What is wrong with the TLS handshake below?

Question (votes: 0, answers: 1)

In a VPN environment, connecting to
app.zeplin.io:443
fails with a connection error. In the same VPN environment, connecting to
github.com:443
stackoverflow.com:443
both works fine. My background knowledge of the TLS handshake is a bit lacking, so I am asking this.

Question)

  • Why does connecting to
    app.zeplin.io:443
    fail, as shown below?

Question) Failure in the VPN environment

  • I assume the TLS handshake has a problem in the VPN environment.
curl -iv https://app.zeplin.io
*   Trying 75.2.40.227:443...
* Connected to app.zeplin.io (75.2.40.227) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* Recv failure: Connection reset by peer    >>>>>>> issue message print
* LibreSSL SSL_connect: Connection reset by peer in connection to app.zeplin.io:443
* Closing connection 0
curl: (35) Recv failure: Connection reset by peer

Check 1) In the VPN environment,
openssl
works

  • Connecting with the openssl command in the VPN environment works.
openssl s_client  app.zeplin.io:443
CONNECTED(00000006)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M01
verify return:1
depth=0 CN = zeplin.io
verify return:1
write:errno=54
---
Certificate chain
 0 s:CN = zeplin.io
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M01
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 29 00:00:00 2023 GMT; NotAfter: Jun 26 23:59:59 2024 GMT
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M01
   i:C = US, O = Amazon, CN = Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:21:28 2022 GMT; NotAfter: Aug 23 22:21:28 2030 GMT
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
---
Server certificate
subject=CN = zeplin.io
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M01
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5403 bytes and written 441 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 9281DEE6853902F9C8A7828D88BE81C7BA672049832B5F9ECBCDAD26180C54F6
    Session-ID-ctx:
    Master-Key: D39326ED25FA57D0740B43444E8EB19C4C4C3C8A10AFEBC4062D4BF1600A4B9FC0D7272709D1A0AA14417F4B8DF2A129
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1692336863
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

Check 2) Does it work without the VPN?

  • Without the VPN, the TLS handshake works.
curl -iv https://app.zeplin.io
*   Trying 75.2.40.227:443...
* Connected to app.zeplin.io (75.2.40.227) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): >>>>>>>> The segment is not found in the vpn environment
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=zeplin.io
*  start date: May 29 00:00:00 2023 GMT
*  expire date: Jun 26 23:59:59 2024 GMT
*  subjectAltName: host "app.zeplin.io" matched cert's "*.zeplin.io"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
*  SSL certificate verify ok.
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: app.zeplin.io]
* h2 [:path: /]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x11f00a800)
> GET / HTTP/2
> Host: app.zeplin.io
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/2 302
HTTP/2 302
.... response body .....
Tags: ssl, https, handshake, ssl-handshake

1 answer

0 votes

> Connecting with the openssl command in the VPN environment works.

No, it does not.

openssl
shows the same problem as
curl
, only with
openssl
it is less obvious:

openssl s_client  app.zeplin.io:443
CONNECTED(00000006)
...
write:errno=54
...
 0 s:CN = zeplin.io

The
write:errno=54
from
openssl s_client
is the same as the
Connection reset by peer
from
curl
.

This shows that the error happens after the TLS handshake has essentially been established. Since it works without the VPN, the problem is probably that the VPN provider blocks access using deep packet inspection, or that the server or some firewall in front of it blocks access because it detects the VPN. There is nothing you can do about this in your client code.
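To make the "where in the handshake did it break" reading reproducible, here is an added example (not code from the question or the answer) that parses curl -v handshake lines and reports the last message seen in each direction plus a coarse failure stage. The two traces are constructed from the output in the question; the stage names and the analyse() function are my own naming.

```python
import re

# Constructed sample traces, condensed from the curl -iv output in the question:
# the VPN run stops after the client's Finished, the non-VPN run completes.
VPN_TRACE = """\
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* Recv failure: Connection reset by peer
"""
OK_TRACE = VPN_TRACE.replace("* Recv failure: Connection reset by peer\n", """\
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
""")

# One curl handshake line: direction, record kind, message name, message type.
# Note: handshake type 14 is ServerHelloDone, which curl prints as "Server finished".
MSG_RE = re.compile(
    r"^\* (?:\(\d+\)|TLSv1\.\d) \((IN|OUT)\), TLS (handshake|change cipher), (.+?) \((\d+)\):")


def analyse(trace: str) -> dict:
    """Return the last message in each direction and a coarse failure stage."""
    sent, received = [], []
    reset = established = False
    for line in trace.splitlines():
        m = MSG_RE.match(line)
        if m:
            direction, kind, name, _ = m.groups()
            (received if direction == "IN" else sent).append(f"{kind}:{name}")
        elif "Connection reset by peer" in line:
            reset = True
        elif line.startswith("* SSL connection using"):
            established = True
    if established:
        stage = "established"
    elif not reset:
        stage = "unknown"
    elif "handshake:Server hello" not in received:
        stage = "reset_before_server_hello"     # ClientHello (SNI/ALPN) never answered
    elif "handshake:Finished" in sent and "handshake:Finished" not in received:
        stage = "reset_after_client_finished"   # server CCS/Finished never arrived
    else:
        stage = "reset_mid_handshake"
    return {"stage": stage, "last_sent": sent[-1] if sent else None,
            "last_received": received[-1] if received else None}


if __name__ == "__main__":
    for label, trace in (("VPN", VPN_TRACE), ("no VPN", OK_TRACE)):
        print(label, analyse(trace))
```

A reset before ServerHello points at ClientHello filtering (for example on the SNI), whereas a reset only after the client's Finished, as in the question, means the peer or a middlebox accepted everything up to the last handshake flight.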
