请教一下关于 Redhat 8.5 系统上 tls 握手失败的问题，非常感谢！

请教各位大佬一个关于 linux ，建立 ssl 连接失败，应该如何分析问题？

今天在一个 RedHat 8.5 机器上部署 Zabbix 服务，发现从这台服务器上建立于任何位置的 ssl 连接都会失败。

下面是完整的分析记录，非常感谢任何评论！！！

环境 1 ，自己电脑 Macbook pro

MacOS 14.5 (23F79) openssl version OpenSSL 1.1.1u 30 May 2023 

环境 2 ，服务器

$ cat /proc/version Linux version 4.18.0-553.22.1.el8_10.x86_64 ([email protected]) (gcc version 8.5.0 20210514 (Red Hat 8.5. 0-22) (GCC)) #1 SMP Wed Sep 25 09:20:43 UTC 2024 $ openssl version OpenSSL 1.1.1k FIPS 25 Mar 2021 

今天想在服务器上部署一下 Zabbix 的，

wget https://cdn.zabbix.com/zabbix/sources/oldstable/6.4/zabbix-6.4.21.tar.gz --2025-07-11 11:42:31-- https://cdn.zabbix.com/zabbix/sources/oldstable/6.4/zabbix-6.4.21.tar.gz Resolving cdn.zabbix.com (cdn.zabbix.com)... 104.26.6.148, 172.67.69.4, 104.26.7.148, ... Connecting to cdn.zabbix.com (cdn.zabbix.com)|104.26.6.148|:443... connected. GnuTLS: Error in the pull function. Unable to establish SSL connection. 

尝试一：

curl -vI https://cdn.zabbix.com * Rebuilt URL to: https://cdn.zabbix.com/ * Trying 104.26.6.148... * TCP_NODELAY set * Connected to cdn.zabbix.com (104.26.6.148) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * TLSv1.3 (OUT), TLS handshake, Client hello (1): * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to cdn.zabbix.com:443 * Closing connection 0 curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to cdn.zabbix.com:443 

• 可以发现是<font style="background-color:#FCE75A;">建立 SSL 连接时发生错误</font>。
• 同时尝试了 curl -k 或 wget --no-check-certificate 虽然跳过验证证书，但还是会进行 ssl 握手；因此就算加了这两个参数，还报错，更加证明是 ssl 握手时的问题。

尝试二：

telnet www.zabbix.com 443 Trying 172.67.69.4... Connected to www.zabbix.com. Escape character is '^]'. 

• telnet 域名+端口可以通，说明 DNS 解析 ok ，传输层可以通。<font style="background-color:#FCE75A;">定位问题在应用层</font>。
• telnet 测试过程中，出现这个网站过一会儿通，过一会儿不通，分析是该网站服务器做了对应限制。后面就用其他随便找了个网站测试 wget ，curl 等，ssl 握手是否顺利。<font style="background-color:#FCE75A;">发现这个服务器上对任意网站 ssl 握手都失败。</font>

尝试三：

排除 TLS 版本，关闭本地防火墙和确保没走其他代理都还是 ssl 握手失败。

curl --tlsv1.2 --tls-max 1.2 -k -o abc.png \ "https://pica.zhimg.com/v2-9f0c86ebbec2f298401a22d272d3d066_r.jpg" 

curl -k -v --noproxy "*" "https://ts3.tc.mm.bing.net/th/id/OIP-C.q2noN_8X9FnzTGtqe_ZNbwHaDH?w=474&h=199&c=7&bgcl=fffffe&r=0&o=6&pid=23.1" -o aaaa.png 解释： - `--noproxy "*"`：告诉 curl 忽略任何代理设置，直接连接。 - `-k`：忽略 SSL 证书错误。 - `-v`：详细输出，方便调试。 [5 bytes data] * TLSv1.3 (OUT), TLS handshake, Client hello (1): } [512 bytes data] * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ts3.tc.mm.bing.net:443 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 

尝试四：详细检查 SSL 握手日志

$ curl -vvv -k -o /dev/null https://pica.zhimg.com/v2-9f0c86ebbec2f298401a22d272d3d066_r.jpg % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 115.238.220.41... * TCP_NODELAY set * Connected to pica.zhimg.com (115.238.220.41) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none } [5 bytes data] * TLSv1.3 (OUT), TLS handshake, Client hello (1): } [512 bytes data] * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to pica.zhimg.com:443 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 * Closing connection 0 curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to pica.zhimg.com:443 

• 在发送 Client Hello 后立即收到SSL_ERROR_SYSCALL错误，且没有收到任何来自服务器的响应数据（读取 0 字节）。
• 能到这里说明 TCP 已经三次握手建立了。
• <font style="background-color:#FBDE28;">为什么自己电脑上，就能正常收到 sever hello ， 服务器就不行，看一下这俩主机发的 client hello 包有什么不同？</font>

正确建立连接大概是下面这个样： * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS handshake, CERT verify (15): * TLSv1.3 (IN), TLS handshake, Finished (20): 

