Pidgin handshake failed


I am trying to connect to an internal XMPP server using Pidgin on Arch Linux, but I keep getting an SSL Handshake Failed error in Pidgin.

These are the error lines I get when running pidgin -d:

(10:52:25) jabber: Sending (user@host): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(10:52:25) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
(10:52:25) nss: Handshake failed  (-12173)
(10:52:25) connection: Connection error on 0x16385f0 (reason: 5 description: SSL Handshake Failed)
(10:52:25) account: Disconnecting account user@host/ (0x1820c60)

I searched for that nss error and found here that this error means the server is using some kind of insecure key exchange.

Anyway, to get a handshake log I ran ssltap -s -p 5222 host:5222 and pointed Pidgin at localhost:5222, which gives the following:

Connected to HOST:5222
--> [
<?xml version='1.0' ?><stream:stream to='HOST' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>]
<-- [
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="HOST" id="7d2b1460" xml:lang="en" version="1.0">]
<-- [
<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms></stream:features>]
--> [
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>]
<-- [
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>]
--> [
(151 bytes of 146)
SSLRecord { [Wed Feb 24 10:44:10 2016]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 146 (0x92)
   handshake {
      type = 1 (client_hello)
      length = 142 (0x00008e)
         ClientHelloV3 {
            client_version = {3, 3}
            random = {...}
            session ID = {
                length = 0
                contents = {...}
            }
            cipher_suites[17] = {
                (0xc02b) TLS/ECDHE-ECDSA/AES128-GCM/SHA256
                (0xc02f) TLS/ECDHE-RSA/AES128-GCM/SHA256
                (0xc00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA
                (0xc009) TLS/ECDHE-ECDSA/AES128-CBC/SHA
                (0xc013) TLS/ECDHE-RSA/AES128-CBC/SHA
                (0xc027) TLS/ECDHE-RSA/AES128-CBC/SHA256
                (0xc014) TLS/ECDHE-RSA/AES256-CBC/SHA
                (0xc007) TLS/ECDHE-ECDSA/RC4-128/SHA
                (0xc011) TLS/ECDHE-RSA/RC4-128/SHA
                (0x009e) TLS/DHE-RSA/AES128-GCM/SHA256
                (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
                (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
                (0x0067) TLS/DHE-RSA/AES128-CBC/SHA256
                (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
                (0x006b) TLS/DHE-RSA/AES256-CBC/SHA256
                (0x002f) TLS/RSA/AES128-CBC/SHA
                (0x0035) TLS/RSA/AES256-CBC/SHA
            }
            compression[1] = {
                (00) NULL
            }
            extensions[67] = {
              extension type server_name, length [14] = {
   0: 00 0c 00 00  09 6c 6f 63  61 6c 68 6f  73 74        | .....localhost
              }
              extension type renegotiation_info, length [1] = {
   0: 00                                                  | .
              }
              extension type elliptic_curves, length [8] = {
   0: 00 06 00 17  00 18 00 19                            | ........
              }
              extension type ec_point_formats, length [2] = {
   0: 01 00                                               | ..
              }
              extension type signature_algorithms, length [22] = {
   0: 00 14 04 01  05 01 06 01  02 01 04 03  05 03 06 03  | ................
  10: 02 03 04 02  02 02                                  | ......
              }
            }
         }
   }
}
]
<-- [
(2778 bytes of 2773)
SSLRecord { [Wed Feb 24 10:44:10 2016]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 2773 (0xad5)
   handshake {
      type = 2 (server_hello)
      length = 70 (0x000046)
         ServerHello {
            server_version = {3, 1}
            random = {...}
            session ID = {
                length = 32
                contents = {...}
            }
            cipher_suite = (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
            compression method = (00) NULL
         }
      type = 11 (certificate)
      length = 2135 (0x000857)
         CertificateChain {
            chainlength = 2132 (0x0854)
            Certificate {
               size = 925 (0x039d)
               data = { saved in file 'cert.001' }
            }
            Certificate {
               size = 1201 (0x04b1)
               data = { saved in file 'cert.002' }
            }
         }
      type = 12 (server_key_exchange)
      length = 552 (0x000228)
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
--> [
(7 bytes of 2)
SSLRecord { [Wed Feb 24 10:44:10 2016]
   type    = 21 (alert)
   version = { 3,1 }
   length  = 2 (0x2)
   fatal: illegal_parameter
}
]
Read EOF on Client socket. [Wed Feb 24 10:44:10 2016]
Read EOF on Server socket. [Wed Feb 24 10:44:10 2016]

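It looks like the server and the client agree on TLS/DHE-RSA/AES128-CBC/SHA, but then the client fails. Is that right? I have added cert.001 and cert.002 to Pidgin's certificates, but it does not help.

Since this is an internal server, I do not need or care about security. I changed Pidgin's account settings to Use encryption if available and Allow plaintext auth over unencrypted streams, but that does not work.

Any help on how to make Pidgin (or NSS) accept my server would be greatly appreciated.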

Output of pidgin --version:

Pidgin 2.10.12 (libpurple 2.10.12)

Output of pacman -Qi nss:

Name            : nss
Version         : 3.22-1
Description     : Mozilla Network Security Services
Architecture    : x86_64
URL             : http://www.mozilla.org/projects/security/pki/nss/
Licenses        : MPL  GPL
Groups          : None
Provides        : None
Depends On      : nspr>=4.10.10  sqlite  zlib  sh  p11-kit
Optional Deps   : None
Required By     : atom-editor  firefox  jre8-openjdk-headless  libnm-glib  libpurple  qca-qt4  qca-qt5
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 5.80 MiB
Packager        : Jan Alexander Steffens (heftig) <[email protected]>
Build Date      : Fri Feb 5 15:09:40 2016
Install Date    : Mon Feb 22 17:13:39 2016
Install Reason  : Installed as a dependency for another package
Install Script  : Yes
Validated By    : Signature

Edit:

I forgot to mention that I have no access to the server, so I cannot change anything on it.
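
An added example, not part of the original post: a small Python helper that reads an ssltap trace in the layout shown above and reports the chosen cipher suite, whether it relies on ephemeral DH parameters sent in server_key_exchange, and which side sent the fatal alert. The function name summarize and the trimmed SAMPLE trace are constructed for illustration.

```python
import re

# Constructed sample: a trimmed ssltap trace in the layout shown in the post.
SAMPLE = """\
--> [
      type = 1 (client_hello)
            cipher_suites[3] = {
                (0xc02f) TLS/ECDHE-RSA/AES128-GCM/SHA256
                (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
                (0x002f) TLS/RSA/AES128-CBC/SHA
            }
]
<-- [
      type = 2 (server_hello)
            server_version = {3, 1}
            cipher_suite = (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
      type = 12 (server_key_exchange)
      length = 552 (0x000228)
]
--> [
   type    = 21 (alert)
   fatal: illegal_parameter
]
"""

def summarize(trace):
    """Report what was negotiated and which side aborted the handshake."""
    out = {"offered": [], "chosen": None, "server_version": None,
           "ephemeral_dh": False, "messages": [], "alert": None, "alert_from": None}
    direction = None
    for line in trace.splitlines():
        s = line.strip()
        if s in ("--> [", "<-- ["):            # ssltap: --> is client to server
            direction = "client" if s.startswith("-->") else "server"
        elif m := re.match(r"\((0x[0-9a-f]{4})\) (\S+)$", s):
            out["offered"].append(m.group(2))  # ClientHello suite list entry
        elif m := re.match(r"cipher_suite = \(0x[0-9a-f]{4}\) (\S+)$", s):
            out["chosen"] = m.group(1)
            # DHE/ECDHE suites carry the server's ephemeral key in server_key_exchange
            out["ephemeral_dh"] = m.group(1).startswith(("TLS/DHE-", "TLS/ECDHE-"))
        elif m := re.match(r"server_version = \{(\d+), ?(\d+)\}", s):
            out["server_version"] = (int(m.group(1)), int(m.group(2)))
        elif m := re.match(r"type\s*= \d+ \((\w+)\)$", s):
            if m.group(1) not in ("handshake", "alert"):  # skip record-layer types
                out["messages"].append((direction, m.group(1)))
        elif m := re.match(r"fatal: (\w+)$", s):
            out["alert"], out["alert_from"] = m.group(1), direction
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
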
