divB's questions

divB
Asked: 2024-07-18 06:58:12 +0800 CST

Certificate for multiple DNS names: what else is needed, besides Subject Alternative Names, for it to validate correctly?

  • 5

I created a LetsEncrypt certificate containing two domains, one.example.com and two.example.com (note: I am aware of wildcard certificates, but this question is about multiple names in one certificate).

The certificate has one.example.com as the CN, and one.example.com and two.example.com in the X509v3 Subject Alternative Name extension.

I use the certificate with nginx.

By convention, clients only check whether the CN matches the DNS name, so I expected that as long as one.example.com and two.example.com now point to the same nginx server, I could reach it via both DNS names. But only one.example.com works.

I can reproduce this with openssl:

openssl s_client -showcerts -servername one.example.com -connect 192.168.151.97:443                                                          
Connecting to 192.168.151.97
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E5
verify return:1
depth=0 CN=one.example.com
verify return:1
---
Certificate chain
 0 s:CN=one.example.com
   i:C=US, O=Let's Encrypt, CN=E5
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jul 17 05:27:55 2024 GMT; NotAfter: Oct 15 05:27:54 2024 GMT
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:C=US, O=Let's Encrypt, CN=E5
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=CN=one.example.com
issuer=C=US, O=Let's Encrypt, CN=E5
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2434 bytes and written 410 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---


openssl s_client -showcerts -servername two.example.com -connect 192.168.151.97:443
Connecting to 192.168.151.97
CONNECTED(00000003)
402EB7DC01000000:error:0A000458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:ssl/record/rec_layer_s3.c:907:SSL alert number 112
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 333 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

So as you can see, one.example.com works but two.example.com does not, even though it is listed as a Subject Alternative Name.

Even if I explicitly specify -servername two.example.com, nothing changes.

Why can browsers/openssl not successfully validate two.example.com?

ssl
  • 1 answer
  • 32 Views
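Two things are worth separating in the transcripts above. Alert number 112 is the TLS unrecognized_name alert (RFC 6066), which a server sends during the handshake in reaction to the SNI it received, before it ever sends a certificate; the "no peer certificate available" line confirms that, and the "Verify return code: 0 (ok)" in that run is meaningless because nothing was verified. Name checking proper only starts once a certificate arrives, and at that point a modern client looks at the SAN list, not the CN. The following is an added example, not code from the post: it implements the SAN matching rules a client applies (RFC 6125 style, wildcard only as the whole leftmost label), and reads an s_client transcript to tell "server aborted with an alert" apart from "certificate received". The SAN list and CN are constructed from the names stated in the post, the transcripts are abridged from the posted output, and the function names are this example's own.

```python
"""Hostname-to-certificate matching and a quick reading of an s_client transcript.

Added example; not code from the original post. The SAN list and CN are
constructed from the names stated in the post (the real certificate was not
parsed), the transcripts are abridged from the posted output, and the
function names are this example's own.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed from the post: CN=one.example.com, SAN dNSName entries for both hosts.
CERT_CN = "one.example.com"
CERT_SANS: Tuple[str, ...] = ("one.example.com", "two.example.com")

# Abridged from the post's first (working) transcript.
OK_TRANSCRIPT = """CONNECTED(00000003)
depth=0 CN=one.example.com
verify return:1
---
Server certificate
subject=CN=one.example.com
issuer=C=US, O=Let's Encrypt, CN=E5
---
Verify return code: 0 (ok)
"""

# Abridged from the post's second (failing) transcript.
ALERT_TRANSCRIPT = """CONNECTED(00000003)
402EB7DC01000000:error:0A000458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:ssl/record/rec_layer_s3.c:907:SSL alert number 112
---
no peer certificate available
---
Verify return code: 0 (ok)
"""

# TLS alert descriptions this example knows about (RFC 5246 s7.2, RFC 6066 s8).
ALERT_NAMES = {
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
    70: "protocol_version",
    80: "internal_error",
    112: "unrecognized_name",
}


def _labels(name: str) -> List[str]:
    """Case-fold and drop a trailing dot so 'Two.Example.COM.' equals 'two.example.com'."""
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry (optionally '*.' as the leftmost label) against hostname.

    RFC 6125 s6.4.3 rules as browsers apply them: the wildcard must be the whole
    leftmost label, never matches across a dot, and must leave at least two
    labels after it (so '*.com' never matches anything).
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or not all(p) or not all(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial wildcards such as 'f*.example.com' are rejected
    return p == h


def hostname_matches_cert(hostname: str, sans: Tuple[str, ...], cn: Optional[str] = None) -> bool:
    """True if the certificate is valid for hostname.

    When the certificate carries any dNSName SAN, only the SAN list is consulted
    and the subject CN is ignored. The CN is a legacy fallback for certificates
    with no SAN at all, which current browsers no longer accept.
    """
    try:
        ipaddress.ip_address(hostname)
        return False  # an IP literal must match an iPAddress SAN, never a dNSName
    except ValueError:
        pass
    if sans:
        return any(dns_name_matches(san, hostname) for san in sans)
    return cn is not None and dns_name_matches(cn, hostname)


def explain_s_client(transcript: str) -> Tuple[str, ...]:
    """Say whether an s_client run ever received a certificate to check.

    An 'SSL alert number N' line means the server aborted the handshake itself;
    'Verify return code: 0 (ok)' is then meaningless, since no certificate was
    received and no name check ever ran.
    """
    m = re.search(r"SSL alert number (\d+)", transcript)
    if m:
        code = int(m.group(1))
        return ("server-alert", str(code), ALERT_NAMES.get(code, "unknown"))
    m = re.search(r"^subject=(.+)$", transcript, re.MULTILINE)
    if m:
        return ("certificate-received", m.group(1).strip())
    return ("no-certificate",)


if __name__ == "__main__":
    for host in ("one.example.com", "two.example.com", "three.example.com"):
        print(host, hostname_matches_cert(host, CERT_SANS, CERT_CN))
    print(explain_s_client(OK_TRANSCRIPT))
    print(explain_s_client(ALERT_TRANSCRIPT))
```

Run against the constructed data, two.example.com matches the SAN list, so a client that had received this certificate would accept it; the failing transcript instead ends in a server alert before any certificate is sent, which is a server-side SNI handling question rather than a certificate-validation one.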
divB
Asked: 2024-01-18 05:11:42 +0800 CST

Does adding a second IP as a /32 with a static route cause any unexpected problems?

  • 5

I have a /28 network and want to add one IP (a /32 network). On my Debian machine it looks like:

auto eth0
iface eth0 inet static 
  address 192.0.2.212/28
  gateway 192.0.2.209
iface eth0 inet static
  address 192.0.2.175/32

Then, on the router (192.0.2.209/28), I have a static route: "route 192.0.2.175/32 next-hop 192.0.2.212"

Is there anything wrong with this approach?

networking
  • 1 answer
  • 27 Views
divB
Asked: 2021-08-29 23:36:18 +0800 CST

Routing of public IP networks

  • 6

Given a (public) network 198.51.100.0/24 routed to HostA, I want to route a subnet of it (e.g. 198.51.100.16/28) to HostB. HostA and HostB are connected via some kind of point-to-point link (e.g. VPN or PPP).

What options are there for routing such a network (and what is best practice)? Technically I should not use private IPs (RFC1918), since such IPs should never be mixed with publicly routable IP addresses.

I could split off a /30 network and use it as the point-to-point link between HostA and HostB, and route 198.51.100.16/28 on top of it. But that seems wasteful.

Can I use RFC1918 addresses? Can I use link-local addresses?

Edit: I tried tracert and indeed there are RFC1918 addresses in between (note: I think the first one is my CGNAT, but the others are definitely in the public network):

  [...]
  2    70 ms    70 ms    71 ms  10.8.0.1
  3    78 ms    71 ms    73 ms  D [64.44.32.1]
  4    72 ms    71 ms    71 ms  89-88-12-198.as20278.net [198.12.88.89]
  5    72 ms    74 ms    70 ms  10.8.40.245
  6    71 ms    71 ms    73 ms  10.8.6.33
  7    75 ms    71 ms    73 ms  buf-b1-link.ip.twelve99.net [62.115.59.89]
  8    82 ms     *       81 ms  nyk-bb1-link.ip.twelve99.net [62.115.118.122]
  9   188 ms     *      157 ms  ldn-bb4-link.ip.twelve99.net [62.115.112.245]
 10   364 ms   212 ms   294 ms  prs-bb2-link.ip.twelve99.net [62.115.114.229]
 11   208 ms   297 ms   304 ms  ffm-bb2-link.ip.twelve99.net [62.115.122.139]
 12   282 ms   246 ms   361 ms  win-bb4-link.ip.twelve99.net [62.115.138.23]
 13   303 ms   180 ms   325 ms  win-b2-link.ip.twelve99.net [62.115.114.183]
[...]
networking ip
  • 1 answer
  • 211 Views
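The tracert output above is the kind of evidence this question turns on: which hops carry RFC 1918 addresses, which are CGNAT shared space (100.64.0.0/10, RFC 6598), and which are global. The following is an added example, not code from the post: it parses the posted hop lines with the stdlib ipaddress module and tags each address, and it also carves a point-to-point prefix out of the routed block to quantify the "/30 seems wasteful" objection (a /31, RFC 3021, costs two addresses instead of four and is supported on Linux point-to-point links). The hop lines are copied from the post; the helper names and the classification labels are this example's own.

```python
"""Tag traceroute hops by address class and carve a point-to-point link out of a block.

Added example; not code from the original post. The hop lines are copied from
the tracert output in the post; the address-class rules come from the stdlib
ipaddress module plus the RFC 1918 / RFC 6598 / RFC 3927 ranges, and the
helper names are this example's own.
"""
import ipaddress
import re
from typing import List, Tuple

# Copied from the tracert output in the post (hops 2-8).
TRACE = """  2    70 ms    70 ms    71 ms  10.8.0.1
  3    78 ms    71 ms    73 ms  D [64.44.32.1]
  4    72 ms    71 ms    71 ms  89-88-12-198.as20278.net [198.12.88.89]
  5    72 ms    74 ms    70 ms  10.8.40.245
  6    71 ms    71 ms    73 ms  10.8.6.33
  7    75 ms    71 ms    73 ms  buf-b1-link.ip.twelve99.net [62.115.59.89]
  8    82 ms     *       81 ms  nyk-bb1-link.ip.twelve99.net [62.115.118.122]
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # RFC 3927

# hop number, three RTT columns ('<1 ms', '70 ms' or '*'), then the host/address column
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.+?)\s*$")
# Windows tracert prints either a bare address or 'name [address]'
ADDR_RE = re.compile(r"\[([0-9.]+)\]$|^([0-9.]+)$")


def classify(addr: str) -> str:
    """Label an IPv4 address by the scope that matters for the question above."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT_SHARED:
        return "cgnat-shared"
    if ip in LINK_LOCAL:
        return "link-local"
    return "global" if ip.is_global else "other-special"


def parse_trace(text: str) -> List[Tuple[int, str, str]]:
    """Return (hop, address, class) for every hop line that carries an address."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # timed-out hops and the header line carry no address
        a = ADDR_RE.search(m.group(3).strip())
        if not a:
            continue
        addr = a.group(1) or a.group(2)
        hops.append((int(m.group(1)), addr, classify(addr)))
    return hops


def carve_p2p(block: str, p2p_len: int) -> Tuple[ipaddress.IPv4Network, List[ipaddress.IPv4Network]]:
    """Take the first /p2p_len out of block for the link; return it and what remains routable."""
    net = ipaddress.ip_network(block)
    p2p = next(net.subnets(new_prefix=p2p_len))
    return p2p, list(net.address_exclude(p2p))


if __name__ == "__main__":
    for hop, addr, kind in parse_trace(TRACE):
        print(hop, addr, kind)
    for length in (30, 31):
        link, rest = carve_p2p("198.51.100.0/24", length)
        print(link, "leaves", sum(n.num_addresses for n in rest), "addresses in", [str(n) for n in rest])
```

On the posted trace, hops 2, 5 and 6 are RFC 1918 and the rest are global, matching the observation in the edit. Carving a /31 from the /24 leaves 254 addresses and keeps 198.51.100.16/28 intact as one of the remaining blocks.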
divB
Asked: 2021-08-22 21:12:48 +0800 CST

Packet filter (firewall) for a /29 network

  • 5

My ISP routes a /29 network (8 IP addresses). The first and last are of course the network and broadcast addresses, and the second is assigned by the ISP to the modem. The modem has an Ethernet LAN port carrying the /29 network that I can use. Unfortunately I cannot access or replace the modem; only the ISP has access to it. For this discussion it has to be treated as a black box. My endpoint is the LAN connection of the modem that provides the /29 network.

Of course I can assign the remaining 5 IP addresses to different machines and connect them to the modem via the Ethernet port. That is what I am doing now.

However, I would like to have a packet filter (firewall) in between. Normally a firewall needs two interfaces and two subnets. Technically I could split the /29 into two /30 networks and put the firewall between them.

Another option is to assign all five static IPs to the firewall and do NAT and port forwarding.

A third option is to pass all L2 traffic through my firewall, configure it as a bridge and use basic L2 filtering.

None of these options appeals to me.

Is there a good way to put a firewall in front of my IP network without NAT or L2 filtering?

networking ip
  • 2 answers
  • 66 Views
divB
Asked: 2020-03-30 12:23:17 +0800 CST

Windows 1809 update always fails with 0x80070490

  • 6


It always fails at "Status: Preparing to install - 80%".

I have tried everything I can think of:

DISM.exe /Online /Cleanup-image /Scanhealth
sfc /scannow

Deleting c:\Windows\SoftwareDistribution ( https://community.spiceworks.com/topic/2223969-1809-update-error-at-install-0x80070490?page=1#entry-8486582 ) or "Windows Repair" ( https://www.tweaking.com/content/page/windows_repair_all_in_one.html ).

The WindowsUpdate.log I get from Get-WindowsUpdateLog does not contain anything useful either. The last messages are:

[...]
2020-03-29 16:05:06.3603049 5044  13616 DownloadManager Downloading from http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3b376681-46d3-4369-a7f1-3af38277adc8?P1=1585512870&P2=402&P3=2&P4=aCBW3EDTml8B3XQaaUTnexmcly%2bmH%2byssGFFFtbhnYX8QDW1RHpyPd4Opi2NSoMTypqeNB6%2btIJcpPn8xt0hvw%3d%3d to C:\WINDOWS\SoftwareDistribution\Download\9a7a8eff8aff2a1fe2261d6b7d7a8929\amd64_Microsoft-OneCore-ApplicationModel-Sync-Desktop-FOD-Package_rs4_release.17134.1304.180410-1804.cab (full file).
2020-03-29 16:05:06.3604000 5044  13616 DownloadManager Created download job 251FE845-A47A-400C-B811-5176752184E0; memory stream: No.
2020-03-29 16:05:06.3750224 5044  13616 DownloadManager New download job {251FE845-A47A-400C-B811-5176752184E0} for UpdateId 6EA6D7FF-D374-4148-AED4-0830478A03FC.1
2020-03-29 16:05:06.7986064 5044  13616 DownloadManager Update the URLs for DO Job 251FE845-A47A-400C-B811-5176752184E0 - Update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1
2020-03-29 16:05:07.1322490 5044  13616 DownloadManager Download job 251FE845-A47A-400C-B811-5176752184E0 resumed.
2020-03-29 16:09:14.2221009 5044  5340  DownloadManager DO job {251FE845-A47A-400C-B811-5176752184E0} completed successfully, updateId = 6EA6D7FF-D374-4148-AED4-0830478A03FC.1
2020-03-29 16:09:15.7372836 5044  13616 DownloadManager Queueing update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1 for download handler request generation.
2020-03-29 16:09:15.8376936 5044  7388  DownloadManager Generating download request for update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1.
2020-03-29 16:09:15.9092473 5044  7388  DownloadManager Calling into handler 0xc to generate download request for update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1.
2020-03-29 16:09:15.9389298 5044  6840  Misc            Validating signature for C:\WINDOWS\SoftwareDistribution\Download\9a7a8eff8aff2a1fe2261d6b7d7a8929\DesktopDeployment.cab with dwProvFlags 0x00000080:
2020-03-29 16:09:15.9770877 5044  6840  Misc             Microsoft signed: Yes
2020-03-29 16:09:16.0383498 5044  6840  Handler         Using the update's service stack dll file 'C:\WINDOWS\SoftwareDistribution\Download\9a7a8eff8aff2a1fe2261d6b7d7a8929\Metadata\UpdateAgent.dll' 
2020-03-29 16:09:16.9296167 5044  7388  Handler         UUP GDR: Event Fired: TimeOut
2020-03-29 16:09:16.9296380 5044  7388  DownloadManager GenerateDownloadRequest returned WU_E_OPERATIONINPROGRESS for update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1.
2020-03-29 16:15:45.7517899 5044  6840  DownloadManager Subscribing to GDR Retry due to async handler trigger.
2020-03-29 16:15:46.1669676 5044  7388  DownloadManager Generating download request for update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1.
2020-03-29 16:15:46.2460245 5044  7388  DownloadManager Calling into handler 0xc to generate download request for update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1.
2020-03-29 16:15:46.2460364 5044  7388  Handler         *FAILED* [80070490] UUP GDR: Completed
2020-03-29 16:15:46.2523025 5044  7388  DownloadManager *FAILED* [80070490] GDR
2020-03-29 16:15:46.5577866 5044  7388  DownloadManager *FAILED* [80070490] Error occurred while downloading update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1; notifying dependent calls.
2020-03-29 16:15:46.6679550 5044  13616 DownloadManager * END * Download Call Complete Call 4 for caller UpdateOrchestrator has completed; signaling completion.
2020-03-29 16:15:46.6685862 5044  13616 Agent           Effective power state: AC; IsOnAC: Yes.
2020-03-29 16:15:46.6685996 5044  13616 IdleTimer       WU operation (DL.UpdateOrchestrator, operation # 425) stopped; does use network; is not at background priority
2020-03-29 16:15:46.6686071 5044  13616 Agent           Released network PDC reference for callId {7C31AE7B-B2E8-4E9D-9FAE-E69C5EEB4AA5}; ActivationID: 425
2020-03-29 16:15:46.6689426 5044  5276  ComApi          *RESUMED* Download ClientId = UpdateOrchestrator
2020-03-29 16:15:46.6689474 5044  5276  ComApi          Download call complete (succeeded = 0, succeeded with errors = 0, failed = 1, cancelled = 0, unaccounted = 0)
2020-03-29 16:15:46.6689588 5044  5276  ComApi          ClientId = UpdateOrchestrator: Exit code = 0x00000000; Call error code = 0x80240022
2020-03-29 16:15:46.6689608 5044  5276  ComApi          * END *   Download ClientId = UpdateOrchestrator
2020-03-29 16:15:46.6689667 5044  5276  Agent           WU client calls back to download call {7C31AE7B-B2E8-4E9D-9FAE-E69C5EEB4AA5} with code Call complete and error 0x80070490
2020-03-29 16:15:46.6693800 5044  5796  ComApi          Download call complete (succeeded = 0, succeeded with errors = 0, failed = 1, cancelled = 0, unaccounted = 0)
2020-03-29 16:15:46.6693911 5044  5796  ComApi          * END *   All federated downloads have completed. ClientId = UpdateOrchestrator (cV = Kuodo0a890eUtjBr.3.1)
2020-03-29 16:15:46.6823141 5044  13616 DownloadManager DynamicDownloadDataFetcher Refresh Svc: {8B24B027-1DEE-BABB-9A95-3517DFB9C552}
2020-03-29 16:15:46.6823196 5044  13616 DownloadManager *FAILED* [8024000C] DynamicDownloadDataFetcher Refresh complete

It is so frustrating. Is there any hope of installing the update without reinstalling Windows?

windows-10 windows-update
  • 1 answer
  • 448 Views
divB
Asked: 2020-03-29 22:45:14 +0800 CST

When a Windows 10 update fails, where are the log files to actually debug it?

  • 6

I am struggling with a Win 10 update:

Feature update to Windows 10, version 1809 x64 2020-03B - Error 0x80070490

Google is full of useless articles about random people's experiences but no actual or systematic solutions; I have already done the usual [DISM, sfc]:

  • According to my research, 0x80070490 is related to driver problems, but everything in Device Manager is fine and all devices work as expected (Windows must put more information somewhere than this stupid code)
  • Supposedly there should be log files in C:\$WINDOWS.~BT\Sources\Rollback, but Rollback does not exist; likewise there is no (current) file in C:\Windows\Panther\ and no useful information in the event log

Where does the update actually put its log files?

windows-10 installation
  • 1 answer
  • 1078 Views
divB
Asked: 2020-03-21 16:01:12 +0800 CST

apt pretends a key is not available. That is not true.

  • 5

I deleted /var/lib/apt and /var/cache/apt because I could not get rid of strange problems with apt.

Now I always get:

Get:1 http://security-cdn.debian.org buster/updates InRelease [65.4 kB]
Err:1 http://security-cdn.debian.org buster/updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A
Reading package lists... Done
W: GPG error: http://security-cdn.debian.org buster/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A
E: The repository 'http://security.debian.org buster/updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

This is obviously not true. But fine, delete /etc/apt/trusted.gpg and start over:

# rm /etc/apt/trusted.gpg
# apt-key adv --keyserver pgp.mit.edu --recv-keys AA8E81B4331F7F50
Executing: /tmp/apt-key-gpghome.DwxpIbllfu/gpg.1.sh --keyserver pgp.mit.edu --recv-keys AA8E81B4331F7F50
gpg: key EDA0D2388AE22BA9: public key "Debian Security Archive Automatic Signing Key (9/stretch) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
# apt-key adv --keyserver pgp.mit.edu --recv-keys 112695A0E562B32A
Executing: /tmp/apt-key-gpghome.TFiPCm4ThF/gpg.1.sh --keyserver pgp.mit.edu --recv-keys 112695A0E562B32A
gpg: key 4DFAB270CAA96DFA: public key "Debian Security Archive Automatic Signing Key (10/buster) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
      6ED6 F5CB 5FA6 FB2F 460A  E88E EDA0 D238 8AE2 2BA9
uid           [ unknown] Debian Security Archive Automatic Signing Key (9/stretch) <[email protected]>
sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]

pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      5E61 B217 265D A980 7A23  C5FF 4DFA B270 CAA9 6DFA
uid           [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <[email protected]>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

# apt update
Get:1 http://security-cdn.debian.org buster/updates InRelease [65.4 kB]
Err:1 http://security-cdn.debian.org buster/updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A
Reading package lists... Done
W: GPG error: http://security-cdn.debian.org buster/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A
E: The repository 'http://security.debian.org buster/updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Apt just shows information that is far from reality. It is lying! How is this possible?

PS: I should say that I made a backup of /var/lib/apt and /var/apt/cache before deleting them. When I copied the backup back, nothing changed. So something else seems to be broken.

PPS: I also deleted /etc/apt, /var/lib/apt, /var/cache/apt and reinstalled apt via "dpkg -i apt_1.8.2_amd64.deb". All directories were recreated from scratch, but apt update still fails with the same error!

linux debian
  • 1 answer
  • 541 Views
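One detail in the posted output is easy to miss: the IDs apt complains about (AA8E81B4331F7F50 and 112695A0E562B32A) are not the IDs of the keys gpg imported (EDA0D2388AE22BA9 and 4DFAB270CAA96DFA). apt's NO_PUBKEY names the key that made the signature, which for Debian archive keys is a signing subkey, whereas apt-key list prints the primary key's fingerprint; the keyserver resolved each subkey ID to its primary key, which is why asking for one ID imported another. So, as far as the posted output shows, both keys are in /etc/apt/trusted.gpg. The following is an added example, not code from the post: it parses the three outputs and reports, for each NO_PUBKEY ID, whether its primary key is in the listed keyring. The snippets are abridged from the post (uids shortened); the function names are this example's own.

```python
"""Reconcile apt's NO_PUBKEY complaints with the keys apt-key actually imported.

Added example; not code from the original post. The three snippets are
abridged from the command output in the post (uids shortened); the parsing and
the subkey-to-primary reasoning are this example's own.
"""
import re
from typing import Dict, Set

# Abridged from 'apt update' in the post.
APT_UPDATE = """Err:1 http://security-cdn.debian.org buster/updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A
"""

# Abridged from the two 'apt-key adv --recv-keys' runs in the post.
RECV_KEYS = """Executing: /tmp/apt-key-gpghome.DwxpIbllfu/gpg.1.sh --keyserver pgp.mit.edu --recv-keys AA8E81B4331F7F50
gpg: key EDA0D2388AE22BA9: public key "Debian Security Archive Automatic Signing Key (9/stretch)" imported
Executing: /tmp/apt-key-gpghome.TFiPCm4ThF/gpg.1.sh --keyserver pgp.mit.edu --recv-keys 112695A0E562B32A
gpg: key 4DFAB270CAA96DFA: public key "Debian Security Archive Automatic Signing Key (10/buster)" imported
"""

# Abridged from 'apt-key list' in the post.
APT_KEY_LIST = """pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
      6ED6 F5CB 5FA6 FB2F 460A  E88E EDA0 D238 8AE2 2BA9
sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]

pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      5E61 B217 265D A980 7A23  C5FF 4DFA B270 CAA9 6DFA
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]
"""

# A gpg fingerprint line: ten groups of four hex digits, variable spacing.
FINGERPRINT_RE = re.compile(r"^\s*((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})\s*$", re.MULTILINE)


def missing_key_ids(apt_output: str) -> Set[str]:
    """Long key IDs apt says it lacks: the ID of whichever (sub)key made the signature."""
    return set(re.findall(r"NO_PUBKEY ([0-9A-F]{16})", apt_output))


def recv_key_mapping(gpg_output: str) -> Dict[str, str]:
    """Map each ID passed to --recv-keys to the primary key gpg reported importing.

    When the two differ, the requested ID is a subkey of the imported primary:
    keyservers resolve a subkey ID to the whole key it belongs to.
    """
    mapping: Dict[str, str] = {}
    requested = None
    for line in gpg_output.splitlines():
        m = re.search(r"--recv-keys ([0-9A-F]{16})", line)
        if m:
            requested = m.group(1)
            continue
        m = re.match(r"gpg: key ([0-9A-F]{16}): public key .* imported", line)
        if m and requested:
            mapping[requested] = m.group(1)
            requested = None
    return mapping


def keyring_primary_ids(apt_key_list: str) -> Set[str]:
    """Long IDs of the primary keys listed: the last 16 hex digits of each fingerprint."""
    return {fp.replace(" ", "")[-16:] for fp in FINGERPRINT_RE.findall(apt_key_list)}


def audit(apt_output: str, gpg_output: str, apt_key_list: str) -> Dict[str, str]:
    """For every NO_PUBKEY ID, say whether its primary key appears in the listed keyring."""
    imported = recv_key_mapping(gpg_output)
    present = keyring_primary_ids(apt_key_list)
    verdicts: Dict[str, str] = {}
    for kid in sorted(missing_key_ids(apt_output)):
        primary = imported.get(kid, kid)
        if primary not in present:
            verdicts[kid] = "absent"
        elif primary != kid:
            verdicts[kid] = "present as subkey of " + primary
        else:
            verdicts[kid] = "present"
    return verdicts


if __name__ == "__main__":
    for kid, verdict in audit(APT_UPDATE, RECV_KEYS, APT_KEY_LIST).items():
        print(kid, verdict)
```

When the audit reports every ID as present, the next thing to look at is not the key material but the path apt takes to verify it: `apt-config dump` shows the Dir::Etc::Trusted and Dir::Etc::TrustedParts settings that name the keyrings apt actually reads, and running `gpgv --keyring /etc/apt/trusted.gpg` by hand against the downloaded InRelease file under /var/lib/apt/lists/ checks the signature with the same tool apt uses, which separates a keyring problem from a broken verifier.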
divB
Asked: 2019-10-24 07:45:50 +0800 CST

Where are the Windows icons stored in Win10?

  • 7

It is driving me crazy: where are the ordinary Windows icons stored in Windows 10?

winver.exe used to be a safe bet, but it is no longer there.

I tried the usual candidates (explorer.exe, shell32.dll, ...)

windows-10 windows-explorer
  • 1 answer
  • 97 Views
