排除CommPilot错误"SSL_ERROR_NO_CIPHER_OVERLAP"

下载选项

  • PDF     (360.8 KB)
    在各种设备上使用 Adobe Reader 查看
已更新: 2023 年 1 月 31 日
文档 ID:220174

非歧视性语言

此产品的文档集力求使用非歧视性语言。在本文档集中,非歧视性语言是指不隐含针对年龄、残障、性别、种族身份、族群身份、性取向、社会经济地位和交叉性的歧视的语言。由于产品软件的用户界面中使用的硬编码语言、基于 RFP 文档使用的语言或引用的第三方产品使用的语言,文档中可能无法确保完全使用非歧视性语言。 深入了解思科如何使用包容性语言。

关于此翻译

思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言,希望全球的用户都能通过各自的语言得到支持性的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任,并建议您总是参考英文原始文档(已提供链接)。

    简介

    本文档介绍如何对BroadWorks进行配置和故障排除以避免“SSL_ERROR_NO_CIPHER_OVERLAP”错误。

    先决条件

    要求

    思科建议您了解BroadWorks平台。

    背景信息

    BroadWorks配置

    对于Broadworks版本22及更高版本,协议和密码可通过CLI通过不同配置级别看到的情景进行配置。

    'Interface/Port specific - low level'
    CLI/Interface/Http/HttpServer/SSLSettings/Protocols
    CLI/Interface/Http/HttpServer/SSLSettings/Ciphers

    'All interfaces - mid level'
    CLI/Interface/Http/SSLCommonSettings/Protocols
    CLI/Interface/Http/SSLCommonSettings/Ciphers

    'Generic system level - high level'
    CLI/System/SSLCommonSettings/JSSE/Protocols
    CLI/System/SSLCommonSettings/JSSE/Ciphers

    名为SSLCommonSettings的上下文是指SSL层次结构中不太具体的项,而名为SSLSettings的上下文是指SSL层次结构中比较具体的项。

    功能实验室示例

    配置

    绑定到特定接口和端口且未定义密码的低级配置:

    CLI/Interface/Http/HttpServer/SSLSettings/Protocols> get 172.16.30.146 443
    Protocol Name
    ===============
    TLSv1.1
    TLSv1.2
    TLSv1

    CLI/Interface/Http/HttpServer/SSLSettings/Ciphers> get 172.16.30.146 443
    Cipher Name
    =============

    0 entry found.

    确认

    使用 curl 指令:

    $ curl -v -k https://172.16.30.146
    * About to connect() to 172.16.30.146 port 443 (#0)
    * Trying 172.16.30.146...
    * Connected to 172.16.30.146 (172.16.30.146) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * skipping SSL peer certificate verification
    * SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA256 <-----
    * Server certificate:
    * subject: E=broadworks_tac@cisco.com,CN=*.calo.cisco.com,OU=BroadworksTAC,O=TestIssuer,ST=Veracruz,C=MX
    * start date: Apr 04 20:39:56 2022 GMT
    * expire date: Apr 04 20:39:56 2023 GMT
    * common name: *.calo.cisco.com
    * issuer: CN=Root CA test,OU=BroadworksTAC,O=TestIssuer,L=Tecolutla,ST=Veracruz,C=MX
    > GET / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: 172.16.30.146
    > Accept: */*
    > 
    < HTTP/1.1 302 Found

    在这里,它已成功通过TLSv1.2与密码TLS_RSA_WITH_AES_256_CBC_SHA256连接。

    连接审核

    要验证接受的协议和密码,请执行以下操作:

    $ nmap -sV --script ssl-enum-ciphers -p 443 172.16.30.146

    Starting Nmap 6.40 ( http://nmap.org ) at 2022-05-09 04:26 EDT
    Nmap scan report for r23xsp01.calo.cisco.com (172.16.30.146)
    Host is up (0.00013s latency).
    PORT STATE SERVICE VERSION
    443/tcp open ssl/https?
    | ssl-enum-ciphers: 
    | TLSv1.0: 
    | ciphers: 
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
    | TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
    | TLS_RSA_WITH_AES_128_CBC_SHA - strong
    | TLS_RSA_WITH_AES_256_CBC_SHA - strong
    | TLS_RSA_WITH_RC4_128_SHA - strong
    | compressors: 
    | NULL
    | TLSv1.1: 
    | ciphers: 
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
    | TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
    | TLS_RSA_WITH_AES_128_CBC_SHA - strong
    | TLS_RSA_WITH_AES_256_CBC_SHA - strong
    | TLS_RSA_WITH_RC4_128_SHA - strong
    | compressors: 
    | NULL
    | TLSv1.2: 
    | ciphers: 
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
    | TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
    | TLS_RSA_WITH_AES_128_CBC_SHA - strong
    | TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
    | TLS_RSA_WITH_AES_256_CBC_SHA - strong
    | TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
    | TLS_RSA_WITH_RC4_128_SHA - strong
    | compressors: 
    | NULL
    |_ least strength: strong

