7))
    0000 - 35 30 30 20 35 2e 35                              500 5.5
    78713:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/ssl/s23_clnt.c:618:
but only when using OpenSSL. With telnet I reach my own machine (see above).
The question now is: why is OpenSSL different?
    0010 - 77 ... win.ch hello [62
    0020 - 2e ... .203.230.235], p
From this you can see that openssl is connecting over IPv4, whereas …
    $ telnet corti.li 25
    Trying 2a01:4f8:c17:3bac::2...
with telnet you are obviously using IPv6. So my guess is that the ISP is intercepting IPv4 connections but not IPv6 ones. You can check this by forcing IPv4 with telnet, i.e.

    telnet -4 ...
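The IPv4-versus-IPv6 comparison the answer suggests, turned into a small check, as an added example that is not part of the original question or answer. It parses EHLO replies, flags a hostname that differs from the expected one (the signature of a transparent relay, as in the question's debug output) and a missing STARTTLS keyword, and diffs the capability sets seen on the two paths. The two sample replies are constructed from the transcripts quoted in the question; `probe_ehlo`, the host/port arguments and the `probe.invalid` HELO name are my own assumptions, and that function needs network access, which the embedded samples do not.

```python
"""Compare what an SMTP server advertises over IPv4 versus IPv6.

Added example, not code from the original post. The host, port and expected
EHLO hostname are assumptions passed in by the caller; the two sample replies
below are constructed from the transcripts quoted in the question.
"""
import re
import socket
import sys

SMTP_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed sample: what the real Postfix answered telnet (the IPv6 path).
EHLO_DIRECT = (
    "250-corti.li\r\n250-PIPELINING\r\n250-SIZE 20480000\r\n250-VRFY\r\n"
    "250-ETRN\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n"
    "250 DSN\r\n"
)
# Constructed sample: what openssl received on the IPv4 path (the ISP relay).
EHLO_RELAY = (
    "250-nwas.lb.bluewin.ch hello [62.203.230.235], pleased to meet you\r\n"
    "250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5\r\n250-SIZE 26214400\r\n"
    "250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-8BITMIME\r\n250 OK\r\n"
)


def parse_ehlo(reply):
    """Split an EHLO reply into (server hostname, set of advertised keywords).

    Line 1 is '250-<host> <greeting>'; every later line starts with one
    keyword ('STARTTLS', 'SIZE 20480000', ...). Some servers close with a
    '250 OK' line, which then shows up as the pseudo-keyword 'OK'.
    """
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l]
    host, keywords = None, set()
    for idx, line in enumerate(lines):
        m = SMTP_LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError(f"not a 250 EHLO line: {line!r}")
        text = m.group(3).split()
        if idx == 0:
            host = text[0]
        elif text:
            keywords.add(text[0].upper())
    return host, keywords


def assess(expected_host, reply):
    """Findings for one path: a foreign hostname suggests a transparent relay,
    a missing STARTTLS keyword means mail on this path stays cleartext."""
    host, keywords = parse_ehlo(reply)
    findings = []
    if host != expected_host:
        findings.append(f"EHLO hostname {host!r} != expected {expected_host!r}")
    if "STARTTLS" not in keywords:
        findings.append("STARTTLS not advertised")
    return findings


def compare_paths(reply_v4, reply_v6):
    """Diff the two EHLO replies; keywords present on one path only stand out."""
    host4, kw4 = parse_ehlo(reply_v4)
    host6, kw6 = parse_ehlo(reply_v6)
    return {
        "host_v4": host4,
        "host_v6": host6,
        "same_host": host4 == host6,
        "only_v4": sorted(kw4 - kw6),
        "only_v6": sorted(kw6 - kw4),
        "starttls_v4": "STARTTLS" in kw4,
        "starttls_v6": "STARTTLS" in kw6,
    }


def read_reply(sock):
    """Read one SMTP reply; it ends with a line of the form '<code><space>...'."""
    buf = b""
    while not re.search(rb"(?:^|\r\n)\d{3} [^\r\n]*\r\n$", buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    return buf.decode("ascii", "replace")


def probe_ehlo(host, family, port=25, helo_name="probe.invalid", timeout=10):
    """Connect over the given address family (AF_INET or AF_INET6), send EHLO
    and return the raw reply. Needs network access; the samples do not use it."""
    fam, typ, proto, _, sockaddr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0]
    with socket.socket(fam, typ, proto) as s:
        s.settimeout(timeout)
        s.connect(sockaddr)
        read_reply(s)                                   # 220 banner
        s.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
        reply = read_reply(s)
        s.sendall(b"QUIT\r\n")
    return reply


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"  # placeholder host
    v4 = probe_ehlo(target, socket.AF_INET)
    v6 = probe_ehlo(target, socket.AF_INET6)
    print(compare_paths(v4, v6))
    for label, reply in (("IPv4", v4), ("IPv6", v6)):
        print(label, assess(target, reply) or ["looks direct"])
```

Run against the constructed samples, `compare_paths(EHLO_RELAY, EHLO_DIRECT)` reports two different hostnames and STARTTLS present only on the IPv6 side, which is exactly the asymmetry the answer is asking the poster to confirm with `telnet -4`; the relay's `500 command unrecognized` reply to STARTTLS in the debug output is the same fact seen from the other end.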