git OpenSSL errno 10054,连接被拒绝,同时尝试连接到我们的服务器
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/25485816/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
OpenSSL errno 10054,connection refused, whilst trying to connect to our server
提问by Feanaro
We are running a git server over https and didn't have any trouble connecting because we all used visual studio to do so. Now someone wants to use the standard git bash and it fails to connect with the following error output.
我们正在通过 https 运行 git 服务器,并且连接没有任何问题,因为我们都使用了 Visual Studio。现在有人想使用标准的 git bash 并且它无法连接到以下错误输出。
fatal: unable to access 'https://server/Repo.git/': Unknown SSL protocol error in connection to server:443
I tried some different ciphersuites, nothing worked. Then it came to me that it might be that git doesn't support ECDSA certificates yet. So I exchanged the ECDSA certificate for one with RSA. That also didn't work.
我尝试了一些不同的密码套件,但没有任何效果。然后我想到可能是 git 还不支持 ECDSA 证书。所以我用 RSA 交换了 ECDSA 证书。那也没有用。
Then I tried connecting with OpenSSL s_client with the following command:
然后我尝试使用以下命令与 OpenSSL s_client 连接:
OpenSSL> s_client -connect server:443
This is the output from running the command:
这是运行命令的输出:
CONNECTED(0000018C)
write:errno=10054
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
I searched google for the error number 10054and found it means connection refused. We use IIS 8.5 to supply the https endpoint for the git server. I can connect to the web environment through all webbrowsers and we can use the git server through the visual studio git interface. So I don't think it's a firewall issue.
I'd like to know if anyone has experienced this problem before and if they could help us out here?
我在谷歌上搜索错误号10054,发现这意味着连接被拒绝。我们使用 IIS 8.5 为 git 服务器提供 https 端点。我可以通过所有的webbrowsers 连接到web 环境,我们可以通过visual studio git 接口使用git 服务器。所以我认为这不是防火墙问题。我想知道是否有人以前遇到过这个问题,他们是否可以帮助我们?
回答by Steffen Ullrich
10054 is not connection refused, but connection reset by peer. This means, that a TCP connection was successfully established (s_client indicates CONNECTED) but when sending more data from the client to the server the server closed the connection without reading all the data (and send TCP RST back).
10054 不是连接被拒绝,而是连接被对方重置。这意味着,TCP 连接已成功建立(s_client 表示已连接),但是当从客户端向服务器发送更多数据时,服务器关闭了连接而不读取所有数据(并将 TCP RST 发回)。
While this could be a firewall issue it could also indicate a problem at the server configuration, that is the server accepts the client but then cannot continue because of an invalid configuration. Such invalid configurations might be a missing permissions for the requested data, certificate without usable private key or others. I would suggest that you have a look at the server logs for more information.
虽然这可能是防火墙问题,但也可能表明服务器配置存在问题,即服务器接受客户端但由于配置无效而无法继续。这种无效的配置可能是缺少对所请求数据的权限、没有可用私钥的证书或其他。我建议您查看服务器日志以获取更多信息。
I've also seen TCP RST with servers, load balancers or firewalls which do not understand current TLS versions and simply close the connection. Browsers work around this issue by transparently retrying with a lower TLS version. You might try if openssl s_client -ssl3works against this server and you receive a certificate.
我还看到了带有服务器、负载平衡器或防火墙的 TCP RST,它们不了解当前的 TLS 版本并简单地关闭连接。浏览器通过使用较低的 TLS 版本透明地重试来解决此问题。您可以尝试是否openssl s_client -ssl3在此服务器上工作并收到证书。
回答by Feanaro
Verify that you are using TLS 1.0 or above. Some servers require TLS 1.2. If you are not sure that your server supports up to TLS 1.2 look at Steffen Ulrich's answer above and try that first.
验证您使用的是 TLS 1.0 或更高版本。某些服务器需要 TLS 1.2。如果您不确定您的服务器是否支持 TLS 1.2,请查看上面 Steffen Ulrich 的回答并先尝试。
If that does not help, then check if SNIis required for the endpoint. If that is the case this might be the problem. If you call the s_clientcommand with the servernameparameter set to the servername which you'd like to contact that should work.
如果这没有帮助,则检查端点是否需要SNI。如果是这种情况,这可能是问题所在。如果您s_client将servername参数设置为您想要联系的服务器名称来调用该命令,则该命令应该可以工作。
Example basic command:
示例基本命令:
s_client -connect example.com:443 -tls1 -servername example.com
You can find the options for s_clientat s_clientman page.
您可以s_client在s_client手册页中找到 的选项。
