╰─>$ curl -k -vvv --sslv3 https://192.168.7.9:8080
* Trying 192.168.7.9:8080...
* TCP_NODELAY set
* Connected to 192.168.7.9 (192.168.7.9) port 8080 (#0)
* OpenSSL was built without SSLv3 support
* Closing connection 0
curl: (4) OpenSSL was built without SSLv3 support
根据提示,是openssl不支持。用openssl自身提供的工具进行验证,果然是不支持的,连这个参数也没有。
╰─>$ openssl s_client -ssl3 -connect t9:5000 -CAfile ~/Keys/https/root/root.cer -servername test3.www.local
s_client: Option unknown option -ssl3
s_client: Use -help for summary.
man openssl s_client可以看到,这个选项是依赖编译时的。
-ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3
These options require or disable the use of the specified SSL or TLS protocols. By default s_client will negotiate the highest mutually supported protocol version.
When a specific TLS version is required, only that version will be offered to and accepted from the server. Note that not all protocols and flags may be available,
depending on how OpenSSL was built.
[class_tong @ 20191031]
重编openssl
openssl在默认的编译选项里关闭了SSLv3,只需要增加如下的编译选项,即可完成支持SSLv3的重新编译:
enable-ssl3. (enable-ssl3-method 是干嘛的???)
./Configure enable-ssl3 enable-ssl3-method linux-x86_64
二 archlinux 打包
我的openssl是包管理的,为了方便版本管理,我需要打个包。
a
, 首先去下载源包的打包脚本,
https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/openssl
-rw-r--r-- PKGBUILD
-rw-r--r-- ca-dir.patch
修改PKGBUILD
╰─>$ diff PKGBUILD.org PKGBUILD
< pkgrel=1
> pkgrel=2
15c15
< source=("https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz"{,.asc}
> source=("${pkgname}-${_ver}.tar.gz"
35c34
< shared no-ssl3-method enable-ec_nistp_64_gcc_128 linux-x86_64 \
> shared enable-ssl3 enable-ssl3-method enable-ec_nistp_64_gcc_128 linux-x86_64 \
改了,版本号,文件路径,编译选项。
b
把一份源码带包到当前目录 openssl-1.1.1d.tar.gz, 然后运行makepkg命令生效安装包 openssl-1.1.1.d-2-x86_64.pkg.tar.xz
c
安装新的包,替换官方包
sudo pacman -U openssl-1.1.1.d-2-x86_64.pkg.tar.xz
更新之后,使用前文的curl和openssl命令分别测试,openssl s_client已经支持了sslv3,但是curl仍然不支持。
╰─>$ openssl s_client -ssl3 -connect t9:5000 -CAfile ~/Keys/https/root/root.cer -servername test3.www.local
CONNECTED(00000003)
140060394198272:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
SSL-Session:
Protocol : SSLv3
握手虽然失败,但那是server的问题。
重新编译 curl
在github下载最新的curl代码。使用如下命令重新编译,
这里需要注意的是:一,编译选项已经默认使用ssl。二,在archlinux下openssl不区分开发包和运行包,所以编译过程中curl
会默认的使用系统路径下的openssl进行链接,也就是上文中我们刚刚修改过的。
bash-5.0$ ./buildconf
bash-5.0$ ./configure
bash-5.0$ make
另外, 提一点关于autoconf的迷思,如果没有buildconf命令的话,需要先后执行如下的命令,以替代之:
bash-5.0$ aclocal
bash-5.0$ autoheader
bash-5.0$ autoconf
bash-5.0$ automake
最后生出来的curl是静态链接的,与计划有点差距。(当然变成动态的也不难,不过那不是我们所关心的。)
╰─>$ ldd src/curl
not a dynamic executable
总之,现在可以sslv3了
─>$ ./src/curl -k -vvv --sslv3 https://192.168.7.9:8080
* Trying 192.168.7.9:8080...
* TCP_NODELAY set
* Connected to 192.168.7.9 (192.168.7.9) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* SSLv3 (OUT), TLS handshake, Client hello (1):
* SSLv3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
[class_tong @ 20191031]