主页 / coding / 问题 / 76926760
Accepted
jihoon yoo
Asked: 2023-08-18 13:55:31 +0800 CST

下面的 tls 握手,有什么问题吗?

  • 772

app.zeplin.io:443VPN 环境中发生连接错误。在同一个vpn环境下,访问github.com:443或者stackoverflow.com:443是正常的。我对tls握手的背景知识有点缺乏,所以我这样问。

问题)

  • 为什么访问app.zeplin.io:443失败如下图。

issues) vpn环境异常

  • 假设vpn环境下tls握手有问题。
curl -iv https://app.zeplin.io
*   Trying 75.2.40.227:443...
* Connected to app.zeplin.io (75.2.40.227) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* Recv failure: Connection reset by peer    >>>>>>> issue message print
* LibreSSL SSL_connect: Connection reset by peer in connection to app.zeplin.io:443
* Closing connection 0
curl: (35) Recv failure: Connection reset by peer

检查1)VPN环境openssl异常

  • 通过openssl命令连接vpn环境异常
openssl s_client  app.zeplin.io:443
CONNECTED(00000006)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M01
verify return:1
depth=0 CN = zeplin.io
verify return:1
write:errno=54   >>>>> !!!!! issue !!!!!
---
Certificate chain
 0 s:CN = zeplin.io
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M01
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 29 00:00:00 2023 GMT; NotAfter: Jun 26 23:59:59 2024 GMT
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M01
   i:C = US, O = Amazon, CN = Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:21:28 2022 GMT; NotAfter: Aug 23 22:21:28 2030 GMT
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...(skip)....
-----END CERTIFICATE-----
subject=CN = zeplin.io
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M01
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5403 bytes and written 441 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: ....(skip)....
    Session-ID-ctx:
    Master-Key: ....(skip).....
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1692336863
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

check2) 非vpn环境是否正常

  • 非vpn环境,tls握手正常
curl -iv https://app.zeplin.io
*   Trying 75.2.40.227:443...
* Connected to app.zeplin.io (75.2.40.227) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): >>>>>>>> The segment is not found in the vpn environment
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=zeplin.io
*  start date: May 29 00:00:00 2023 GMT
*  expire date: Jun 26 23:59:59 2024 GMT
*  subjectAltName: host "app.zeplin.io" matched cert's "*.zeplin.io"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
*  SSL certificate verify ok.
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: app.zeplin.io]
* h2 [:path: /]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x11f00a800)
> GET / HTTP/2
> Host: app.zeplin.io
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/2 302
HTTP/2 302
.... response body .....
ssl

1 个回答

  1. Best Answer

    通过openssl命令连接vpn环境正常

    不,这不对。opensslcurl显示同样的问题。但它不太明显openssl

    openssl s_client  app.zeplin.io:443
CONNECTED(00000006)
...
write:errno=54
...
 0 s:CN = zeplin.io

    in与write:errno=54inopenssl s_client相同。Connection reset by peercurl

    它表明此错误发生在 TLS 握手已基本建立之后。由于它无需 VPN 即可工作,问题可能是 VPN 提供商使用深度数据包检查阻止访问,或者服务器或其前面的某些防火墙由于检测到 VPN 而阻止访问。您无法通过客户端代码对此执行任何操作。

    • 0

相关问题