SSL23_GET_SERVER_HELLO：使用TLSv1警告內部錯誤

Question

在類似的問題當前正在運行，但沒有解決方案的幫助

• OpenSSL connection error SSL23_GET_SERVER_HELLO, but browser and curl works
• https://askubuntu.com/questions/649000/openssl-curl-error-ssl23-get-server-hellotlsv1-alert-internal-error

我沒有訪問服務器CONFIGS，因爲這是隻是一個普通的Cloudfront + S3設置。

root@xxx:~# openssl s_client -connect tracking.kairion.de:443 -servername tracking.kairion.de 
CONNECTED(00000003) 
140336648943272:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:757: 
--- 
no peer certificate available 
--- 
No client certificate CA names sent 
--- 
SSL handshake has read 7 bytes and written 318 bytes 
--- 
New, (NONE), Cipher is (NONE) 
Secure Renegotiation IS NOT supported 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
    Protocol : TLSv1.2 
    Cipher : 0000 
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg : None 
    PSK identity: None 
    PSK identity hint: None 
    SRP username: None 
    Start Time: 1480860654 
    Timeout : 300 (sec) 
    Verify return code: 0 (ok) 
--- 

捲曲返回類似的錯誤

root@xxx:~# curl 'https://tracking.kairion.de/kairion.gif' -v 
* Hostname was NOT found in DNS cache 
* Trying 2400:cb00:2048:1::6818:72f8... 
* Connected to tracking.kairion.de (2400:cb00:2048:1::6818:72f8) port 443 (#0) 
* successfully set certificate verify locations: 
* CAfile: none 
    CApath: /etc/ssl/certs 
* SSLv3, TLS handshake, Client hello (1): 
* SSLv3, TLS alert, Server hello (2): 
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error 
* Closing connection 0 
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error 

錯誤是可重複使用至少兩個服務器上：

openssl 1.0.1t-1+deb8u5 (jessie) 
openssl 1.0.1t-1+deb7u1 (wheezy) 

但適用於

openssl 1.0.2j-1 (stretch) 

有趣的是，有時它適用於也許一個小時，然後失敗一個小時。

Answer 1

今天發現這個問題，涉及到cloudflare。

由於我禁用了該子域的cloudflare，所以它沒有任何問題。

似乎cloudflare有時會從cloudfront返回正確的CNAME，有時會返回一個cloudflare IP。只要它直接返回了cloudfront SSL的工作，當它返回cloudflare IP SSL失敗。