    有错误的实验示例

    问题

    观察到错误 — 通过浏览器显示“SSL_ERROR_NO_CIPHER_OVERLAP”。

    # curl -v https://172.16.30.146
    * About to connect() to 172.16.30.146 port 443 (#0) 
    * Trying 172.16.30.146... 
    * Connected to 172.16.30.146 (172.16.30.146) port 443 (#0) 
    * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none 
    * NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP) 
    * Cannot communicate securely with peer: no common encryption algorithm(s). 
    * Closing connection 0 curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

    配置

    使用TLSv1.0密码TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256设置的TLSv1.2协议绑定到特定接口和端口的低级配置:

    CLI/Interface/Http/HttpServer/SSLSettings/Protocols> get 172.16.30.146 443
    Protocol Name
    ===============
    TLSv1.2

    CLI/Interface/Http/SSLCommonSettings/Ciphers> get
    Cipher Name
    ======================================
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256

    确认

    使用 curl 指令:

    $ curl -v -k https://172.16.30.146
    * About to connect() to 172.16.30.146 port 443 (#0)
    * Trying 172.16.30.146...
    * Connected to 172.16.30.146 (172.16.30.146) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
    * Cannot communicate securely with peer: no common encryption algorithm(s).
    * Closing connection 0
    curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

    连接审核

    要验证接受的协议和密码,请执行以下操作:

    $ nmap -sV --script ssl-enum-ciphers -p 443 172.16.30.146

    Starting Nmap 6.40 ( http://nmap.org ) at 2022-05-09 05:31 EDT
    Nmap scan report for r23xsp01.calo.cisco.com (172.16.30.146)
    Host is up (0.000049s latency).
    PORT STATE SERVICE VERSION
    443/tcp open https?
    | ssl-enum-ciphers: 
    |_ TLSv1.2: No supported ciphers found

    从该工具的结果可以发现,TLSv1.2协议可用,但不支持密码。

    分辨率

    删除TLSv1.1密码 CLI/Interface/Http/SSLCommonSettings/Ciphers ,然后再次打开所有TLSv1.2密码(或添加TLSv1.2密码)。

    CLI/Interface/Http/HttpServer/SSLSettings/Protocols> get 172.16.30.146 443
    Protocol Name
    ===============
    TLSv1.2

    CLI/Interface/Http/HttpServer/SSLSettings/Ciphers> get 172.16.30.146 443
    Cipher Name
    =============
    0 entry found.

    CLI/Interface/Http/SSLCommonSettings/Ciphers> get 
    Cipher Name
    =============
    0 entry found.

    分辨率验证

    $ curl -v -k https://172.16.30.146
    * About to connect() to 172.16.30.146 port 443 (#0)
    * Trying 172.16.30.146...
    * Connected to 172.16.30.146 (172.16.30.146) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * skipping SSL peer certificate verification
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 <-----
    * Server certificate:
    * subject: E=broadworks_tac@cisco.com,CN=*.calo.cisco.com,OU=BroadworksTAC,O=TestIssuer,ST=Veracruz,C=MX
    * start date: Apr 04 20:39:56 2022 GMT
    * expire date: Apr 04 20:39:56 2023 GMT
    * common name: *.calo.cisco.com
    * issuer: CN=Root CA test,OU=BroadworksTAC,O=TestIssuer,L=Tecolutla,ST=Veracruz,C=MX
    > GET / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: 172.16.30.146
    > Accept: */*
    > 
    < HTTP/1.1 302 Found
    $ nmap -sV --script ssl-enum-ciphers -p 443 172.16.30.146

    Starting Nmap 6.40 ( http://nmap.org ) at 2022-05-09 05:44 EDT
    Nmap scan report for r23xsp01.calo.cisco.com (172.16.30.146)
    Host is up (0.000063s latency).
    PORT STATE SERVICE VERSION
    443/tcp open https?
    | ssl-enum-ciphers: 
    | TLSv1.2: 
    | ciphers: 
    | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
    | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
    | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong

    修订历史记录

    版本 发布日期 备注
    1.0
    31-Jan-2023
    初始版本
    TAC Authored

    由思科工程师提供

    • Paul Sanderson
      思科TAC工程师

    此文档是否有帮助?

    Feedback反馈

    联系我们

    本文档适用于以下产品