https_tls_ssl

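I recently got a Huawei Cloud VPS and wanted to put up a simple website, so I registered a domain and got an HTTPS certificate.

After a lot of fiddling, it turned out the site could not be reached at all.

The actual cause was that the site had no ICP filing (备案); my certificate configuration was fine.

Troubleshooting

Locating the problem with curl

Running curl -v url directly shows the handshake in detail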

./curl https://gitlab.shakudada.xyz -v
* STATE: INIT => CONNECT handle 0x1a23898; line 1491 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x1a23898; line 1532 (connection #0)
* Trying 139.9.222.124:443...
* TCP_NODELAY set
* STATE: WAITRESOLVE => WAITCONNECT handle 0x1a23898; line 1611 (connection #0)
* Connected to gitlab.shakudada.xyz (139.9.222.124) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x1a23898; line 1667 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x1a23898; line 1682 (connection #0)
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Marked for [closure]: Failed HTTPS connection
* multi_done
* Closing connection 0
* The cache now contains 0 members
* Expire cleared (transfer 0x1a23898)
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
dinosaur@dinosaur-X550VXK:~/curl/mycurl/bin$

It failed right after the Client Hello, so I went straight to tcpdump to look at the packet data

tcpdump -i wlp3s0  host 139.9.222.124 and  port 443 -A -X

139.9.222.124 is my IP that has no ICP filing

Below is the capture, with the initial TCP three-way handshake removed

22:22:23.280367 IP 192.168.1.106.33170 > 139.9.222.124.https: Flags [P.], seq 1:518, ack 1, win 229, options [nop,nop,TS val 434651673 ecr 3365805465], length 517
0x0000: 4500 0239 15ab 4000 4006 f77b c0a8 016a E..9..@.@..{...j
0x0010: 8b09 de7c 8192 01bb f6ab 981d 4d9a ceb8 ...|........M...
0x0020: 8018 00e5 22f2 0000 0101 080a 19e8 4219 ....".........B.
0x0030: c89e 1d99 1603 0102 0001 0001 fc03 0304 ................
0x0040: 6e2a ea14 6844 e2e1 db8c 1ee3 3582 e33f n*..hD......5..?
0x0050: 9128 2ad2 cd1c bac2 1e70 dd4f 6587 d700 .(*......p.Oe...
0x0060: 009e c030 c02c c028 c024 c014 c00a 00a5 ...0.,.(.$......
0x0070: 00a3 00a1 009f 006b 006a 0069 0068 0039 .......k.j.i.h.9
0x0080: 0038 0037 0036 0088 0087 0086 0085 c032 .8.7.6.........2
0x0090: c02e c02a c026 c00f c005 009d 003d 0035 ...*.&.......=.5
0x00a0: 0084 c02f c02b c027 c023 c013 c009 00a4 .../.+.'.#......
0x00b0: 00a2 00a0 009e 0067 0040 003f 003e 0033 .......g.@.?.>.3
0x00c0: 0032 0031 0030 009a 0099 0098 0097 0045 .2.1.0.........E
0x00d0: 0044 0043 0042 c031 c02d c029 c025 c00e .D.C.B.1.-.).%..
0x00e0: c004 009c 003c 002f 0096 0041 c012 c008 .....<./...A....
0x00f0: 0016 0013 0010 000d c00d c003 000a 00ff ................
0x0100: 0100 0135 0000 0019 0017 0000 1467 6974 ...5.........git
0x0110: 6c61 622e 7368 616b 7564 6164 612e 7879 lab.shakudada.xy
0x0120: 7a00 0b00 0403 0001 0200 0a00 1c00 1a00 z...............
0x0130: 1700 1900 1c00 1b00 1800 1a00 1600 0e00 ................
0x0140: 0d00 0b00 0c00 0900 0a00 0d00 2000 1e06 ................
0x0150: 0106 0206 0305 0105 0205 0304 0104 0204 ................
0x0160: 0303 0103 0203 0302 0102 0202 0300 0f00 ................
0x0170: 0101 3374 0000 0010 000b 0009 0868 7474 ..3t.........htt
0x0180: 702f 312e 3100 1500 b000 0000 0000 0000 p/1.1...........
0x0190: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x01a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x01b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x01c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x01d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x01e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x01f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0200: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0210: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0220: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0230: 0000 0000 0000 0000 00 .........
22:22:23.292507 IP 139.9.222.124.https > 192.168.1.106.33170: Flags [FP.], seq 1:650, ack 518, win 8192, length 649
0x0000: 4500 02b1 15ac 4000 f606 4102 8b09 de7c E.....@...A....|
0x0010: c0a8 016a 01bb 8192 4d9a ceb8 f6ab 9a22 ...j....M......"
0x0020: 5019 2000 d25b 0000 4854 5450 2f31 2e31 P....[..HTTP/1.1
0x0030: 2034 3033 2046 6f72 6269 6464 656e 0a43 .403.Forbidden.C
0x0040: 6f6e 7465 6e74 2d54 7970 653a 2074 6578 ontent-Type:.tex
0x0050: 742f 6874 6d6c 3b20 6368 6172 7365 743d t/html;.charset=
0x0060: 7574 662d 380a 5365 7276 6572 3a20 4144 utf-8.Server:.AD
0x0070: 4d2f 322e 312e 310a 436f 6e6e 6563 7469 M/2.1.1.Connecti
0x0080: 6f6e 3a20 636c 6f73 650a 436f 6e74 656e on:.close.Conten
0x0090: 742d 4c65 6e67 7468 3a20 3533 300a 0a3c t-Length:.530..<
0x00a0: 6874 6d6c 3e0a 3c68 6561 643e 0a3c 6d65 html>.<head>.<me
0x00b0: 7461 2068 7474 702d 6571 7569 763d 2243 ta.http-equiv="C
0x00c0: 6f6e 7465 6e74 2d54 7970 6522 2063 6f6e ontent-Type".con
0x00d0: 7465 6e74 3d22 7465 7874 6d6c 3b63 6861 tent="textml;cha
0x00e0: 7273 6574 3d47 4232 3331 3222 202f 3e0a rset=GB2312"./>.
0x00f0: 2020 203c 7374 796c 653e 626f 6479 7b62 ...<style>body{b
0x0100: 6163 6b67 726f 756e 642d 636f 6c6f 723a ackground-color:
0x0110: 2346 4646 4646 467d 3c2f 7374 796c 653e #FFFFFF}</style>
0x0120: 200a 3c74 6974 6c65 3ee9 9d9e e6b3 95e9 ..<title>.......
0x0130: 98bb e696 ad32 3334 3c2f 7469 746c 653e .....234</title>
0x0140: 0a20 203c 7363 7269 7074 206c 616e 6775 ...<script.langu
0x0150: 6167 653d 226a 6176 6173 6372 6970 7422 age="javascript"
0x0160: 2074 7970 653d 2274 6578 742f 6a61 7661 .type="text/java
0x0170: 7363 7269 7074 223e 0a20 2020 2020 2020 script">........
0x0180: 2020 7769 6e64 6f77 2e6f 6e6c 6f61 6420 ..window.onload.
0x0190: 3d20 6675 6e63 7469 6f6e 2028 2920 7b20 =.function.().{.
0x01a0: 0a20 2020 2020 2020 2020 2020 646f 6375 ............docu
0x01b0: 6d65 6e74 2e67 6574 456c 656d 656e 7442 ment.getElementB
0x01c0: 7949 6428 226d 6169 6e46 7261 6d65 2229 yId("mainFrame")
0x01d0: 2e73 7263 3d20 2268 7474 703a 2f2f 3131 .src=."http://11
0x01e0: 342e 3131 352e 3139 322e 3234 363a 3930 4.115.192.246:90
0x01f0: 3830 2f65 7272 6f72 2e68 746d 6c22 3b0a 80/error.html";.
0x0200: 2020 2020 2020 2020 2020 2020 7d0a 3c2f ............}.</
0x0210: 7363 7269 7074 3e20 2020 0a3c 2f68 6561 script>....</hea
0x0220: 643e 0a20 203c 626f 6479 3e0a 2020 2020 d>...<body>.....
0x0230: 3c69 6672 616d 6520 7374 796c 653d 2277 <iframe.style="w
0x0240: 6964 7468 3a31 3030 253b 2068 6569 6768 idth:100%;.heigh
0x0250: 743a 3130 3025 3b22 2069 643d 226d 6169 t:100%;".id="mai
0x0260: 6e46 7261 6d65 2220 7372 633d 2222 2066 nFrame".src="".f
0x0270: 7261 6d65 626f 7264 6572 3d22 3022 2073 rameborder="0".s
0x0280: 6372 6f6c 6c69 6e67 3d22 6e6f 223e 3c2f crolling="no"></
0x0290: 6966 7261 6d65 3e0a 2020 2020 3c2f 626f iframe>.....</bo
0x02a0: 6479 3e0a 2020 2020 2020 3c2f 6874 6d6c dy>.......</html
0x02b0: 3e >
22:22:23.292552 IP 192.168.1.106.33170 > 139.9.222.124.https: Flags [.], ack 651, win 239, options [nop,nop,TS val 434651685 ecr 3365805465], length 0
0x0000: 4500 0034 15ac 4000 4006 f97f c0a8 016a E..4..@.@......j
0x0010: 8b09 de7c 8192 01bb f6ab 9a22 4d9a d142 ...|......."M..B
0x0020: 8010 00ef d4f7 0000 0101 080a 19e8 4225 ..............B%
0x0030: c89e 1d99 ....
22:22:23.292562 IP 139.9.222.124.https > 192.168.1.106.33170: Flags [.], ack 518, win 235, options [nop,nop,TS val 3365805485 ecr 434651673], length 0
0x0000: 4500 0034 1ff1 4000 3106 fe3a 8b09 de7c E..4..@.1..:...|
0x0010: c0a8 016a 01bb 8192 4d9a ceb8 f6ab 9a22 ...j....M......"
0x0020: 8010 00eb d77d 0000 0101 080a c89e 1dad .....}..........
0x0030: 19e8 4219

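The two leading bytes 4500 are clearly the start of the IP header: 4 means IPv4, and 5 is the IP header length in 32-bit words, so the IP header is 5*4=20 bytes long.

IP header

That is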

	0x0000:  4500 0239 15ab 4000 4006 f77b c0a8 016a  E..9..@.@..{...j
0x0010: 8b09 de7c

Everything up to de7c is the IP header

TCP header

	0x0000:  4500 0239 15ab 4000 4006 f77b c0a8 016a  E..9..@.@..{...j
0x0010: 8b09 de7c 8192 01bb <- 01bb is 443, i.e. the destination port

1*16*16+11*16+11=443

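Version: the IP protocol version. The current IP version number is 4, and the next-generation IP version number is 6.

Header length: the length of the IP header, i.e. the sum of the fixed part (20 bytes) and the variable part. The field is 4 bits wide. Its maximum value is 1111, i.e. decimal 15, meaning the IP header can be at most fifteen 32-bit (4-byte) words, or 15*4=60 bytes; subtracting the fixed 20 bytes, the variable part can be at most 40 bytes.

I looked through RFC 8446: the version magic number of a TLS 1.2 Client Hello is 0x0303, and searching for it, sure enough, it is there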

struct {
    ProtocolVersion legacy_version = 0x0303;    /* TLS v1.2 */
    Random random;
    opaque legacy_session_id<0..32>;
    CipherSuite cipher_suites<2..2^16-2>;
    opaque legacy_compression_methods<1..2^8-1>;
    Extension extensions<8..2^16-1>;
} ClientHello;

But the plaintext that came back is clearly not just a broken connection

So it was blocked via SNI
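The same walk through the capture, done in code. This is an added example, not part of the original post: it parses the leading bytes of the two packets shown above (copied from the dump), and the function names `split_ip_tcp`, `client_hello_sni` and `classify` are this example's own.

```python
import struct
# Leading bytes of the two packets in the capture above, starting at the IP header.
CLIENT = bytes.fromhex(
    "4500023915ab40004006f77bc0a8016a8b09de7c819201bbf6ab981d4d9aceb8801800e522f200000101080a19e84219"
    "c89e1d991603010200010001fc0303046e2aea146844e2e1db8c1ee33582e33f91282ad2cd1cbac21e70dd4f6587d700"
    "009ec030c02cc028c024c014c00a00a500a300a1009f006b006a0069006800390038003700360088008700860085c032"
    "c02ec02ac026c00fc005009d003d00350084c02fc02bc027c023c013c00900a400a200a0009e00670040003f003e0033"
    "003200310030009a0099009800970045004400430042c031c02dc029c025c00ec004009c003c002f00960041c012c008"
    "001600130010000dc00dc003000a00ff010001350000001900170000146769746c61622e7368616b75646164612e7879"
    "7a000b000403000102000a001c001a00"
)
SERVER = bytes.fromhex(
    "450002b115ac4000f60641028b09de7cc0a8016a01bb81924d9aceb8f6ab9a22"
    "50192000d25b0000485454502f312e312034303320466f7262696464656e0a43"
)

def split_ip_tcp(pkt):  # -> (src_port, dst_port, tcp_flags, payload)
    ihl = (pkt[0] & 0x0F) * 4              # 0x45 -> version 4, IHL 5 -> 20 bytes
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not IPv4/TCP")
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    off_flags, = struct.unpack_from("!H", pkt, ihl + 12)   # data offset + flags
    return sport, dport, off_flags & 0x1FF, pkt[ihl + (off_flags >> 12) * 4:]

def client_hello_sni(p):  # -> (legacy_version, server_name), or (None, None)
    if len(p) < 44 or p[0] != 0x16 or p[5] != 0x01:   # handshake record, ClientHello
        return None, None
    version, = struct.unpack_from("!H", p, 9)
    try:
        pos = 44 + p[43]                                  # Random, legacy_session_id
        pos += 2 + struct.unpack_from("!H", p, pos)[0]    # cipher_suites
        pos += 1 + p[pos] + 2                             # compression, extensions length
        while pos + 4 <= len(p):
            etype, elen = struct.unpack_from("!HH", p, pos)
            if etype == 0:                                # server_name extension
                nlen, = struct.unpack_from("!H", p, pos + 7)
                return version, p[pos + 9:pos + 9 + nlen].decode("ascii")
            pos += 4 + elen
    except (IndexError, struct.error):                    # truncated capture
        pass
    return version, None

def classify(pkt):  # label the TCP payload as TLS or plaintext HTTP
    sport, dport, flags, data = split_ip_tcp(pkt)
    if data[:2] == b"\x16\x03":
        return ("tls",) + client_hello_sni(data)
    if data.startswith(b"HTTP/"):                         # last field: FIN flag set
        return ("plaintext-http", data.split(b"\n")[0].decode("ascii", "replace"), bool(flags & 1))
    return ("unknown",)
```

The hostname is readable because the server_name extension travels unencrypted in the Client Hello. The reply on port 443 is plain HTTP with FIN set rather than a Server Hello, which is why curl reports an unknown protocol.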

In the OCSPStatusRequest, the "ResponderIDs" provides a list of OCSP
responders that the client trusts. A zero-length "responder_id_list"
sequence has the special meaning that the responders are implicitly
known to the server - e.g., by prior arrangement. "Extensions" is a
DER encoding of OCSP request extensions.

Both "ResponderID" and "Extensions" are DER-encoded ASN.1 types as
defined in [OCSP]. "Extensions" is imported from [PKIX]. A zero-
length "request_extensions" value means that there are no extensions
(as opposed to a zero-length ASN.1 SEQUENCE, which is not valid for
the "Extensions" type).

In the case of the "id-pkix-ocsp-nonce" OCSP extension, [OCSP] is
unclear about its encoding; for clarification, the nonce MUST be a
DER-encoded OCTET STRING, which is encapsulated as another OCTET
STRING (note that implementations based on an existing OCSP client
will need to be checked for conformance to this requirement).

Servers that receive a client hello containing the "status_request"
extension, MAY return a suitable certificate status response to the
client along with their certificate. If OCSP is requested, they
SHOULD use the information contained in the extension when selecting
an OCSP responder, and SHOULD include request_extensions in the OCSP
request.