Saito-san,
Thank you.
I confirmed the SSL_connect error. I wonder why...
When I tried writing the error information out to the log as text, I got this message.
---
8960:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1544:SSL alert number 40
---
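I googled this message and some information came up, but I don't really understand it..
Apparently, as of the OpenSSL 1.1 series, old cipher suites such as 3DES_EDE_CBC have been disabled(?), but the site in question doesn't seem to be old either..
As a test, I tried connecting to the site in question with s_client from the openssl.exe that was produced when I built 1.1.1n, the version JCBookmark uses, and it connected.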
---
openssl-1.1.1n\apps>openssl.exe s_client -connect www.palemoon.org:443
CONNECTED(00000208)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.palemoon.org
verify return:1
---
Certificate chain
0 s:CN = *.palemoon.org
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIExjCCBGugAwIBAgIRAJRq87k7mF9vj9DqIIHzo80wCgYIKoZIzj0EAwIwgY8x
CzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNV
:
SQAwRgIhAPWKmEQL9MFyZufJdJx9MtKHQjMUZuQiTr2tvPaOw268AiEAmnt+8A4L
wb5jWDAhjtE33qLh+ZowBhgoGJzoICnPSkY=
-----END CERTIFICATE-----
subject=CN = *.palemoon.org
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: ECDSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3514 bytes and written 444 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 384 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES256-GCM-SHA384
Session-ID: D7B406876DBB21E1AE45DFE1B68F04EE17F90BDAA725D0B2AEEDC374B5842FAD
Session-ID-ctx:
Master-Key: 56B0998C4BA115B0131296D8869C92C4547FF0A58B0F808DBF802B718607650625394EE28A7FC7B33A573A8E05C59601
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1651592175
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
---
So JCBookmark should be able to connect too...
Something may differ from what s_client does. I think I'll look into the s_client source code.
- ZTMS (administrator)
- 2022/05/04 (Wed) 00:51:28
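
An added example, not part of the original post or of JCBookmark's code: a decoder for the OpenSSL 1.1.x error line logged above, showing how the packed code `14094410` yields the TLS alert number. The function and constant names are hypothetical, the alert table is a subset of the TLS RFC values, and the 8/12/12-bit code layout is the one OpenSSL 1.1.x uses.

```python
import re

# OpenSSL 1.1.x packs an error code as lib(8 bits) | func(12 bits) | reason(12 bits).
ERR_LIB_SSL = 20
# For alerts received from the peer, libssl sets reason = 1000 + alert description.
SSL_AD_REASON_OFFSET = 1000

# Subset of TLS alert descriptions (RFC 5246 / RFC 8446).
TLS_ALERTS = {
    10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 50: "decode_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}

# Layout: id:error:CODE:library:function:reason:file:line:extra data
LINE_RE = re.compile(
    r"^(?P<id>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>.*):(?P<line>\d+):(?P<data>.*)$"
)

def decode_openssl_error(text):
    """Split one ERR_print_errors-style line and decode its packed error code."""
    m = LINE_RE.match(text.strip())
    if m is None:
        return None
    code = int(m["code"], 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        alert = reason - SSL_AD_REASON_OFFSET
    return {
        "lib": lib, "func": func, "reason": reason,
        "source": (m["file"], int(m["line"])),
        "peer_alert": alert,
        "peer_alert_name": TLS_ALERTS.get(alert, "unknown") if alert is not None else None,
        # Cross-check against the "SSL alert number N" text libssl appends.
        "data_matches": alert is not None and m["data"].strip() == f"SSL alert number {alert}",
    }

# The line logged in the post above.
LOGGED = r"8960:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1544:SSL alert number 40"

if __name__ == "__main__":
    print(decode_openssl_error(LOGGED))
```

A reason value in the 1000+ range is recorded when a fatal alert arrives from the peer, so the logged line reports the server aborting the handshake with `handshake_failure` rather than a check failing locally in the client.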