Hi everyone!
Maybe someone can help... We used to use the service
https://www.exchangerates.org.uk/EUR-HK ... -full.html to get exchange rate data. But since November 2017 we have been unable to use the service because of a handshake error:
[Thr 140098113574656] 0x20001040 | SAPCRYPTOLIB | SSL_read
[Thr 140098113574656] SSL API error
[Thr 140098113574656] received a fatal TLS handshake failure alert message from the peer
[Thr 140098113574656] 0xa0600266 | SSL | ssl3_read_bytes
[Thr 140098113574656] received a fatal TLS handshake failure alert message from the peer
[Thr 140098113574656] 0xa0600266 | SSL | ssl3_connect
[Thr 140098113574656] received a fatal TLS handshake failure alert message from the peer
[Thr 140098113574656] 0xa0600266 | SSL | ssl3_read_bytes
[Thr 140098113574656] received a fatal TLS handshake failure alert message from the peer
I tried setting different ssl/client_ciphersuites parameters on different system kernels. The result is always the same:
CommonCryptoLib 8.5.16 (Sep 7 2017) [AES-NI,CLMUL,SSE3,SSSE3]
[Thr 140098116216576] Thu Mar 29 01:55:52:563 2018
[Thr 140098116216576] SSL_get_state()==0x2120 "TLS read server hello A"
[Thr 140098116216576] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 140098116216576] cli SSL session PSE "/usr/sap/xxx/DVEBMGS50/sec/SAPSSLA.pse"
[Thr 140098116216576] session ciphersuites=982:HIGH:MEDIUM:+e3DES
[Thr 140098116216576] Client SSL_CTX 272c990 pvflags=960 (TLSv1.2,TLSv1.1,TLSv1.0,SSLv3)
[Thr 140098116216576] secussl_read: SSL_read() failed (536875072/0x20001040)
[Thr 140098116216576] => "received a fatal TLS handshake failure alert message from the peer"
[Thr 140098116216576] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 140098116216576] 0x20001040 | SAPCRYPTOLIB | SSL_read
[Thr 140098116216576] SSL API error
[Thr 140098116216576] received a fatal TLS handshake failure alert message from the peer
[Thr 140098116216576] 0xa0600266 | SSL | ssl3_read_bytes
[Thr 140098116216576] received a fatal TLS handshake failure alert message from the peer
[Thr 140098116216576] 0xa0600266 | SSL | ssl3_connect
[Thr 140098116216576] received a fatal TLS handshake failure alert message from the peer
[Thr 140098116216576] 0xa0600266 | SSL | ssl3_read_bytes
[Thr 140098116216576] received a fatal TLS handshake failure alert message from the peer
[Thr 140098116216576] << ---------- End of Secu-SSL Errorstack ----------
[Thr 140098116216576] (No certificate request received from Server)
[Thr 140098116216576] Target Hostname="www.exchangerates.org.uk"
[Thr 140098116216576] SSL NI-hdl 100: local=xxx1:65487 peer=52.84.213.71:443
[Thr 140098116216576] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=27296f0)==SSSLERR_SSL_READ
[Thr 140098116216576] *** ERROR => SSL handshake with http://www.exchangerates.org.uk:443 failed: SSSLERR_SSL_READ (-58)
[Thr 140098116216576] SAPCRYPTO:SSL_read() failed
[Thr 140098116216576]
[Thr 140098116216576] SapSSLSessionStartNB()==SSSLERR_SSL_READ
[Thr 140098116216576] SSL:SSL_read() failed (536875072/0x20001040)
[Thr 140098116216576] => "received a fatal TLS handshake failure alert message from the peer"
[Thr 140098116216576] SSL:SSL_get_state()==0x2120 "TLS read server hello A"
[Thr 140098116216576] SSL NI-hdl 100: local=xxx:65487 peer=52.84.213.71:443
[Thr 140098116216576] cli SSL session PSE "/usr/sap/xxx/DVEBMGS50/sec/SAPSSLA.pse"
[Thr 140098116216576] session ciphersuites=982:HIGH:MEDIUM:+e3DES
[Thr 140098116216576] Client SSL_CTX 272c990 pvflags=960 (TLSv1.2,TLSv1.1,TLSv1.0,SSLv3)
[Thr 140098116216576] Target Hostname="www.exchangerates.org.uk"
[Thr 140098116216576] >> ---- SecuSSL ErrStack: ----
[Thr 140098116216576] 0x20001040 | SAPCRYPTOLIB | SSL_read
[Thr 140098116216576] SSL API error
[Thr 140098116216576] received a fatal TLS handshake failure alert message from the peer
[Thr 140098116216576] 0xa0600266 | SSL | ssl3_read_bytes
[Thr 140098116216576] received a fatal TLS handshake failure alert message from the peer
[Thr 140098116216576] 0xa0600266 | SSL | ssl3_connect
[Thr 140098116216576] received a fatal TLS handshake failure alert message from the peer
[Thr 140098116216576] 0xa0600266 | SSL | ssl3_read_bytes
[Thr 140098116216576] received a fatal TLS handshake failure alert message from the peer
[Thr 140098116216576] << ---------------------------
CommonCryptoLib 8.5.13 (May 17 2017) [AES-NI,CLMUL,SSE3,SSSE3]
[Thr 140488041907968] Thu Mar 29 03:21:19:922 2018
[Thr 140488041907968] SSL_get_state()==0x2120 "TLS read server hello A"
[Thr 140488041907968] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 140488041907968] cli SSL session PSE "/usr/sap/xxx/DVEBMGS30/sec/SAPSSLC.pse"
[Thr 140488041907968] session ciphersuites=918:PFS:HIGH
[Thr 140488041907968] Client SSL_CTX 7fc5d4070b50 pvflags = 896 (TLSv1.2,TLSv1.1,TLSv1.0)
[Thr 140488041907968] secussl_read: SSL_read() failed (536875072/0x20001040)
[Thr 140488041907968] => "received a fatal TLS handshake failure alert message from the peer"
[Thr 140488041907968] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 140488041907968] 0x20001040 | SAPCRYPTOLIB | SSL_read
[Thr 140488041907968] SSL API error
[Thr 140488041907968] received a fatal TLS handshake failure alert message from the peer
[Thr 140488041907968] 0xa0600266 | SSL | ssl3_read_bytes
[Thr 140488041907968] received a fatal TLS handshake failure alert message from the peer
[Thr 140488041907968] 0xa0600266 | SSL | ssl3_connect
[Thr 140488041907968] received a fatal TLS handshake failure alert message from the peer
[Thr 140488041907968] 0xa0600266 | SSL | ssl3_read_bytes
[Thr 140488041907968] received a fatal TLS handshake failure alert message from the peer
[Thr 140488041907968] << ---------- End of Secu-SSL Errorstack ----------
[Thr 140488041907968] No certificate request received from Server
[Thr 140488041907968] Target Hostname="www.exchangerates.org.uk"
[Thr 140488041907968] SSL NI-hdl 161: local=xxx:22465 peer=52.84.213.239:443
[Thr 140488041907968] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=7fc5b4016ce0)==SSSLERR_SSL_READ
[Thr 140488041907968] *** ERROR => SSL handshake with http://www.exchangerates.org.uk:443 failed: SSSLERR_SSL_READ (-58)
[Thr 140488041907968] SAPCRYPTO:SSL_read() failed
[Thr 140488041907968]
[Thr 140488041907968] SapSSLSessionStartNB()==SSSLERR_SSL_READ
[Thr 140488041907968] SSL:SSL_read() failed (536875072/0x20001040)
[Thr 140488041907968] => "received a fatal TLS handshake failure alert message from the peer"
[Thr 140488041907968] SSL:SSL_get_state()==0x2120 "TLS read server hello A"
[Thr 140488041907968] SSL NI-hdl 161: local=xxx:22465 peer=52.84.213.239:443
[Thr 140488041907968] cli SSL session PSE "/usr/sap/xxx/DVEBMGS30/sec/SAPSSLC.pse"
[Thr 140488041907968] Target Hostname="www.exchangerates.org.uk"
[Thr 140488041907968] >> ---- SecuSSL ErrStack: ----
[Thr 140488041907968] 0x20001040 | SAPCRYPTOLIB | SSL_read
[Thr 140488041907968] SSL API error
[Thr 140488041907968] received a fatal TLS handshake failure alert message from the peer
[Thr 140488041907968] 0xa0600266 | SSL | ssl3_read_bytes
[Thr 140488041907968] received a fatal TLS handshake failure alert message from the peer
[Thr 140488041907968] 0xa0600266 | SSL | ssl3_connect
[Thr 140488041907968] received a fatal TLS handshake failure alert message from the peer
[Thr 140488041907968] 0xa0600266 | SSL | ssl3_read_bytes
[Thr 140488041907968] received a fatal TLS handshake failure alert message from the peer
[Thr 140488041907968] << ---------------------------
[Thr 140488041907968]
Using note 2110020, I tried to check which TLS or SSL version the site uses:
perl ssl-hellotest.pl exchangerates.org.uk 443
SSLv3: record=(3,0), ClientHello=(3,0) no TLS extensions
exchangerates.org.uk:443... sending ClientHello (len=58)
FAIL: Alert response: level=FATAL(2), desc=handshake_failure(40)
TLSv1.0: record=(3,0), ClientHello=(3,1) no TLS extensions
exchangerates.org.uk:443... sending ClientHello (len=58)
FAIL: Alert response: level=FATAL(2), desc=handshake_failure(40)
TLSv1.1: record=(3,0), ClientHello=(3,2) no TLS extensions
exchangerates.org.uk:443... sending ClientHello (len=58)
FAIL: Alert response: level=FATAL(2), desc=handshake_failure(40)
TLSv1.2: record=(3,0), ClientHello=(3,3) no TLS extensions
exchangerates.org.uk:443... sending ClientHello (len=58)
FAIL: Alert response: level=FATAL(2), desc=handshake_failure(40)
And I got handshake errors everywhere. Meanwhile cbr, for example, works fine with all TLS versions:
perl ssl-hellotest.pl cbr.ru 443
SSLv3: record=(3,0), ClientHello=(3,0) no TLS extensions
cbr.ru:443... sending ClientHello (len=58)
FAIL: Alert response: level=FATAL(2), desc=handshake_failure(40)
TLSv1.0: record=(3,0), ClientHello=(3,1) no TLS extensions
cbr.ru:443... sending ClientHello (len=58)
OK: ServerHello.server_version=(3,1) = (TLSv1.0)
ServerHello.cs={ 0x00,0x35 } TLS_RSA_WITH_AES256_CBC_SHA
TLSv1.1: record=(3,0), ClientHello=(3,2) no TLS extensions
cbr.ru:443... sending ClientHello (len=58)
OK: ServerHello.server_version=(3,2) = (TLSv1.1)
ServerHello.cs={ 0x00,0x35 } TLS_RSA_WITH_AES256_CBC_SHA
TLSv1.2: record=(3,0), ClientHello=(3,3) no TLS extensions
cbr.ru:443... sending ClientHello (len=58)
OK: ServerHello.server_version=(3,3) = (TLSv1.2)
ServerHello.cs={ 0x00,0x35 } TLS_RSA_WITH_AES256_CBC_SHA
I can't figure out what needs to be used for http://www.exchangerates.org.uk so that the RFC works.
Notably, wget and curl fail on SLES 11 SP3. It has openssl 0.9:
curl https://www.exchangerates.org.uk/EUR-HK ... -full.html
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
wget https://www.exchangerates.org.uk/EUR-HK ... -full.html
--2018-03-29 03:24:45-- https://www.exchangerates.org.uk/EUR-HK ... -full.html
Resolving http://www.exchangerates.org.uk... 52.84.213.47, 52.84.213.239, 52.84.213.169, ...
Connecting to http://www.exchangerates.org.uk|52.84.213.47|:443... connected.
OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Unable to establish SSL connection.
But on SLES 12 they work; openssl 1.0 is installed there:
wget http://www.exchangerates.org.uk
--2018-03-29 03:27:55-- http://www.exchangerates.org.uk/
Resolving http://www.exchangerates.org.uk (http://www.exchangerates.org.uk)... 52.84.213.169, 52.84.213.254, 52.84.213.168, ...
Connecting to http://www.exchangerates.org.uk (http://www.exchangerates.org.uk)|52.84.213.169|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.exchangerates.org.uk/ [following]
--2018-03-29 03:27:55-- https://www.exchangerates.org.uk/
Connecting to http://www.exchangerates.org.uk (http://www.exchangerates.org.uk)|52.84.213.169|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
[ <=> ] 116,598 --.-K/s in 0.1s
2018-03-29 03:27:55 (821 KB/s) - ‘index.html’ saved [116598]
Thanks in advance to everyone for your help.
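
Added example, not part of the original post: a Python parser for probe output in the ssl-hellotest.pl format shown above. It lists the protocol versions a server accepted and flags runs where every probe failed while sending no TLS extensions. The sample input is constructed in the shape of the post's output, and the names `parse_hellotest` and `summarize` are hypothetical.

```python
import re
# Constructed sample in the output format shown in the post (two probes per host).
SAMPLE = """\
TLSv1.0: record=(3,0), ClientHello=(3,1) no TLS extensions
exchangerates.org.uk:443... sending ClientHello (len=58)
FAIL: Alert response: level=FATAL(2), desc=handshake_failure(40)
TLSv1.2: record=(3,0), ClientHello=(3,3) no TLS extensions
exchangerates.org.uk:443... sending ClientHello (len=58)
FAIL: Alert response: level=FATAL(2), desc=handshake_failure(40)
SSLv3: record=(3,0), ClientHello=(3,0) no TLS extensions
cbr.ru:443... sending ClientHello (len=58)
FAIL: Alert response: level=FATAL(2), desc=handshake_failure(40)
TLSv1.2: record=(3,0), ClientHello=(3,3) no TLS extensions
cbr.ru:443... sending ClientHello (len=58)
OK: ServerHello.server_version=(3,3) = (TLSv1.2)
ServerHello.cs={ 0x00,0x35 } TLS_RSA_WITH_AES256_CBC_SHA
"""

PROBE = re.compile(r"^(SSLv3|TLSv1\.\d): record=\(\d,\d\), ClientHello=\(\d,\d\)\s*(.*)$")
TARGET = re.compile(r"^(\S+):\d+\.\.\. sending ClientHello")
FAIL = re.compile(r"^FAIL: Alert response: level=\w+\(\d+\), desc=(\w+)\(\d+\)")
OK = re.compile(r"^OK: ServerHello\.server_version=\(\d,\d\)")
SUITE = re.compile(r"^ServerHello\.cs=\{ 0x[0-9a-fA-F]{2},0x[0-9a-fA-F]{2} \} (\S+)")

def parse_hellotest(text):
    """Return {host: [probe, ...]} parsed from ssl-hellotest.pl style output."""
    hosts, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := PROBE.match(line):
            cur = {"offered": m.group(1), "alert": None, "suite": None, "ok": False,
                   "extensions": "no TLS extensions" not in m.group(2)}
        elif cur is None:
            continue  # ignore anything before the first probe header
        elif m := TARGET.match(line):
            hosts.setdefault(m.group(1), []).append(cur)
        elif m := FAIL.match(line):
            cur["alert"] = m.group(1)
        elif OK.match(line):
            cur["ok"] = True
        elif m := SUITE.match(line):
            cur["suite"] = m.group(1)
    return hosts

def summarize(probes):
    accepted = [p["offered"] for p in probes if p["ok"]]
    # A ClientHello without extensions carries no server_name (SNI), so a run in
    # which every probe fails says nothing about the versions the server supports.
    inconclusive = not accepted and not any(p["extensions"] for p in probes)
    return {"accepted": accepted, "inconclusive": inconclusive}
```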