Note - curl request to raw.githubusercontent.com fails with sslv3 alert handshake failure

jun@192 ~ % curl https://raw.githubusercontent.com                             
curl: (35) SSL peer handshake failed, the server most likely requires a client certificate to connect

Finding the cause

First, try connecting with openssl; it reports an error:

jun@192 ~ % /usr/local/Cellar/openssl@1.1/1.1.1f/bin/openssl s_client -tls1_2 -connect raw.githubusercontent.com:443
CONNECTED(00000003)
4624272896:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 228 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1596684480
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---

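Then use the https://myssl.com/ site to check the encryption protocols and related information that https://raw.githubusercontent.com supports.
The result: TLS 1.0, 1.1 and 1.2 are supported.

However, this domain has many IPs, and many of those IPs have a certificate security rating of T!

Fixing the problem

I picked an IP in Hong Kong with an A+ rating and changed the hosts file.
Pinging afterwards showed the corresponding IP working normally.

Connecting with openssl now works as well.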

jun@192 ~ % /usr/local/Cellar/openssl@1.1/1.1.1f/bin/openssl s_client -tls1_2 -connect raw.githubusercontent.com:443 -servername raw.githubusercontent.com

CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = www.github.com
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = www.github.com
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
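
Before pinning one of the domain's IPs in the hosts file, the same openssl check can be scripted per IP. The sketch below is an added example, not part of the original post: `classify_s_client` and `probe_ip` are hypothetical helper names, the sample outputs are constructed (the first is trimmed from the failing run above), and the alert is checked before the verify code because the failed handshake above still prints `Verify return code: 0 (ok)`.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output for one candidate IP.
# classify_s_client and probe_ip are hypothetical helper names.

# Reads s_client output on stdin and prints one verdict:
#   handshake_failure:<n>  fatal TLS alert number n (40 = handshake_failure)
#   no_certificate         handshake ended without a peer certificate
#   untrusted:<code>       certificate presented, but verification failed
#   ok                     certificate presented and verify code is 0
classify_s_client() {
  out=$(cat)
  alert=$(printf '%s\n' "$out" | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | head -n 1)
  code=$(printf '%s\n' "$out" | sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
  # Alert and missing-certificate checks come first: a failed handshake
  # still reports verify code 0 because nothing was ever verified.
  if [ -n "$alert" ]; then
    echo "handshake_failure:$alert"
  elif printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
    echo "no_certificate"
  elif [ "$code" = "0" ]; then
    echo "ok"
  else
    echo "untrusted:${code:-unknown}"
  fi
}

# probe_ip HOST IP: handshake with IP directly, sending HOST as SNI and
# requiring the certificate to match HOST. Needs network access.
probe_ip() {
  openssl s_client -tls1_2 -connect "$2:443" -servername "$1" \
    -verify_hostname "$1" </dev/null 2>&1 | classify_s_client
}

# Constructed samples; FAILED_SAMPLE is trimmed from the failing run above.
FAILED_SAMPLE='CONNECTED(00000003)
4624272896:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
no peer certificate available
Verify return code: 0 (ok)'
MISMATCH_SAMPLE='CONNECTED(00000005)
Verify return code: 62 (Hostname mismatch)'
GOOD_SAMPLE='CONNECTED(00000005)
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = www.github.com
Verify return code: 0 (ok)'

printf '%s\n' "$FAILED_SAMPLE" | classify_s_client    # handshake_failure:40
printf '%s\n' "$MISMATCH_SAMPLE" | classify_s_client  # untrusted:62
printf '%s\n' "$GOOD_SAMPLE" | classify_s_client      # ok
```

Run `probe_ip raw.githubusercontent.com <candidate-ip>` for each resolved address and add only an IP that reports `ok` to the hosts file.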