Question
I got those commands on irb
require 'mechanize'
agent = Mechanize.new
agent.get('https://monabo.lemonde.fr/customer/account/forgotpassword/')
I got this error:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure
I tried on Mac, and it works; I don't have this error. However, it doesn't work on my computer (running Linux Mint 17).
What I tried:
Exporting this variable:
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
Setting this variable:
agent.agent.http.ca_file = '/etc/ssl/certs/ca-certificates.crt'
Setting this:
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
Changing ruby version (I'm currently using ruby 2.1.5p275)
None of those solutions changed the issue. I suspect that the server is requiring a specific version of OpenSSL.
Please notice that I can request https://google.com with mechanize and that it works, but not https://monabo.lemonde.fr/customer/account/forgotpassword/.
The fact that it works on Mac may suggest that I have a wrong config.
EDIT: Here is the output of this command:
➜ swiff git:(master) ✗ openssl s_client -connect monabo.lemonde.fr/customer/account/forgotpassword:443 -tls1 -servername monabo.lemonde.fr/customer/account/forgotpassword | openssl x509 -text -noout
gethostbyname failure
connect:errno=0
unable to load certificate
140045809014432:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
Some other data:
- http://pastebin.com/raw.php?i=AYDbwqqD
- http://pastebin.com/raw.php?i=vC07aTyY
- http://pastebin.com/raw.php?i=VLtLvuEG
Answer 1:
The server supports only SSLv3 and TLSv1 and only with the cipher DES-CBC3-SHA. This cipher is not included in the default cipher set used by your version of ruby, as you can see in https://github.com/ruby/ruby/blob/ruby_2_1/ext/openssl/lib/openssl/ssl.rb. This setting is strange because from what I know DES-CBC3-SHA (i.e. DES3) is considered more secure than RC4-SHA which they have in their cipher set.
I've tried to find a way to set the ciphers for the mechanize object but I don't know much about writing ruby and also only have an older version of ruby on the system. You might try something like agent.agent.http.ciphers = [ 'des-cbc3-sha' ] or ask some ruby experts.
Answer 2:
openssl s_client -connect monabo.lemonde.fr/customer/account/forgotpassword:443 -tls1 -servername monabo.lemonde.fr/customer/account/forgotpassword | openssl x509 -text -noout
From the outside world, I am able to connect. I can resolve the "unable to get local issuer certificate" error below by using -CApath with the OpenSSL command (exercise left to the reader since it's not the problem).
This may help you with troubleshooting....
Get the certificate dump
$ openssl s_client -connect monabo.lemonde.fr:443 -tls1 -servername monabo.lemonde.fr | openssl x509 -text -noout
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - G2
verify error:num=20:unable to get local issuer certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
11:21:56:eb:c5:b1:54:fb:88:02:47:ec:cd:51:d9:38:89:d2
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - G2
Validity
Not Before: Dec 18 17:19:34 2013 GMT
Not After : Jan 19 18:10:24 2017 GMT
Subject: OU=Domain Control Validated, CN=*.lemonde.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
CPS: https://www.globalsign.com/repository/
X509v3 Subject Alternative Name:
DNS:*.lemonde.fr, DNS:lemonde.fr
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.globalsign.com/gs/gsdomainvalg2.crl
Authority Information Access:
CA Issuers - URI:http://secure.globalsign.com/cacert/gsdomainvalg2.crt
OCSP - URI:http://ocsp2.globalsign.com/gsdomainvalg2
X509v3 Subject Key Identifier:
49:7C:AB:DD:45:95:AB:8C:15:8E:9A:E2:0E:FE:79:39:FF:5C:A6:3C
X509v3 Authority Key Identifier:
keyid:96:AD:FA:B0:5B:B9:83:64:2A:76:C2:1C:8A:69:DA:42:DC:FE:FD:28
Signature Algorithm: sha1WithRSAEncryption
Perform an HTTP GET (notice the -ign_eof):
riemann::cryptopp$ echo -e "GET /customer/account/forgotpassword HTTP/1.1\r\nHost:monabo.lemonde.fr\r\n\r\n" | openssl s_client -connect monabo.lemonde.fr:443 -tls1 -ign_eof -servername monabo.lemonde.fr
CONNECTED(00000003)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.lemonde.fr
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.lemonde.fr
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 2528 bytes and written 584 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 5CB47D92BE13BC28113D333A7B3BEECBF90B78EB4751BC1285F4EB1EA129914D8E61629E1EE84E9B6177ADC1E2CA9AE9
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1428944574
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
HTTP/1.0 200 OK
Set-Cookie: ARVATO=R212127208; path=/
Set-Cookie: ARVATO=R1228432574; path=/
Date: Mon, 13 Apr 2015 16:56:33 GMT
Server: Apache
Set-Cookie: frontend=8b5a9c59bc8c3e36259d9bb9c5d786b6; expires=Thu, 03-Mar-2332 10:43:14 GMT; path=/; domain=monabo.lemonde.fr; HttpOnly
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, public
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from cache-02
X-Cache-Lookup: MISS from cache-02:80
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head>
<title>Magento Commerce</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="description" content="Default Description" />
<meta name="keywords" content="Magento, Varien, E-commerce" />
<meta name="robots" content="INDEX,FOLLOW" />
...
</body>
</html>
closed
Try to force an SSLv3 failure (notice the use of -ssl3, and lack of -servername):
$ openssl s_client -connect monabo.lemonde.fr:443 -ssl3 | openssl x509 -text -noout
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - G2
verify error:num=20:unable to get local issuer certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
11:21:56:eb:c5:b1:54:fb:88:02:47:ec:cd:51:d9:38:89:d2
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - G2
Validity
Not Before: Dec 18 17:19:34 2013 GMT
Not After : Jan 19 18:10:24 2017 GMT
Subject: OU=Domain Control Validated, CN=*.lemonde.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
CPS: https://www.globalsign.com/repository/
X509v3 Subject Alternative Name:
DNS:*.lemonde.fr, DNS:lemonde.fr
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.globalsign.com/gs/gsdomainvalg2.crl
Authority Information Access:
CA Issuers - URI:http://secure.globalsign.com/cacert/gsdomainvalg2.crt
OCSP - URI:http://ocsp2.globalsign.com/gsdomainvalg2
X509v3 Subject Key Identifier:
49:7C:AB:DD:45:95:AB:8C:15:8E:9A:E2:0E:FE:79:39:FF:5C:A6:3C
X509v3 Authority Key Identifier:
keyid:96:AD:FA:B0:5B:B9:83:64:2A:76:C2:1C:8A:69:DA:42:DC:FE:FD:28
Signature Algorithm: sha1WithRSAEncryption
Answer 3:
Installing the certified gem fixed this issue for me, with the following version of ruby/rubygems on Windows 7.
> ruby -v
ruby 2.2.3p173 (2015-08-18 revision 51636) [i386-mingw32]
> gem -v
2.6.6
Answer 4:
For Ruby < 2.5
You can add your cipher to the list of default ciphers:
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers] += ':DES-CBC3-SHA'
then:
require 'mechanize'
agent = Mechanize.new
agent.get 'https://monabo.lemonde.fr/customer/account/forgotpassword/'
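As an added example (not code from the question or any answer) of the cipher mismatch that answers 1 and 4 describe: the client's default list against the server's single cipher, the negotiation that fails, and answer 4's widening applied to one dedicated context rather than to the process-wide default. The cipher list is an abbreviated, constructed stand-in for Ruby 2.1's default, and `offered_ciphers`, `negotiate`, `widen_ciphers` and `context_with` are helper names of my own.

```ruby
require 'openssl'
# Abbreviated, constructed stand-in for Ruby 2.1's DEFAULT_PARAMS[:ciphers]:
# the real list is longer, but it likewise has RC4-SHA and lacks DES-CBC3-SHA.
RUBY_2_1_DEFAULT_CIPHERS = %w[
  ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-SHA
  AES128-GCM-SHA256 AES256-SHA AES128-SHA RC4-SHA
].join(':').freeze

# What the s_client runs on the page showed: the server offers one cipher.
SERVER_CIPHERS = %w[DES-CBC3-SHA].freeze

# Names a client would advertise from an OpenSSL-style cipher string, dropping
# control entries such as !aNULL or @STRENGTH (aliases like HIGH are not expanded).
def offered_ciphers(cipher_string)
  cipher_string.split(':').reject { |c| c.start_with?('!', '@', '-', '+') }.uniq
end

# Server-preference selection: the first server cipher the client also offers.
# nil means no overlap, which is what produces the "sslv3 alert handshake failure".
def negotiate(client_cipher_string, server_ciphers)
  offered = offered_ciphers(client_cipher_string)
  server_ciphers.find { |c| offered.include?(c) }
end

# Answer 4's fix as a function returning a new string, so only the one context
# that talks to this server is widened, not every TLS client in the process.
def widen_ciphers(cipher_string, extra)
  return cipher_string if offered_ciphers(cipher_string).include?(extra)
  "#{cipher_string}:#{extra}"
end

# A dedicated SSLContext with the widened list and certificate checking kept on.
def context_with(cipher_string)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.ciphers = cipher_string
  ctx
end

if __FILE__ == $PROGRAM_NAME
  widened = widen_ciphers(RUBY_2_1_DEFAULT_CIPHERS, 'DES-CBC3-SHA')
  puts "default -> #{negotiate(RUBY_2_1_DEFAULT_CIPHERS, SERVER_CIPHERS).inspect}"
  puts "widened -> #{negotiate(widened, SERVER_CIPHERS).inspect}"
  begin
    names = context_with(widened).ciphers.map(&:first)
    puts "OpenSSL here can use DES-CBC3-SHA: #{names.include?('DES-CBC3-SHA')}"
  rescue OpenSSL::SSL::SSLError => e
    puts "OpenSSL here rejects the list: #{e.message}"
  end
end
```

The last check matters on current systems: adding a name to the list only helps if the linked OpenSSL still builds that cipher, and 3DES is exactly the kind of suite newer builds drop.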
Answer 5:
I don't know anything about ruby but the problem looks to be a certificate chain verification problem, i.e. the openssl error "verify error:num=20:unable to get local issuer certificate" is the reason for your failure.
The reason for the failure is that full chain can't be loaded. i.e. there is one or more missing certificates.
The first point is that the certificate chain given by the server is missing the intermediate. This really is a web server setup problem in that they are missing the intermediate certificate in their web server setup.
You can work around this problem by providing this intermediate in your local CA file. This is most likely the reason it works on your other machine, in that that machine's CA file contains both the intermediate and the root certificates.
I would check that both those certificates are in your CA file (/etc/ssl/certs/ca-certificates.crt), and if not then add them. Once the openssl commands work without the "verify error:num=20:unable to get local issuer certificate" error then that will rule out that problem with your ruby code (assuming your ruby code is using the same CA file).
If you can get the web server updated to use a certificate chain file that includes the server certificate and the intermediate certificate, that should also fix that problem as well.
Source: https://stackoverflow.com/questions/29610513/ssl-errors-with-mechanize