A connection error to app.zeplin.io:443 occurs in the VPN environment. In the same VPN environment, access to github.com:443 or stackoverflow.com:443 works normally. I am somewhat lacking in knowledge about the TLS handshake, so I am asking this way.
Question)
- Why does access to app.zeplin.io:443 fail as shown below?
Problem) the VPN environment is abnormal
- It is assumed that there is a problem with the TLS handshake in the VPN environment.
curl -iv https://app.zeplin.io
* Trying 75.2.40.227:443...
* Connected to app.zeplin.io (75.2.40.227) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* Recv failure: Connection reset by peer >>>>>>> issue message print
* LibreSSL SSL_connect: Connection reset by peer in connection to app.zeplin.io:443
* Closing connection 0
curl: (35) Recv failure: Connection reset by peer
check1) openssl in the VPN environment is abnormal
- Connecting from the VPN environment with the openssl command is abnormal
openssl s_client app.zeplin.io:443
CONNECTED(00000006)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M01
verify return:1
depth=0 CN = zeplin.io
verify return:1
write:errno=54 >>>>> !!!!! issue !!!!!
---
Certificate chain
0 s:CN = zeplin.io
i:C = US, O = Amazon, CN = Amazon RSA 2048 M01
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 29 00:00:00 2023 GMT; NotAfter: Jun 26 23:59:59 2024 GMT
1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M01
i:C = US, O = Amazon, CN = Amazon Root CA 1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 23 22:21:28 2022 GMT; NotAfter: Aug 23 22:21:28 2030 GMT
2 s:C = US, O = Amazon, CN = Amazon Root CA 1
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...(skip)....
-----END CERTIFICATE-----
subject=CN = zeplin.io
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M01
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5403 bytes and written 441 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: ....(skip)....
Session-ID-ctx:
Master-Key: ....(skip).....
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1692336863
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
check2) the non-VPN environment is normal
- In the non-VPN environment, the TLS handshake is normal
curl -iv https://app.zeplin.io
* Trying 75.2.40.227:443...
* Connected to app.zeplin.io (75.2.40.227) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): >>>>>>>> this segment does not appear in the VPN environment
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: CN=zeplin.io
* start date: May 29 00:00:00 2023 GMT
* expire date: Jun 26 23:59:59 2024 GMT
* subjectAltName: host "app.zeplin.io" matched cert's "*.zeplin.io"
* issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
* SSL certificate verify ok.
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: app.zeplin.io]
* h2 [:path: /]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x11f00a800)
> GET / HTTP/2
> Host: app.zeplin.io
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/2 302
HTTP/2 302
.... response body .....
No, it isn't. openssl and curl show the same problem. It is less obvious with openssl though: the write:errno=54 in openssl s_client is the same as Connection reset by peer in curl. This shows that the error occurs after the TLS handshake has already been established. Since it works without VPN, the problem might be that the VPN provider is blocking access using deep packet inspection, or that the server or some firewall in front of it is blocking access because it detected a VPN. There is nothing you can do about this from your client code.
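The answer's point is that curl's "Connection reset by peer" and openssl's write:errno=54 name the same event (a TCP RST from the peer or a middlebox), and that what matters is where in the exchange the reset lands. As an added example that is not part of the question or the answer, the following Python probe separates a failure into TCP connect, TLS handshake and first application-data exchange, and reports the symbolic errno: 54 is ECONNRESET on macOS/BSD, where the LibreSSL trace above was taken, while the same condition is 104 on Linux, so the symbolic name is the portable thing to compare. The host, port, HTTP request and the local RST-sending server fixture are assumptions made for this demo.

```python
"""Stage-by-stage TLS connection probe (added example, not code from the page).

Reports whether a connection died at TCP connect, during the TLS handshake,
or on the first application data, and which errno it died with.
"""
import errno
import socket
import ssl
import struct
import threading


def errno_name(code):
    """Map a numeric errno to its symbolic name, e.g. 54 (macOS) and
    104 (Linux) both come back as 'ECONNRESET' on their own platform."""
    if code is None:
        return None
    return errno.errorcode.get(code, str(code))


def _fail(result, stage, exc):
    """Record the failing stage and a platform-independent error label."""
    result["ok"] = False
    result["failed_stage"] = stage
    if isinstance(exc, ssl.SSLError):
        # OpenSSL-level failure (alert, protocol violation): .reason has the detail
        result["error"] = exc.reason or exc.__class__.__name__
    else:
        # Plain socket failure: ECONNRESET, ECONNREFUSED, ETIMEDOUT, ...
        result["error"] = errno_name(getattr(exc, "errno", None)) or exc.__class__.__name__
    result["message"] = str(exc)
    return result


def probe_tls(host, port=443, timeout=5.0, context=None, request=None):
    """Connect, handshake, send one HTTP request and read the first line.

    failed_stage is None, 'tcp_connect', 'tls_handshake' or 'application_data'.
    """
    ctx = context or ssl.create_default_context()
    if request is None:  # assumed request for the demo
        request = b"GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host.encode()
    result = {"ok": True, "failed_stage": None, "error": None, "message": None,
              "protocol": None, "cipher": None, "first_line": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return _fail(result, "tcp_connect", exc)
    try:
        try:
            # wrap_socket takes over the fd; the handshake is run explicitly so
            # a reset here is attributed to the handshake, not to connect()
            sock = ctx.wrap_socket(sock, server_hostname=host, do_handshake_on_connect=False)
            sock.do_handshake()
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            return _fail(result, "tls_handshake", exc)
        result["protocol"] = sock.version()
        result["cipher"] = sock.cipher()[0]
        try:
            sock.sendall(request)
            data = sock.recv(4096)
            result["first_line"] = data.split(b"\r\n", 1)[0].decode("latin-1")
        except OSError as exc:
            return _fail(result, "application_data", exc)
    finally:
        sock.close()
    return result


def insecure_context():
    """Context for talking to a local fixture that has no certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def start_resetting_server(host="127.0.0.1"):
    """Constructed fixture: accept one connection, read the ClientHello, then
    abort with a RST (SO_LINGER on, timeout 0) instead of answering.
    Returns the listening port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, 0))
    listener.listen(1)

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(5)
        try:
            conn.recv(4096)  # swallow the ClientHello
        except OSError:
            pass
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()       # close() now sends RST rather than FIN
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "app.zeplin.io"
    print(json.dumps(probe_tls(target), indent=2))
```

Run it from inside and outside the VPN and compare failed_stage and error. A reset reported only for this hostname, only inside the VPN, and consistently at the same stage, is the pattern the answer describes for a middlebox acting on the connection; a failure at tcp_connect instead would point at plain IP filtering, and one at application_data at something that lets the handshake complete and then cuts the session.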