SSL error with Mechanize

I ran these commands in irb:

    require 'mechanize'
    agent = Mechanize.new
    agent.get('https://monabo.lemonde.fr/customer/account/forgotpassword/')

I got this error:

 OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure 

I tried on a Mac and it works; I do not get this error there. However, it does not work on my computer (running Linux Mint 17).

What I tried:

  • Exporting this variable:

      export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

  • Setting this variable:

      agent.agent.http.ca_file = '/etc/ssl/certs/ca-certificates.crt'

  • Setting this:

      OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

  • Changing the Ruby version (I am currently using ruby 2.1.5p275)

None of these solutions changed the problem. I suspect the server requires a specific OpenSSL version.

Note that I can request https://google.com through mechanize and it works, but not https://monabo.lemonde.fr/customer/account/forgotpassword/ . The fact that it works on the Mac may suggest that my configuration is wrong.

Edit: here is the output of this command:

    ➜ swiff git:(master) ✗ openssl s_client -connect monabo.lemonde.fr/customer/account/forgotpassword:443 -tls1 -servername monabo.lemonde.fr/customer/account/forgotpassword | openssl x509 -text -noout
    gethostbyname failure
    connect:errno=0
    unable to load certificate
    140045809014432:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

Some other data:

  • http://pastebin.com/raw.php?i=AYDbwqqD
  • http://pastebin.com/raw.php?i=vC07aTyY
  • http://pastebin.com/raw.php?i=VLtLvuEG

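The server supports only SSLv3 and TLSv1, and only the cipher DES-CBC3-SHA. This cipher is not included in the default cipher set used by your Ruby version, as you can see at https://github.com/ruby/ruby/blob/ruby_2_1/ext/openssl/lib/openssl/ssl.rb. This setup is strange because, as far as I know, DES-CBC3-SHA (i.e. DES3) is considered more secure than the RC4-SHA that is in their cipher set.

I tried to find a way to set the ciphers for the mechanize object, but I know too little about writing Ruby and only have an old version of Ruby on my system. You could try something like agent.agent.http.ciphers = [ 'des-cbc3-sha' ] or ask some Ruby experts.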

openssl s_client -connect monabo.lemonde.fr/customer/account/forgotpassword:443 -tls1 -servername monabo.lemonde.fr/customer/account/forgotpassword | openssl x509 -text -noout

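From the outside world, I am able to connect. I can resolve the "unable to get local issuer certificate" error below by using -CApath with the OpenSSL command (since it is not the problem, that is left as an exercise for the reader).

This may help you troubleshoot the issue….

Get a certificate dump: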

    $ openssl s_client -connect monabo.lemonde.fr:443 -tls1 -servername monabo.lemonde.fr | openssl x509 -text -noout
    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - G2
    verify error:num=20:unable to get local issuer certificate
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                11:21:56:eb:c5:b1:54:fb:88:02:47:ec:cd:51:d9:38:89:d2
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - G2
            Validity
                Not Before: Dec 18 17:19:34 2013 GMT
                Not After : Jan 19 18:10:24 2017 GMT
            Subject: OU=Domain Control Validated, CN=*.lemonde.fr
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                      CPS: https://www.globalsign.com/repository/
                X509v3 Subject Alternative Name:
                    DNS:*.lemonde.fr, DNS:lemonde.fr
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 CRL Distribution Points:
                    Full Name:
                      URI:http://crl.globalsign.com/gs/gsdomainvalg2.crl
                Authority Information Access:
                    CA Issuers - URI:http://secure.globalsign.com/cacert/gsdomainvalg2.crt
                    OCSP - URI:http://ocsp2.globalsign.com/gsdomainvalg2
                X509v3 Subject Key Identifier:
                    49:7C:AB:DD:45:95:AB:8C:15:8E:9A:E2:0E:FE:79:39:FF:5C:A6:3C
                X509v3 Authority Key Identifier:
                    keyid:96:AD:FA:B0:5B:B9:83:64:2A:76:C2:1C:8A:69:DA:42:DC:FE:FD:28
        Signature Algorithm: sha1WithRSAEncryption

Perform an HTML GET (note the -ign_eof):

    riemann::cryptopp$ echo -e "GET /customer/account/forgotpassword HTTP/1.1\r\nHost:monabo.lemonde.fr\r\n\r\n" | openssl s_client -connect monabo.lemonde.fr:443 -tls1 -ign_eof -servername monabo.lemonde.fr
    CONNECTED(00000003)
    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - G2
    verify error:num=20:unable to get local issuer certificate
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/CN=*.lemonde.fr
       i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
     1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
       i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    ---
    Server certificate
    subject=/OU=Domain Control Validated/CN=*.lemonde.fr
    issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2528 bytes and written 584 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DES-CBC3-SHA
        Session-ID:
        Session-ID-ctx:
        Master-Key: 5CB47D92BE13BC28113D333A7B3BEECBF90B78EB4751BC1285F4EB1EA129914D8E61629E1EE84E9B6177ADC1E2CA9AE9
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1428944574
        Timeout   : 7200 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    HTTP/1.0 200 OK
    Set-Cookie: ARVATO=R212127208; path=/
    Set-Cookie: ARVATO=R1228432574; path=/
    Date: Mon, 13 Apr 2015 16:56:33 GMT
    Server: Apache
    Set-Cookie: frontend=8b5a9c59bc8c3e36259d9bb9c5d786b6; expires=Thu, 03-Mar-2332 10:43:14 GMT; path=/; domain=monabo.lemonde.fr; HttpOnly
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, public
    Pragma: no-cache
    Vary: Accept-Encoding
    Content-Type: text/html; charset=UTF-8
    X-Cache: MISS from cache-02
    X-Cache-Lookup: MISS from cache-02:80
    Connection: close

    Magento Commerce
    ...
    closed

Attempt to force an SSLv3 failure (note the use of -ssl3 and the absence of -servername):

    $ openssl s_client -connect monabo.lemonde.fr:443 -ssl3 | openssl x509 -text -noout
    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - G2
    verify error:num=20:unable to get local issuer certificate
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                11:21:56:eb:c5:b1:54:fb:88:02:47:ec:cd:51:d9:38:89:d2
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - G2
            Validity
                Not Before: Dec 18 17:19:34 2013 GMT
                Not After : Jan 19 18:10:24 2017 GMT
            Subject: OU=Domain Control Validated, CN=*.lemonde.fr
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                      CPS: https://www.globalsign.com/repository/
                X509v3 Subject Alternative Name:
                    DNS:*.lemonde.fr, DNS:lemonde.fr
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 CRL Distribution Points:
                    Full Name:
                      URI:http://crl.globalsign.com/gs/gsdomainvalg2.crl
                Authority Information Access:
                    CA Issuers - URI:http://secure.globalsign.com/cacert/gsdomainvalg2.crt
                    OCSP - URI:http://ocsp2.globalsign.com/gsdomainvalg2
                X509v3 Subject Key Identifier:
                    49:7C:AB:DD:45:95:AB:8C:15:8E:9A:E2:0E:FE:79:39:FF:5C:A6:3C
                X509v3 Authority Key Identifier:
                    keyid:96:AD:FA:B0:5B:B9:83:64:2A:76:C2:1C:8A:69:DA:42:DC:FE:FD:28
        Signature Algorithm: sha1WithRSAEncryption

You can add the cipher to the default cipher list:

    require 'openssl'
    OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers] += ':DES-CBC3-SHA'

Then:

    require 'mechanize'
    agent = Mechanize.new
    agent.get 'https://monabo.lemonde.fr/customer/account/forgotpassword/'
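The following is an added example, not code from any of the answers on this page. It checks whether the local OpenSSL build and Ruby's default cipher string would offer the single suite the server accepts (the cause given in the first answer), and builds a context for one connection with that suite appended and certificate verification left on, instead of changing the process-wide defaults. The helper names are hypothetical, and the `'DEFAULT'` fallback assumes an openssl gem that leaves `DEFAULT_PARAMS[:ciphers]` unset.

```ruby
require 'openssl'

# Suite names the local OpenSSL build would offer for a cipher string.
# Returns [] when nothing matches (for example, 3DES compiled out).
def offered_ciphers(cipher_string)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_string
  ctx.ciphers.map(&:first)
rescue OpenSSL::SSL::SSLError
  []
end

# Cipher string Ruby applies by default. Assumption: when the key is unset,
# OpenSSL's own "DEFAULT" list is what the client ends up using.
def default_cipher_string
  OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers] || 'DEFAULT'
end

# Append one suite to a cipher string unless it is already listed by name.
def with_cipher(base, extra)
  base.split(':').include?(extra) ? base : "#{base}:#{extra}"
end

# Explain a handshake failure against a server that accepts only server_cipher.
def diagnose(server_cipher, client_string = default_cipher_string)
  unless offered_ciphers(server_cipher).include?(server_cipher)
    return :unavailable_in_build
  end
  return :offered if offered_ciphers(client_string).include?(server_cipher)

  :not_in_client_list
end

# Context for one connection only: the process-wide defaults stay untouched
# and certificate verification stays enabled.
def context_for(server_cipher)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER)
  ctx.ciphers = with_cipher(default_cipher_string, server_cipher)
  ctx
end

# Constructed input: the suite name reported by s_client on this page.
puts diagnose('DES-CBC3-SHA') if __FILE__ == $PROGRAM_NAME
```

A result of `:unavailable_in_build` means no cipher-list change in Ruby can make the handshake succeed, because the linked OpenSSL does not implement the suite at all.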

Installing the certified gem solved this problem for me, using the following versions of ruby / rubygems on Windows 7.

    > ruby -v
    ruby 2.2.3p173 (2015-08-18 revision 51636) [i386-mingw32]
    > gem -v
    2.6.6