我有时使用 elinks 进行网页浏览,但碰巧一些 https 站点由于 SSL error 无法加载。
一个例子是 https://www.rust-lang.org,它不会在 elinks 中加载,但可以在其他浏览器(如 Chromium 和 firefox)中正常工作。
使用命令行检查 https://www.rust-lang.org 证书会给出一个非常短的输出:
$ echo | openssl s_client -connect www.rust-lang.org:443 2>/dev/null
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 297 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1459658221
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
作为比较,谷歌输出是:
$ echo | openssl s_client -connect www.google.com:443 2>/dev/null
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIF8zP738syB4wDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwMzIzMTk0MTQ0WhcNMTYwNjE1MTkyMDAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoxzls
wT/PC9gErDAme+LX9PAdv8270+BHCaNe/YxZE093ryPQq5PPKHsBNSzNvHwNfWuv
H3z/CBvaIiFgBimSm3cWOvjXipqTL5sHGkLr/RNAxmwo2dUKZ0LBUCXB4YvXkMb0
lI3XpgZk1CUzE7jj3HDgA+IOpT8JgbmKH19Z7+lwBzaunztBk8YM/LKrb9XtDzYW
diPkBwm0xx2dj2jCrj49Hvug9qAGQ5Zx8YuNrwR5qYXW/8aVB6MJ8r/ZLKzU39k3
nvp5ZylyGklJAuGneCblChzpR18ab8k2B/26qgCv7T4MLoAGRTbvTrZ0HxTj8aie
yI0+jZjRQjBeYwGPAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBQKfpRDWX9xAx1/4SBXfKJdHrqPHjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAiwUNf4uVHi1f8u1m
nd2vEHlOIQkNFLeuj9RPQfsFPL7fX/UzE5HbLzp1y4ICnRuCONKhz08YZ56pQ09A
+MfzIm0/e3yytHRf5f+YWATKkGtEh3pJdkOJM2UYIFFDs382a+bau7dTVyZFgMyS
m2Wlhw/zCLBgIebkSwsrrJAftwKu2AjvG6XJCUd08MSEe6UVF15COudEdVkKoDWR
ZmITWRFSFAeeJ5dKAzRojKVgGYV8tw6ByVKSizl5WS+hrXdD4IHkProKEFbSQgIv
Eyv87d8W8yscamZDU6Da+Djjxf07LkE3qDtd/RQY+IMm4V17ko6WfaV7ibionAA5
uAnzkw==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3727 bytes and written 423 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: BBBB89FD38DF58981900A70A2F92A01E57888CF80B71AE19DE5F92EDE389D7FE
Session-ID-ctx:
Master-Key: 80B4C5C3F81C7AFDAA226BB0285E9F9088737151CCB4EA742328C727363F9663997E68D757CB73B79EF8E3C90B622E12
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - ee 03 90 3e 12 a6 14 ba-f9 db 39 f7 6f 3c bf 58 ...>......9.o<.X
0010 - 32 5d 0a 6f 08 cf 17 f9-16 49 91 c3 4f 99 50 01 2].o.....I..O.P.
0020 - 6a 90 47 0a 7d 62 5e b8-26 ef 21 9f f3 df a9 35 j.G.}b^.&.!....5
0030 - 17 90 53 cf 6a 1e d8 e7-ef d9 7a fc ea 80 c0 74 ..S.j.....z....t
0040 - c2 ee ba e4 5c ef 04 38-45 58 75 f6 7f f4 cd 78 ....\..8EXu....x
0050 - eb 31 5d be c2 c9 bb cd-dc c1 13 cc 81 84 48 39 .1]...........H9
0060 - 12 52 43 ae c6 24 1b 6e-85 7f 23 90 ff 80 9c 11 .RC..$.n..#.....
0070 - 49 e2 b4 c1 bf 32 08 e5-c4 55 84 de 46 77 d0 a1 I....2...U..Fw..
0080 - 92 7b 7c 1b 54 a1 49 c2-b0 d7 b9 f8 65 d2 1d 19 .{|.T.I.....e...
0090 - 2d 8e 5a 66 72 6c c8 50-7c d7 aa b8 58 28 7c 7d -.Zfrl.P|...X(|}
00a0 - 4c 64 1a 85 Ld..
Start Time: 1459659110
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
为什么 Chromium 和 firefox 得到正确的证书而不是 elinks,
有没有办法在 elinks 中阅读这些网站?
最佳答案
您需要使用 Server Name Indication (SNI) 才能成功访问 www.rust-lang.org。使用 openssl s_client 这可以通过添加 -servername 参数来完成:
$ openssl s_client -connect www.rust-lang.org:443 \
-servername www.rust-lang.org
...
subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.rust-lang.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
所有现代浏览器都支持 SNI,它在互联网中被大量使用。例如,所有 Cloudflare Free SSL 都需要 SNI。我的猜测是您使用的 elinks 版本尚不支持 SNI。我从 09/2015 找到了一个针对 elinks 0.12pre6 的 related bug report。鉴于此版本仍然是最新版本,并且看起来像 development of elinks stopped in 2012,我的猜测是该问题仍未解决。
关于SSL 证书和 elink,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/36381767/