问题描述
要访问目标文件,我必须在请求中添加特定的主机头,因为服务器正在使用SNI。
我的服务器的IP是172.1.1.61,mydomain.com是可以给我文件的目标主机。
我试图使用 curl 却没有成功:
curl -I --resolve mydomain.com:443:172.1.1.61 https://172.1.1.61:443/FederationMetadata/2007-06/FederationMetadata.xml -v
* Added mydomain.com:443:172.1.1.61 to DNS cache
* About to connect() to 172.1.1.61 port 443 (#0)
* Trying 172.1.1.61...
* Connected to 172.1.1.61 (172.1.1.61) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer
我也尝试使用 openssl客户端:
openssl s_client -connect 172.1.1.61:443 -servername mydomain.com
它为我显示了与mydomain.com相关的有效证书:
CONNECTED(00000003)
depth=3 C = US,O = "The Go Daddy Group,Inc.",OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US,ST = Arizona,L = ScottsDale,O = "GoDaddy.com,CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US,OU = http://certs.godaddy.com/repository/,CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated,CN = mydomain.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=mydomain.com
i:/C=US/ST=Arizona/L=ScottsDale/O=GoDaddy.com,Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=ScottsDale/O=GoDaddy.com,Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=ScottsDale/O=GoDaddy.com,Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=ScottsDale/O=GoDaddy.com,Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group,Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
some moar strings
cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMTkwNDAzMDQyODE3Wh==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=mydomain.com
issuer=/C=US/ST=Arizona/L=ScottsDale/O=GoDaddy.com,Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH,P-256,256 bits
---
SSL handshake has read 4609 bytes and written 438 bytes
---
New,TLSv1/SSLv3,Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9B020000BE0E627BF16F61C924ED4B90FF698F1868168A0467E0F359F98DE1FA
Session-ID-ctx:
Master-Key: (hidden)
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1602236714
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=104
但是最后一个字符串是read:errno=104,它等于连接重置错误。
作为我的最后希望,我在Chrome浏览器上安装了Modify Header Value插件,并进行了如下设置:
但仍然没有连接:
我做错了什么?
解决方法
openssl s_client -connect 172.1.1.61:443 -servername mydomain.com ... SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384...
但是最后一个字符串是:errno = 104,等于连接重置错误。
您在此处看到的错误意味着连接重置发生在最后阶段或TLS握手之后。在此阶段,已经使用SNI选择证书,并且尚未发送带有Host标头的HTTP请求。这意味着SNI和Host标头都不是这里的实际问题。
这意味着可以排除错误的SNI和主机标头作为连接重置的可能原因。还可以找到共享密码,因此这也不是问题。例如,可能是缺少客户端证书或其他内容。也许服务器日志会显示。