Sending email with Go/TLS results in "remote error: handshake failure" response

Question

We're using the Go smtp.SendMail() function to send email. If we disable that function from using TLS, we have no problems sending email to kaser.com. When using TLS, we get the following error: remote error: handshake failure.

If I run openssl s_client -connect kaser.com:25 -starttls smtp, I get the following:

CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = COMODO SSL Wildcard, CN = *.inmotionhosting.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.inmotionhosting.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.inmotionhosting.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4861 bytes and written 596 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: F532F400F99290364AECE777619E466E7C3C3086D23F77F694AEA7F86DB4A2A7
    Session-ID-ctx:
    Master-Key: BF3551E6A77A02A7AA8F0273B1478D7C17AF6404D176974F55CDC4287671FAC71C7E454224001BE15C57BE6254CE5094
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1455730440
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 HELP
quit

Any ideas why it doesn't like Go's TLS?

Answer 1

Score: 2

If you're certain that the server only accepts insecure cipher suites and can't be updated, Go does have some RC4 ciphers included, but disabled.

The smtp.SendMail convenience function doesn't have a way to change the tls.Config, but it's easy to take the body of that function and use the smtp.Client manually.

You can create a tls.Config with the CipherSuites you want, and pass it to Client.StartTLS:

config := &tls.Config{
	ServerName:   serverName,
	CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA},
}

// c is an smtp.Client
if err = c.StartTLS(config); err != nil {
	return err
}
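
A fuller version of the approach in this answer, as an added example that is not part of the original post: it shows where the smtp.Client and server name come from, keeps certificate verification on, offers the RC4 suite alongside two modern suites, and stops if the server does not advertise STARTTLS. The names legacyTLSConfig and dialStartTLS and the host mail.example.com are hypothetical, and the TLS 1.0 minimum is an assumption based on the TLSv1 session in the question's s_client output.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/smtp"
)

// legacyTLSConfig enables the answer's RC4 suite next to two modern suites.
func legacyTLSConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,       // certificate is still verified against this name
		MinVersion: tls.VersionTLS10, // assumption: the s_client session negotiated TLSv1
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_RSA_WITH_RC4_128_SHA, // insecure; kept only for this legacy host
		},
	}
}

// dialStartTLS connects, upgrades with legacyTLSConfig(host), and returns the
// client plus the negotiated suite name. It never continues in plaintext.
func dialStartTLS(host, port string) (*smtp.Client, string, error) {
	c, err := smtp.Dial(net.JoinHostPort(host, port))
	if err != nil {
		return nil, "", err
	}
	if ok, _ := c.Extension("STARTTLS"); !ok {
		c.Close()
		return nil, "", errors.New("STARTTLS not offered; refusing to continue in plaintext")
	}
	if err = c.StartTLS(legacyTLSConfig(host)); err != nil {
		c.Close()
		return nil, "", fmt.Errorf("starttls: %w", err)
	}
	state, _ := c.TLSConnectionState()
	return c, tls.CipherSuiteName(state.CipherSuite), nil
}

func main() {
	for _, id := range legacyTLSConfig("mail.example.com").CipherSuites {
		fmt.Println(tls.CipherSuiteName(id)) // suites this client will offer
	}
}
```

After a successful call, continue with c.Mail, c.Rcpt and c.Data as smtp.SendMail does, then c.Quit.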

huangapple
  • Posted on 2016-02-18 01:56:54
  • When reposting, please keep the link to this article: https://go.coder-hub.com/35464211.html