V2EX 16 hours ago
[Q&A] Seeking advice on a TLS handshake failure on a Redhat 8.5 system, many thanks!

This post documents an SSL connection failure encountered while deploying the Zabbix service on a RedHat 8.5 server. By testing in two environments (a Macbook Pro and the server) with tools including curl, wget and openssl, the author works through DNS resolution, the firewall and the TLS version as possible causes and eventually narrows the problem down to the SSL handshake stage. The post records the test procedure and results in detail and compares the SSL handshake logs of a successful and a failing connection, providing an in-depth technical analysis of the problem.

🕵️‍♂️ Reproducing the environment and confirming the problem: while deploying the Zabbix service on a RedHat 8.5 server, every SSL connection fails, including those made by wget and curl, which points to a problem in the SSL handshake.

🌐 Network connectivity test: a telnet test confirms that DNS resolution works and the server is reachable at the network layer, so the problem is not in basic networking but in the application-layer SSL handshake.

🛠️ Ruling out common causes: the author rules out TLS version problems, firewall settings and proxies and tries several curl options, but the SSL connection still cannot be established.

🔍 Log analysis and comparison: using detailed curl and openssl logs, the author compares the SSL handshake on the server with that on the Macbook Pro and finds that the server fails immediately after sending the Client Hello, never receiving a Server Hello; the differences are then analysed.

Could the experts here advise on how to go about analysing a failure to establish an SSL connection on Linux?

Today, while deploying the Zabbix service on a RedHat 8.5 machine, I found that every SSL connection from this server to any destination fails.

Below is the complete analysis log. Any comments are greatly appreciated!!!

Environment 1, my own computer, a Macbook Pro

MacOS 14.5 (23F79)
openssl version
OpenSSL 1.1.1u  30 May 2023

Environment 2, the server

$ cat /proc/version
Linux version 4.18.0-553.22.1.el8_10.x86_64 (mockbuild@iad1-prod-build001.bld.equ.rockylinux.org) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-22) (GCC)) #1 SMP Wed Sep 25 09:20:43 UTC 2024
$ openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021

Today I wanted to deploy Zabbix on the server:

wget https://cdn.zabbix.com/zabbix/sources/oldstable/6.4/zabbix-6.4.21.tar.gz
--2025-07-11 11:42:31--  https://cdn.zabbix.com/zabbix/sources/oldstable/6.4/zabbix-6.4.21.tar.gz
Resolving cdn.zabbix.com (cdn.zabbix.com)... 104.26.6.148, 172.67.69.4, 104.26.7.148, ...
Connecting to cdn.zabbix.com (cdn.zabbix.com)|104.26.6.148|:443... connected.
GnuTLS: Error in the pull function.
Unable to establish SSL connection.

Attempt 1:

curl -vI https://cdn.zabbix.com
* Rebuilt URL to: https://cdn.zabbix.com/
*   Trying 104.26.6.148...
* TCP_NODELAY set
* Connected to cdn.zabbix.com (104.26.6.148) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to cdn.zabbix.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to cdn.zabbix.com:443

Attempt 2:

telnet www.zabbix.com 443
Trying 172.67.69.4...
Connected to www.zabbix.com.
Escape character is '^]'.

Attempt 3:

Ruling out the TLS version, turning off the local firewall and making sure no other proxy is in use, the SSL handshake still fails.

curl --tlsv1.2 --tls-max 1.2 -k -o abc.png "https://pica.zhimg.com/v2-9f0c86ebbec2f298401a22d272d3d066_r.jpg"
curl -k -v --noproxy "*" "https://ts3.tc.mm.bing.net/th/id/OIP-C.q2noN_8X9FnzTGtqe_ZNbwHaDH?w=474&h=199&c=7&bgcl=fffffe&r=0&o=6&pid=23.1" -o aaaa.png

Explanation:
  - `--noproxy "*"`: tells curl to ignore any proxy settings and connect directly.
  - `-k`: ignore SSL certificate errors.
  - `-v`: verbose output, handy for debugging.

[5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ts3.tc.mm.bing.net:443
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

Attempt 4: examining the SSL handshake log in detail

$ curl -vvv -k -o /dev/null https://pica.zhimg.com/v2-9f0c86ebbec2f298401a22d272d3d066_r.jpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying 115.238.220.41...
* TCP_NODELAY set
* Connected to pica.zhimg.com (115.238.220.41) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to pica.zhimg.com:443
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to pica.zhimg.com:443

A successful connection looks roughly like this:
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):

Attempt 5: testing the TLS handshake directly with OpenSSL

Handshake failure on the server: notably, the failure output appears very quickly; the result below is printed immediately after pressing Enter.

$ openssl s_client -connect pica.zhimg.com:443 -servername pica.zhimg.com -showcerts --debug
CONNECTED(00000003)
write to 0x559b289f6af0 [0x559b28a0d210] (312 bytes => 312 (0x138))
0000 - 16 03 01 01 33 01 00 01-2f 03 03 bd 80 dc f1 e5   ....3.../.......
0010 - 38 4d 73 73 d0 dd f9 48-7f 39 06 e6 5a 53 78 2c   8Mss...H.9..ZSx,
0020 - 31 e2 97 8d f3 ed 2b 57-c4 95 15 20 15 25 ef 66   1.....+W... .%.f
0030 - 2d 2b 91 a9 02 4e 04 d5-24 54 e8 78 99 ad 16 73   -+...N..$T.x...s
0040 - 87 b7 a0 c5 d7 a4 a1 4a-40 fb 21 31 00 48 13 02   .......J@.!1.H..
0050 - 13 03 13 01 13 04 c0 2c-c0 30 cc a9 cc a8 c0 ad   .......,.0......
0060 - c0 2b c0 2f c0 ac c0 23-c0 27 c0 0a c0 14 c0 09   .+./...#.'......
0070 - c0 13 00 9d c0 9d 00 9c-c0 9c 00 3d 00 3c 00 35   ...........=.<.5
0080 - 00 2f 00 9f cc aa c0 9f-00 9e c0 9e 00 6b 00 67   ./...........k.g
0090 - 00 39 00 33 00 ff 01 00-00 9e 00 00 00 13 00 11   .9.3............
00a0 - 00 00 0e 70 69 63 61 2e-7a 68 69 6d 67 2e 63 6f   ...pica.zhimg.co
00b0 - 6d 00 0b 00 04 03 00 01-02 00 0a 00 0c 00 0a 00   m...............
00c0 - 1d 00 17 00 1e 00 19 00-18 00 23 00 00 00 16 00   ..........#.....
00d0 - 00 00 17 00 00 00 0d 00-26 00 24 04 03 05 03 06   ........&.$.....
00e0 - 03 08 07 08 08 08 09 08-04 08 0a 08 05 08 0b 08   ................
00f0 - 06 04 01 05 01 06 01 03-03 03 01 02 03 02 01 00   ................
0100 - 2b 00 05 04 03 04 03 03-00 2d 00 02 01 01 00 33   +........-.....3
0110 - 00 26 00 24 00 1d 00 20-98 66 ba cf 81 51 e1 af   .&.$... .f...Q..
0120 - ee 4e 72 76 c0 f6 29 8e-47 d9 2a d6 79 8c 4d df   .Nrv..).G.*.y.M.
0130 - 9c c4 57 2c 57 48 06 22-                          ..W,WH."
read from 0x559b289f6af0 [0x559b28a03ff3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 312 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x559b289f6af0 [0x559b2891ce00] (8192 bytes => 0 (0x0))

Correct TLS handshake on my own computer: for comparison with the above, only the client hello packet is shown here.

~ openssl s_client -connect pica.zhimg.com:443 -servername pica.zhimg.com -showcerts --debug
CONNECTED(00000005)
write to 0x600003c9c100 [0x7f8042018a00] (316 bytes => 316 (0x13C))
0000 - 16 03 01 01 37 01 00 01-33 03 03 7e f2 c8 f2 fc   ....7...3..~....
0010 - 41 b7 63 fc 52 d6 66 6d-34 63 60 73 1c 86 ee ac   A.c.R.fm4c`s....
0020 - b3 01 b4 7a 04 11 17 c4-18 46 0d 20 e7 af 8c 4d   ...z.....F. ...M
0030 - 8d 25 6a 04 ed c8 51 22-27 1b 3a 67 d6 43 4c b8   .%j...Q"'.:g.CL.
0040 - 59 a5 60 69 7f ab a1 15-09 75 ac 42 00 3e 13 02   Y.`i.....u.B.>..
0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa   .....,.0........
0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27   .+./...$.(.k.#.'
0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d   .g.....9.....3..
0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 ac   ...=.<.5./......
0090 - 00 00 00 13 00 11 00 00-0e 70 69 63 61 2e 7a 68   .........pica.zh
00a0 - 69 6d 67 2e 63 6f 6d 00-0b 00 04 03 00 01 02 00   img.com.........
00b0 - 0a 00 0c 00 0a 00 1d 00-17 00 1e 00 19 00 18 00   ................
00c0 - 23 00 00 00 16 00 00 00-17 00 00 00 0d 00 30 00   #.............0.
00d0 - 2e 04 03 05 03 06 03 08-07 08 08 08 09 08 0a 08   ................
00e0 - 0b 08 04 08 05 08 06 04-01 05 01 06 01 03 03 02   ................
00f0 - 03 03 01 02 01 03 02 02-02 04 02 05 02 06 02 00   ................
0100 - 2b 00 09 08 03 04 03 03-03 02 03 01 00 2d 00 02   +............-..
0110 - 01 01 00 33 00 26 00 24-00 1d 00 20 d9 f7 d0 45   ...3.&.$... ...E
0120 - 47 da f2 7e 5b f7 70 25-62 ff 10 71 7a 3e 0a ee   G..~[.p%b..qz>..
0130 - 3f e2 0a d0 32 11 ec 60-82 53 75 12               ?...2..`.Su.
read from 0x600003c9c100 [0x7f804200f603] (5 bytes => 5 (0x5))

Analysing the packets above, neither client hello looks wrong. From what other angles could I analyse this?
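One way to take the comparison further: decode the raw ClientHello bytes from the `openssl s_client -debug` dump into named fields (legacy version, cipher suites, extension list, SNI, supported_versions) so the two captures can be diffed field by field rather than by eye. This is an added example, not code from the post; the hex below is the server-side ClientHello transcribed from the dump above, and the Macbook dump can be fed through the same function in the same way.

```python
# Added example (not from the post): parse one TLS record carrying a ClientHello
# (RFC 8446 section 4.1.2) into fields that can be diffed between two hosts.

# Server-side ClientHello (312 bytes) transcribed from the RedHat dump above.
SERVER_CLIENT_HELLO = bytes.fromhex(
    "16030101330100012f0303bd80dcf1e5384d7373d0ddf9487f3906e65a53782c"
    "31e2978df3ed2b57c49515201525ef662d2b91a9024e04d52454e87899ad1673"
    "87b7a0c5d7a4a14a40fb213100481302130313011304c02cc030cca9cca8c0ad"
    "c02bc02fc0acc023c027c00ac014c009c013009dc09d009cc09c003d003c0035"
    "002f009fccaac09f009ec09e006b00670039003300ff0100009e000000130011"
    "00000e706963612e7a68696d672e636f6d000b000403000102000a000c000a00"
    "1d0017001e00190018002300000016000000170000000d002600240403050306"
    "030807080808090804080a0805080b0806040105010601030303010203020100"
    "2b00050403040303002d00020101003300260024001d00209866bacf8151e1af"
    "ee4e7276c0f6298e47d92ad6798c4ddf9cc4572c57480622"
)


def _u16(b: bytes, off: int) -> int:
    return int.from_bytes(b[off:off + 2], "big")


def parse_client_hello(rec: bytes) -> dict:
    """Walk record header -> handshake header -> ClientHello and return the
    fields worth comparing: legacy_version, cipher suites, extension types,
    SNI and supported_versions."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    ch = rec[9:9 + int.from_bytes(rec[6:9], "big")]   # ClientHello body
    p = 2 + 32                                         # legacy_version + random
    p += 1 + ch[p]                                     # legacy_session_id
    cs_len = _u16(ch, p); p += 2
    suites = [ch[i:i + 2].hex() for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + ch[p]                                     # legacy_compression_methods
    end = p + 2 + _u16(ch, p); p += 2
    exts = {}
    while p < end:                                     # type(2) length(2) data
        et, el = _u16(ch, p), _u16(ch, p + 2)
        exts[et] = ch[p + 4:p + 4 + el]
        p += 4 + el
    out = {"record_bytes": len(rec), "legacy_version": ch[:2].hex(),
           "cipher_suites": suites, "extension_types": sorted(exts)}
    if 0 in exts:            # server_name: list_len(2) type(1) name_len(2) name
        out["sni"] = exts[0][5:5 + _u16(exts[0], 3)].decode("ascii")
    if 43 in exts:           # supported_versions: len(1) then 2-byte versions
        sv = exts[43]
        out["supported_versions"] = [sv[i:i + 2].hex() for i in range(1, 1 + sv[0], 2)]
    return out
```

Run the Macbook dump through the same function and diff the two dicts; from the bytes already on the page, for instance, the server offers supported_versions 0304/0303 while the Macbook offers 0304/0303/0302/0301, and the cipher-suite lists differ as well.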