尝试五：使用 OpenSSL 直接测试 TLS 握手

• 自己电脑正确 TLS 握手 对比 服务器握手失败的输出；

服务器握手失败：值得注意的是失败输出是非常快的，回车结束后马上输出如下结果。

$ openssl s_client -connect pica.zhimg.com:443 -servername pica.zhimg.com -showcerts --debug CONNECTED(00000003) write to 0x559b289f6af0 [0x559b28a0d210] (312 bytes => 312 (0x138)) 0000 - 16 03 01 01 33 01 00 01-2f 03 03 bd 80 dc f1 e5 ....3.../....... 0010 - 38 4d 73 73 d0 dd f9 48-7f 39 06 e6 5a 53 78 2c 8Mss...H.9..ZSx, 0020 - 31 e2 97 8d f3 ed 2b 57-c4 95 15 20 15 25 ef 66 1.....+W... .%.f 0030 - 2d 2b 91 a9 02 4e 04 d5-24 54 e8 78 99 ad 16 73 -+...N..$T.x...s 0040 - 87 b7 a0 c5 d7 a4 a1 4a-40 fb 21 31 00 48 13 02 .......J@.!1.H.. 0050 - 13 03 13 01 13 04 c0 2c-c0 30 cc a9 cc a8 c0 ad .......,.0...... 0060 - c0 2b c0 2f c0 ac c0 23-c0 27 c0 0a c0 14 c0 09 .+./...#.'...... 0070 - c0 13 00 9d c0 9d 00 9c-c0 9c 00 3d 00 3c 00 35 ...........=.<.5 0080 - 00 2f 00 9f cc aa c0 9f-00 9e c0 9e 00 6b 00 67 ./...........k.g 0090 - 00 39 00 33 00 ff 01 00-00 9e 00 00 00 13 00 11 .9.3............ 00a0 - 00 00 0e 70 69 63 61 2e-7a 68 69 6d 67 2e 63 6f ...pica.zhimg.co 00b0 - 6d 00 0b 00 04 03 00 01-02 00 0a 00 0c 00 0a 00 m............... 00c0 - 1d 00 17 00 1e 00 19 00-18 00 23 00 00 00 16 00 ..........#..... 00d0 - 00 00 17 00 00 00 0d 00-26 00 24 04 03 05 03 06 ........&.$..... 00e0 - 03 08 07 08 08 08 09 08-04 08 0a 08 05 08 0b 08 ................ 00f0 - 06 04 01 05 01 06 01 03-03 03 01 02 03 02 01 00 ................ 0100 - 2b 00 05 04 03 04 03 03-00 2d 00 02 01 01 00 33 +........-.....3 0110 - 00 26 00 24 00 1d 00 20-98 66 ba cf 81 51 e1 af .&.$... .f...Q.. 0120 - ee 4e 72 76 c0 f6 29 8e-47 d9 2a d6 79 8c 4d df .Nrv..).G.*.y.M. 0130 - 9c c4 57 2c 57 48 06 22- ..W,WH." read from 0x559b289f6af0 [0x559b28a03ff3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF)) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 312 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- read from 0x559b289f6af0 [0x559b2891ce00] (8192 bytes => 0 (0x0)) 

自己电脑正确 TLS 握手：为了和上面对比此处输出只截取 client hello 包

~ openssl s_client -connect pica.zhimg.com:443 -servername pica.zhimg.com -showcerts --debug CONNECTED(00000005) write to 0x600003c9c100 [0x7f8042018a00] (316 bytes => 316 (0x13C)) 0000 - 16 03 01 01 37 01 00 01-33 03 03 7e f2 c8 f2 fc ....7...3..~.... 0010 - 41 7 63 fc 52 d6 66 6d-34 63 60 73 1c 86 ee ac A.c.R.fm4c`s.... 0020 - b3 01 b4 7a 04 11 17 c4-18 46 0d 20 e7 af 8c 4d ...z.....F. ...M 0030 - 8d 25 6a 04 ed c8 51 22-27 1b 3a 67 d6 43 4c b8 .%j...Q"'.:g.CL. 0040 - 59 a5 60 69 7f ab a1 15-09 75 ac 42 00 3e 13 02 Y.`i.....u.B.>.. 0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa .....,.0........ 0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27 .+./...$.(.k.#.' 0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d .g.....9.....3.. 0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 ac ...=.<.5./...... 0090 - 00 00 00 13 00 11 00 00-0e 70 69 63 61 2e 7a 68 .........pica.zh 00a0 - 69 6d 67 2e 63 6f 6d 00-0b 00 04 03 00 01 02 00 img.com......... 00b0 - 0a 00 0c 00 0a 00 1d 00-17 00 1e 00 19 00 18 00 ................ 00c0 - 23 00 00 00 16 00 00 00-17 00 00 00 0d 00 30 00 #.............0. 00d0 - 2e 04 03 05 03 06 03 08-07 08 08 08 09 08 0a 08 ................ 00e0 - 0b 08 04 08 05 08 06 04-01 05 01 06 01 03 03 02 ................ 00f0 - 03 03 01 02 01 03 02 02-02 04 02 05 02 06 02 00 ................ 0100 - 2b 00 09 08 03 04 03 03-03 02 03 01 00 2d 00 02 +............-.. 0110 - 01 01 00 33 00 26 00 24-00 1d 00 20 d9 f7 d0 45 ...3.&.$... ...E 0120 - 47 da f2 7e 5b f7 70 25-62 ff 10 71 7a 3e 0a ee G..~[.p%b..qz>.. 0130 - 3f e2 0a d0 32 11 ec 60-82 53 75 12 ?...2..`.Su. read from 0x600003c9c100 [0x7f804200f603] (5 bytes => 5 (0x5)) 

对上输出的报文分析，client hello 包两个看上去都并没有什么问题，请教，还可以从哪些角度分析。