openssl s_client -connect mydtac.dtac.co.th:443
3074164412:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
You need to use SSLv3 or TLS 1.0. You cannot send a ClientHello with TLS 1.1 or 1.2.
First, TLS 1.0 (don't worry about the self-signed certificate warning - I did not use the CAfile option):
$ /usr/local/ssl/darwin/bin/openssl s_client -tls1 -connect mydtac.dtac.co.th:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=TH/ST=Bangkok/L=Pathumwan/O=DTAC Internet Service Co., Ltd./OU=Enterprise Service Support/CN=*.dtac.co.th
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
...
Next, TLS 1.2:
$ /usr/local/ssl/darwin/bin/openssl s_client -tls1_2 -connect mydtac.dtac.co.th:443
CONNECTED(00000003)
140735152734684:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
...
Related, the server is low-end and misconfigured. You should avoid it if possible:
$ openssl s_client -ssl3 -connect mydtac.dtac.co.th:443
CONNECTED(00000003)
...
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : RC4-MD5
Session-ID: 1C04C221FDD0501832FFD8904790A34
From the SSL scan, I'm guessing it's an older IIS server:
$ sslscan --no-failed mydtac.dtac.co.th
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|
Version 1.8.2
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
Testing SSL server mydtac.dtac.co.th on port 443
Supported Server Cipher(s):
Accepted SSLv3 128 bits ADH-RC4-MD5
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 40 bits EXP-ADH-RC4-MD5
Accepted SSLv3 40 bits EXP-RC4-MD5
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits ADH-RC4-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 112 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 112 bits ADH-DES-CBC3-SHA
Accepted TLSv1 112 bits DES-CBC3-SHA
Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1 56 bits ADH-DES-CBC-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-ADH-RC4-MD5
Accepted TLSv1 40 bits EXP-RC4-MD5
Prefered Server Cipher(s):
SSLv3 128 bits RC4-MD5
TLSv1 128 bits RC4-MD5
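
Added example (not part of the original answer): a Python parser that triages sslscan "Accepted" lines like those above and lists why each accepted suite is weak. The function names findings and audit are hypothetical, the sample is a constructed subset of the scan output, and the rule set is an assumption that flags only SSLv2/SSLv3 at the protocol level.

```python
import re

# Constructed sample: a subset of the lines from the sslscan output above.
SAMPLE = """\
Accepted SSLv3 128 bits ADH-RC4-MD5
Accepted SSLv3 40 bits EXP-RC4-MD5
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 112 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Prefered Server Cipher(s):
SSLv3 128 bits RC4-MD5
"""

ACCEPTED = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

def findings(proto, bits, cipher):
    """Reasons one accepted (protocol, key bits, OpenSSL cipher name) is weak."""
    parts = cipher.split("-")
    checks = [
        (proto in ("SSLv2", "SSLv3"), "obsolete protocol"),
        ("EXP" in parts, "export-grade"),
        (bits < 112, "short key"),
        ("ADH" in parts or "AECDH" in parts, "anonymous key exchange"),
        ("RC4" in parts, "RC4"),
        ("CBC3" in parts, "3DES"),
        ("MD5" in parts, "MD5 MAC"),
    ]
    return [reason for hit, reason in checks if hit]

def audit(scan_text):
    """Map (protocol, cipher) -> findings for every 'Accepted' line."""
    report = {}
    for line in scan_text.splitlines():
        m = ACCEPTED.match(line)
        if m:  # the 'Prefered' section and banner lines do not match
            proto, bits, cipher = m.group(1), int(m.group(2)), m.group(3)
            report[(proto, cipher)] = findings(proto, bits, cipher)
    return report

if __name__ == "__main__":
    for (proto, cipher), reasons in audit(SAMPLE).items():
        print(f"{proto:6} {cipher:22} {', '.join(reasons) or 'no findings'}")
```

On the sample, only AES256-SHA over TLSv1 comes back with no findings; every SSLv3 suite is flagged at least for the protocol.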