1. 首頁
  2. 問答
  3. 得到TLS錯誤:由服務器返回致命警報:HANDSHAKE_FAILURE

得到TLS錯誤:由服務器返回致命警報:HANDSHAKE_FAILURE

2017-09-07 89 views
2

我在下面的代碼握手時收到錯誤Got TLS error: FATAL alert returned by server: HANDSHAKE_FAILURE。可能是什麼問題?得到TLS錯誤:由服務器返回致命警報:HANDSHAKE_FAILURE

#!/usr/bin/env python 
# -*- coding: utf-8 -*- 

from __future__ import with_statement 
from __future__ import print_function 
try: 
    # This import works from the project directory 
    from scapy_ssl_tls.ssl_tls import * 
except ImportError: 
    # If you installed this package via pip, you just need to execute this 
    from scapy.layers.ssl_tls import * 

tls_version = TLSVersion.TLS_1_2 
ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_GCM_SHA256] 
# ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA384] 
# ciphers = [TLSCipherSuite.RSA_WITH_AES_128_CBC_SHA] 
# ciphers = [TLSCipherSuite.RSA_WITH_RC4_128_SHA] 
# ciphers = [TLSCipherSuite.DHE_RSA_WITH_AES_128_CBC_SHA] 
# ciphers = [TLSCipherSuite.DHE_DSS_WITH_AES_128_CBC_SHA] 
extensions = [TLSExtension()/TLSExtECPointsFormat(), 
       TLSExtension()/TLSExtSupportedGroups()] 


def tls_client(ip): 
    with TLSSocket(client=True) as tls_socket: 
     try: 
      print("kooo") 
      tls_socket.connect(ip) 
      print("Connected to server: %s" % (ip,)) 
     except socket.timeout: 
      print("Failed to open connection to server: %s" % (ip,), file=sys.stderr) 
     else: 
      try: 
       server_hello, server_kex = tls_socket.do_handshake(tls_version, ciphers, extensions) 
       server_hello.show() 
       tls_socket.setsockopt(socket.SOL_IP, socket.IP_TTL, 20) 
      except TLSProtocolError as tpe: 
       print("Got TLS error: %s" % tpe, file=sys.stderr) 
       tpe.response.show() 
      else: 
       resp = tls_socket.do_round_trip(TLSPlaintext(data="GET/HTTP/1.1\r\nHost: pirate.trade\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n")) 
       print("Got response from server") 
       resp.show() 
      # finally: 
      #  print(tls_socket.tls_ctx) 


if __name__ == "__main__": 
    if len(sys.argv) > 2: 
     server = (sys.argv[1], int(sys.argv[2])) 
    else: 
     server = ("pirate.trade", 443) 
tls_client(server)

上述代碼是取自此鏈接。 https://github.com/tintinweb/scapy-ssl_tls/blob/master/examplesfull_rsa_connection_with_application_data.py

來源

2017-09-07 tarun14110

+0

我的猜測是,這是由於服務器pirate.trade需要它與缺少SNI擴展相關。 –

+0

@SteffenUllrich你能告訴我,我怎麼在這裏添加SNI擴展名? – tarun14110

回答

1

pirate.trade運行顯示的代碼有兩個問題。

第一個是該網站僅支持ECDSA密碼,因爲它只有ECDSA證書。例如,在查看報告的密碼或證書時,可以看到the SSLLabs report。要解決這個替換符合該行提供的密碼

ciphers = [TLSCipherSuite.ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]

的ECDSA的第二個問題是,該網站需要SNI TLS擴展只提供一個RSA密碼

ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_GCM_SHA256]

。這也可以從SSLLabs看到報告:

This site works only in browsers with SNI support.

這個擴展可以通過修改已有的擴展來添加:

extensions = [TLSExtension()/TLSExtECPointsFormat(), 
       TLSExtension()/TLSExtSupportedGroups(), 
       TLSExtension()/TLSExtServerNameIndication(server_names=TLSServerName(data="pirate.trade"))]

只有兩個修復完成後握手成功。

來源

2017-09-09 18:17:38

相關問題

 相關問題