So I can't connect to certain websites. Only a few; most are fine. The one I really care about is paypal.com.
I've done the usual things. Let's see:
- Cleared browsing history
- Tried different browsers
- Uninstalled and downloaded/installed a fresh browser
- System restore to before the problem started
- Installed all system patches
- Checked my etc/hosts
- Flushed the DNS cache
- Checked the firewall
- Turned virus protection on and off
- Turned ad blocking on and off
- Pinged the site
- Connected directly to the ISP access point without the router
Finally, I decided to see what curl was actually saying
== Info: About to connect() to www.paypal.com port 443 (#0)
== Info: Trying 66.211.169.2... == Info: connected
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 110 bytes (0x6e)
0000: 01 00 00 6a 03 01 4f 6c aa 8c 57 2b 3d 1e 74 64 ...j..Ol..W+=.td
0010: c1 27 25 a5 3a 12 7f 3f 41 0a 17 15 2e c9 67 7c .'%.:.?A.....g|
0020: b3 e1 f6 9a db a9 00 00 2a 00 39 00 38 00 35 00 ........*.9.8.5.
0030: 16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 05 00 ......3.2./.....
0040: 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 ................
0050: 03 00 ff 01 00 00 17 00 00 00 13 00 11 00 00 0e ................
0060: 77 77 77 2e 70 61 79 70 61 6c 2e 63 6f 6d www.paypal.com
(hangs here for ever)
To me this looks like PayPal refusing to reply to the first SSL handshake.
I don't know much about SSL, but compared with the output from a site that works, this seems pretty clear
== Info: About to connect() to www.cibc.com port 443 (#0)
== Info: Trying 159.231.80.200... == Info: connected
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 108 bytes (0x6c)
0000: 01 00 00 68 03 01 4f 6c ad 6a 1f 67 d5 84 c4 4b ...h..Ol.j.g...K
0010: 0d 49 ae d6 b9 5b c3 63 f9 48 aa 18 da 43 d1 32 .I...[.c.H...C.2
0020: 47 ae 17 e5 cd e9 00 00 2a 00 39 00 38 00 35 00 G.......*.9.8.5.
0030: 16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 05 00 ......3.2./.....
0040: 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 ................
0050: 03 00 ff 01 00 00 15 00 00 00 11 00 0f 00 00 0c ................
0060: 77 77 77 2e 63 69 62 63 2e 63 6f 6d www.cibc.com
== Info: SSLv3, TLS handshake, Server hello (2):
<= Recv SSL data, 74 bytes (0x4a)
0000: 02 00 00 46 03 01 00 00 58 cf 26 e2 e1 65 db 11 ...F....X.&..e..
0010: bc 6f 26 7b 3b 6d eb 14 5f ad 47 dd 86 ea 4d a3 .o&{;m.._.G...M.
0020: fb 9f b7 2a 54 3e 20 5f 6b 04 5a 12 38 64 5d 18 ...*T> _k.Z.8d].
0030: 65 9e e9 cd 61 eb 91 c1 16 25 61 30 bb 08 2a 78 e...a....%a0..*x
0040: b8 ee b8 7e f2 65 6a 00 04 00 ...~.ej...
== Info: SSLv3, TLS handshake, CERT (11):
... and so on - working nicely eventually get some nice HTML
Now I'm really stuck. This has been going on for five days, so I'm fairly sure the problem isn't with paypal. But what on my system could be interfering with curl's SSL handshake with this particular site?
Next I installed WireShark to capture the packets exchanged with paypal.com
No. Time Source Destination Protocol Length Info
123 118.847059 192.168.100.3 66.211.169.14 TCP 66 59884 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
124 118.982913 66.211.169.14 192.168.100.3 TCP 66 https > 59884 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1440 WS=1 SACK_PERM=1
125 118.982981 192.168.100.3 66.211.169.14 TCP 54 59884 > https [ACK] Seq=1 Ack=1 Win=66240 Len=0
126 118.983728 192.168.100.3 66.211.169.14 SSL 240 Client Hello
129 119.373787 192.168.100.3 66.211.169.14 SSL 240 [TCP Retransmission] Client Hello
132 119.560671 66.211.169.14 192.168.100.3 SSL 153 [TCP Previous segment lost] Continuation Data
133 119.560714 192.168.100.3 66.211.169.14 TCP 66 [TCP Dup ACK 129#1] 59884 > https [ACK] Seq=187 Ack=1 Win=66240 Len=0 SLE=4381 SRE=4480
Interesting!
The Client Hello is retransmitted less than 0.5 seconds later. Why? Could this be causing confusion? Can I control it somehow?
A reply from paypal is received, but it is marked "previous segment lost", which seems to be my problem. How do I fix this???
It looks like this is most likely a network problem. It happens on both machines connected to this ISP. But when I take one of the machines that has the problem on this network to a friend's house on a different ISP, the problem goes away!
(Note: how I connect to the internet, as far as I know. I connect the Ethernet port on my computer to a small black box called a "wireless access point". This in turn connects to what looks like a ruggedized Ethernet cable that runs to a microwave antenna on my roof, which connects to the internet through a chain of microwave antennas.)
What do I tell the ISP? They won't believe their network interferes with the SSL handshake of some sites but not others.
Here is a link: Wireshark capture of the SSL handshake
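Added example (mine, not from the question or the answer): a small parser for the hex dump curl printed above. It rebuilds the 110-byte ClientHello from the dump lines and decodes the protocol version, the 21 offered cipher suites and the SNI extension, which confirms that what curl sent is a well-formed TLS 1.0 ClientHello naming www.paypal.com; the same function decodes the www.cibc.com dump. The dump text embedded in the code is copied from the question; the cipher-suite name table, `HEX_LINE` and all function names are my own.

```python
import re

# curl's hex dump of the 110-byte ClientHello sent to www.paypal.com (copied from the question).
PAYPAL_DUMP = """\
0000: 01 00 00 6a 03 01 4f 6c aa 8c 57 2b 3d 1e 74 64 ...j..Ol..W+=.td
0010: c1 27 25 a5 3a 12 7f 3f 41 0a 17 15 2e c9 67 7c .'%.:.?A.....g|
0020: b3 e1 f6 9a db a9 00 00 2a 00 39 00 38 00 35 00 ........*.9.8.5.
0030: 16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 05 00 ......3.2./.....
0040: 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 ................
0050: 03 00 ff 01 00 00 17 00 00 00 13 00 11 00 00 0e ................
0060: 77 77 77 2e 70 61 79 70 61 6c 2e 63 6f 6d www.paypal.com
"""

VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# IANA names for the 21 suite codes that appear in the dump above.
CIPHER_NAMES = {
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0007: "TLS_RSA_WITH_IDEA_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA", 0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA", 0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", 0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x00ff: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

# One dump line: 4-hex-digit offset, then 1..16 byte pairs each followed by a space (or end of
# line); whatever follows (curl's ASCII column) is left unmatched.
HEX_LINE = re.compile(r"^([0-9a-f]{4}): ((?:[0-9a-f]{2}(?: |$)){1,16})")

def dump_to_bytes(dump):
    """Rebuild the raw bytes from curl's hex dump, checking that offsets are contiguous."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"dump offset {m.group(1)} does not follow {len(out):04x}")
        out += bytes.fromhex(m.group(2).strip())
    return bytes(out)

def u16(b, pos):
    return int.from_bytes(b[pos:pos + 2], "big")

def parse_sni(ext):
    """server_name extension body: u16 list length, then entries of (type u8, length u16, name)."""
    pos, end = 2, 2 + u16(ext, 0)
    while pos + 3 <= end:
        name_type, name_len = ext[pos], u16(ext, pos + 1)
        if name_type == 0:  # host_name
            return ext[pos + 3:pos + 3 + name_len].decode("ascii")
        pos += 3 + name_len
    return None

def parse_client_hello(msg):
    """Parse a handshake-layer ClientHello (type 1) as curl prints it, i.e. without the 5-byte record header."""
    if not msg or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError(f"truncated: header says {body_len} bytes, got {len(body)}")
    version = VERSIONS.get((body[0], body[1]), f"unknown {body[0]}.{body[1]}")
    gmt_unix_time = int.from_bytes(body[2:6], "big")  # first 4 bytes of the 32-byte random
    pos = 2 + 32
    pos += 1 + body[pos]                                # session_id (length-prefixed)
    cs_len = u16(body, pos)
    pos += 2
    suites = [u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                # compression_methods (length-prefixed)
    sni = None
    if pos < len(body):                                 # the extensions block is optional
        ext_end = pos + 2 + u16(body, pos)
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = u16(body, pos), u16(body, pos + 2)
            if ext_type == 0:                           # server_name
                sni = parse_sni(body[pos + 4:pos + 4 + ext_len])
            pos += 4 + ext_len
    return {
        "total_len": 4 + body_len,
        "version": version,
        "gmt_unix_time": gmt_unix_time,
        "sni": sni,
        "cipher_suites": [CIPHER_NAMES.get(c, f"0x{c:04x}") for c in suites],
    }

if __name__ == "__main__":
    info = parse_client_hello(dump_to_bytes(PAYPAL_DUMP))
    for k, v in info.items():
        print(f"{k}: {v}")
```

The two dumps differ only in the SNI name (and therefore in the extension lengths), so the bytes themselves give no reason for one server to answer and the other not to; that is what points the question away from the client and at the path, which the Wireshark capture then confirms.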
Answer 1
The packet is retransmitted because the client did not see a response to the first Client Hello it sent. Your router appears to be a device from Zinwell, or a rebranded version of such a device. I would do a firmware update if one is available. It would be better if you provided another sample trace, since this one is incomplete/filtered. If you start wireshark/netmon before visiting the site, we will see the details of the connection request, as shown below.
3 38.1779028 iexplore.exe 192.168.0.14 192.168.0.1 TCP TCP:Flags=......S., SrcPort=49301, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1380476926, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 {TCP:2, IPv4:1}
4 38.1781162 iexplore.exe 192.168.0.1 192.168.0.14 TCP TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=49301, PayloadLen=0, Seq=92792191, Ack=1380476927, Win=16384 ( Negotiated scale factor 0x0 ) = 16384 {TCP:2, IPv4:1}
5 38.1786808 iexplore.exe 192.168.0.14 192.168.0.1 TCP TCP:Flags=...A...., SrcPort=49301, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1380476927, Ack=92792192, Win=16425 (scale factor 0x2) = 65700 {TCP:2, IPv4:1}
6 38.1788535 iexplore.exe 192.168.0.14 192.168.0.1 HTTP HTTP:Request, CONNECT www.paypal.com:443 {HTTP:3, TCP:2, IPv4:1}
7 38.3178172 iexplore.exe 192.168.0.1 192.168.0.14 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=49301, PayloadLen=0, Seq=92792192, Ack=1380477151, Win=65311 (scale factor 0x0) = 65311 {TCP:2, IPv4:1}
8 38.3784467 iexplore.exe 192.168.0.1 192.168.0.14 HTTP HTTP:Response, HTTP/1.1, Status: Ok, URL: www.paypal.com:443 {HTTP:3, TCP:2, IPv4:1}
9 38.3826707 iexplore.exe 192.168.0.14 192.168.0.1 TLS TLS:TLS Rec Layer-1 HandShake: Client Hello. {TLS:5, SSLVersionSelector:4, HTTP:3, TCP:2, IPv4:1}
10 38.5365475 iexplore.exe 192.168.0.1 192.168.0.14 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=49301, PayloadLen=0, Seq=92792299, Ack=1380477280, Win=65182 (scale factor 0x0) = 65182 {TCP:2, IPv4:1}
11 38.5485415 iexplore.exe 192.168.0.1 192.168.0.14 TLS TLS:TLS Rec Layer-1 HandShake: Server Hello.; TLS Rec Layer-2 HandShake: Certificate. {TLS:5, SSLVersionSelector:4, HTTP:3, TCP:2, IPv4:1}
12 38.5486008 iexplore.exe 192.168.0.1 192.168.0.14 TCP TCP:[Continuation to #11]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=49301, PayloadLen=1460, Seq=92793759 - 92795219, Ack=1380477280, Win=65182 (scale factor 0x0) = 65182 {TCP:2, IPv4:1}
13 38.5486008 iexplore.exe 192.168.0.1 192.168.0.14 TCP TCP:[Continuation to #11]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=49301, PayloadLen=1460, Seq=92795219 - 92796679, Ack=1380477280, Win=65182 (scale factor 0x0) = 65182 {TCP:2, IPv4:1}
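Added example (mine, not from the answer): the stall pattern the answer describes, a Client Hello retransmitted because the client saw no reply, can be picked out of Wireshark's packet-list text mechanically, which is useful when you have to show an ISP the same thing from several captures. The rows embedded below are copied from the question's capture; the parser, the report fields and the `handshake_report` name are my own.

```python
import re

# Wireshark packet-list rows copied from the question's capture (header row included).
CAPTURE = """\
No. Time Source Destination Protocol Length Info
123 118.847059 192.168.100.3 66.211.169.14 TCP 66 59884 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
124 118.982913 66.211.169.14 192.168.100.3 TCP 66 https > 59884 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1440 WS=1 SACK_PERM=1
125 118.982981 192.168.100.3 66.211.169.14 TCP 54 59884 > https [ACK] Seq=1 Ack=1 Win=66240 Len=0
126 118.983728 192.168.100.3 66.211.169.14 SSL 240 Client Hello
129 119.373787 192.168.100.3 66.211.169.14 SSL 240 [TCP Retransmission] Client Hello
132 119.560671 66.211.169.14 192.168.100.3 SSL 153 [TCP Previous segment lost] Continuation Data
133 119.560714 192.168.100.3 66.211.169.14 TCP 66 [TCP Dup ACK 129#1] 59884 > https [ACK] Seq=187 Ack=1 Win=66240 Len=0 SLE=4381 SRE=4480
"""

# Columns: No. Time Source Destination Protocol Length Info (Info is the rest of the line).
ROW = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")

def parse_rows(text):
    """Turn packet-list lines into dicts; lines that are not rows (the header) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"no": int(m[1]), "time": float(m[2]), "src": m[3], "dst": m[4],
                         "proto": m[5], "len": int(m[6]), "info": m[7]})
    return rows

def handshake_report(rows):
    """For every (client, server) pair that sent a Client Hello, summarise what came back."""
    reports = {}
    for r in rows:
        if "Client Hello" in r["info"]:
            rep = reports.setdefault((r["src"], r["dst"]), {
                "first_hello_t": None, "retransmissions": 0, "retransmit_after_s": None,
                "server_hello_seen": False, "server_segments_after_hello": 0,
                "lost_server_segment": False})
            if "Retransmission" in r["info"]:
                rep["retransmissions"] += 1
                if rep["retransmit_after_s"] is None and rep["first_hello_t"] is not None:
                    rep["retransmit_after_s"] = round(r["time"] - rep["first_hello_t"], 6)
            elif rep["first_hello_t"] is None:
                rep["first_hello_t"] = r["time"]
            continue
        rep = reports.get((r["dst"], r["src"]))      # packets flowing server -> client
        if rep is None or rep["first_hello_t"] is None:
            continue
        rep["server_segments_after_hello"] += 1
        if "Server Hello" in r["info"]:
            rep["server_hello_seen"] = True
        if "Previous segment lost" in r["info"]:     # Wireshark saw a gap in the server's sequence numbers
            rep["lost_server_segment"] = True
    for rep in reports.values():
        if rep["server_hello_seen"]:
            rep["verdict"] = "handshake progressed"
        elif rep["retransmissions"]:
            rep["verdict"] = (f"Client Hello retransmitted {rep['retransmissions']}x, no Server Hello seen"
                              + ("; server data arrived after a missing segment" if rep["lost_server_segment"] else ""))
        else:
            rep["verdict"] = "no Server Hello seen"
    return reports

if __name__ == "__main__":
    for pair, rep in handshake_report(parse_rows(CAPTURE)).items():
        print(pair, rep["verdict"], "retransmit after", rep["retransmit_after_s"], "s")
```

On the question's rows this reports one retransmission about 0.39 s after the first Client Hello, no Server Hello, and one server segment that Wireshark flagged as following a lost segment; a capture from a working site (or from the friend's ISP) run through the same function should report "handshake progressed", which is the side-by-side comparison worth handing to the ISP.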