我无法通过HTTPS访问我的Synology DSM918(NAS),它位于具有公共静态IPv4地址并指向它的域的路由器后面。 network topology在图片中。
问题是,每当我尝试从连接到无线网桥的计算机(PC2)访问NAS时,一切都会按预期进行。但是,当我尝试从计算机(直接连接到路由器的PC1_)访问NAS时,无法使用域名访问它(只能通过本地IP地址连接)。
我试图调查此问题,发现以下内容:
curl https://<domain-name> -v
* Rebuilt URL to: https://<domain-name>
* Trying <ipv4-address>...
* TCP_NODELAY set
* Connected to <domain-name> (<ipv4-address>) port <port> (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <domain-name>:<port>
* stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <domain-name>:<port>
openssl s_client -connect <domain-name>:<port> -msg -showcerts
CONNECTED(00000005)
>>> TLS 1.2 Handshake [length 00c3], ClientHello
...
<<< TLS 1.2 Handshake [length 0059], ServerHello
...
<<< TLS 1.2 Handshake [length 09fc], Certificate
...
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = <domain-name>
verify return:1
<<< TLS 1.2 Handshake [length 014d], ServerKeyExchange
...
>>> TLS 1.2 Handshake [length 0046], ClientKeyExchange
...
>>> TLS 1.2 ChangeCipherSpec [length 0001]
01
>>> TLS 1.2 Handshake [length 0010], Finished
14 00 00 0c 18 f1 a3 91 fe 6d 91 a2 86 62 fd 81
4711933548:error:1401E0E5:SSL routines:CONNECT_CR_FINISHED:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:585:
---
...
...
...
---
SSL handshake has read 3002 bytes and written 126 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: ACCB7A7AACFD5A838382B467FBFE26766E0D6147CAAE3A51FEE5A7B39BD84004
Session-ID-ctx:
Master-Key: 015E73F4347EF4954DA9FE58F5F34D73A662EDDEE9F7B4F8650977756EE2778DFB80F0C22ABF608B8CE55721578A9CA4
Start Time: 1577712963
Timeout : 7200 (sec)
Verify return code: 0 (ok)
有人可以帮助我,并指出正确的方向吗?在我看来,路由器似乎在某种程度上扭曲了SSL握手。
非常感谢!
我怀疑Synology的TLS存在一般性问题。我无法在同一邮件服务器(Mail Plus,端口587)上通过TLS从Acronis发送邮件。我什至尝试配置“旧的TLS兼容性”,但没有用。我不得不在端口25上坚持使用未加密的邮件。
除此之外:似乎也未始终正确设置对相关目录的访问权限。在过去的几天中,我对Git服务器进行了设置,并且必须仔细阅读各种说明和文章,直到获得正确的配置。