
Got TLS error: FATAL alert returned by server: HANDSHAKE_FAILURE

  •  1
  • tarun14110  · Tech community  · 7 years ago

    I am getting the error Got TLS error: FATAL alert returned by server: HANDSHAKE_FAILURE

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    
    from __future__ import with_statement
    from __future__ import print_function
    import socket
    import sys
    try:
        # This import works from the project directory
        from scapy_ssl_tls.ssl_tls import *
    except ImportError:
        # If you installed this package via pip, you just need to execute this
        from scapy.layers.ssl_tls import *
    
    tls_version = TLSVersion.TLS_1_2
    # Cipher suites offered in the ClientHello (only one at a time here)
    ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_GCM_SHA256]
    # ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA384]
    # ciphers = [TLSCipherSuite.RSA_WITH_AES_128_CBC_SHA]
    # ciphers = [TLSCipherSuite.RSA_WITH_RC4_128_SHA]
    # ciphers = [TLSCipherSuite.DHE_RSA_WITH_AES_128_CBC_SHA]
    # ciphers = [TLSCipherSuite.DHE_DSS_WITH_AES_128_CBC_SHA]
    # TLS extensions sent in the ClientHello
    extensions = [TLSExtension() / TLSExtECPointsFormat(),
                  TLSExtension() / TLSExtSupportedGroups()]
    
    
    def tls_client(ip):
        with TLSSocket(client=True) as tls_socket:
            try:
                print("kooo")  # debug marker
                tls_socket.connect(ip)
                print("Connected to server: %s" % (ip,))
            except socket.timeout:
                print("Failed to open connection to server: %s" % (ip,), file=sys.stderr)
            else:
                try:
                    # Full handshake with the configured version, suites and extensions
                    server_hello, server_kex = tls_socket.do_handshake(tls_version, ciphers, extensions)
                    server_hello.show()
                    tls_socket.setsockopt(socket.SOL_IP, socket.IP_TTL, 20)
                except TLSProtocolError as tpe:
                    # The server's alert (e.g. HANDSHAKE_FAILURE) is carried in tpe.response
                    print("Got TLS error: %s" % tpe, file=sys.stderr)
                    tpe.response.show()
                else:
                    # Send application data over the established session
                    resp = tls_socket.do_round_trip(TLSPlaintext(data="GET / HTTP/1.1\r\nHost: pirate.trade\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n"))
                    print("Got response from server")
                    resp.show()
                # finally:
                #     print(tls_socket.tls_ctx)
    
    
    if __name__ == "__main__":
        if len(sys.argv) > 2:
            server = (sys.argv[1], int(sys.argv[2]))
        else:
            server = ("pirate.trade", 443)
        tls_client(server)
    

    The code above is from this link: https://github.com/tintinweb/scapy-ssl_tls/blob/master/examplesfull_rsa_connection_with_application_data.py

    1 answer  |  7 years ago
  •  1
  •   Steffen Ullrich    7 years ago

    There are two problems with running the shown code against pirate.trade

    The first is that the site only supports ECDSA ciphers, because it only has an ECDSA certificate. This can be seen, for example, from the SSLLabs report when looking at the ciphers or the certificate in the report. To fix this, replace this line, which offers only an RSA cipher

    ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_GCM_SHA256]
    

    with this line, which offers an ECDSA cipher

    ciphers = [TLSCipherSuite.ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
    

    The second problem is that the site requires the SNI TLS extension. This can also be seen from the SSLLabs report:

    This site works only in browsers with SNI support.

    extensions = [TLSExtension() / TLSExtECPointsFormat(),
                  TLSExtension() / TLSExtSupportedGroups(),
                  TLSExtension() / TLSExtServerNameIndication(server_names=TLSServerName(data="pirate.trade"))]
    

    Only when both fixes are applied will the handshake succeed.
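Added example, not part of the question or the answer: a small TLS 1.2 ClientHello builder and parser in plain Python (no scapy-ssl_tls) that lets you check offline what a client actually offers, i.e. whether a suite matching the server's ECDSA certificate and an SNI extension are present, the two things the answer identifies. The function names and the record bytes are constructed for this example; the cipher suite code table only covers the two suites named in the thread.

```python
import struct

# IANA cipher suite codes for the two suites in the thread, with their auth algorithm
ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B
AUTH = {0xC02F: "RSA", 0xC02B: "ECDSA"}
SNI_EXT_TYPE = 0


def build_client_hello(cipher_suites, sni=None):
    """Constructed TLS 1.2 ClientHello record: zero random, no session id,
    null compression, optional server_name extension (not a full client)."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        body = struct.pack("!H", len(entry)) + entry            # ServerNameList
        exts += struct.pack("!HH", SNI_EXT_TYPE, len(body)) + body
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"                 # version, random, session id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00"                                      # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 22 = handshake


def parse_client_hello(record):
    """Return (offered cipher suite codes, SNI host name or None)."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    p = 9 + 2 + 32                     # record header, handshake header, version, random
    p += 1 + record[p]                 # session id
    n = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + record[p]                 # compression methods
    sni = None
    if p < len(record):
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]; p += 2
        while p < end:
            etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
            if etype == SNI_EXT_TYPE:  # list len(2), name_type(1), name_len(2), name
                nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
                sni = record[p + 5:p + 5 + nlen].decode()
            p += elen
    return suites, sni


def missing_fixes(record, cert_key="ECDSA"):
    """List what the ClientHello lacks for a server with a cert_key certificate that needs SNI."""
    suites, sni = parse_client_hello(record)
    problems = []
    if not any(AUTH.get(c) == cert_key for c in suites):
        problems.append("no cipher suite matching the server's %s certificate" % cert_key)
    if sni is None:
        problems.append("no SNI extension")
    return problems
```

The same parser can be pointed at a ClientHello captured from the scapy-ssl_tls client (e.g. exported from a pcap) to confirm which of the two fixes is still missing.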