在非标准端口上建立 https

在非标准端口上建立 https

我正在尝试在端口 55434(不同于标准 443)上建立 https。我的 nginx 配置如下:

server {
  server_name         example.org;
  listen              55434 ssl;
  ssl                 on;
  ssl_certificate     /etc/ssl/certs/example.org.crt;
  ssl_certificate_key /etc/ssl/private/example.org.key;
  ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers         HIGH:!aNULL:!MD5;

  ...
}

端口 55434 已开放

iptables -L
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:55434

端口 55434 正在监听:

netstat -a | egrep 'Proto|LISTEN'   
tcp        0      0 *:55434                 *:*                     LISTEN 

证书由以下人员生成https://www.startssl.com/.当我访问https://example.org:55434我收到以下回复。

wget https://example.org:55434
--2013-01-11 11:11:11--  https://example.org:55434/
Resolving example.org... 1.2.3.4
Connecting to example.org|1.2.3.4|:55434... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

openssl s_client -showcerts -connect example.org:55434 结果是

CONNECTED(00000003)
8528:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:607

wget --version

GNU Wget 1.12 built on linux-gnu.

+digest +ipv6 +nls +ntlm +opie +md5/openssl +https -gnutls +openssl
-iri

Wgetrc:
    /etc/wgetrc (system)
Locale: /usr/share/locale
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
    -DLOCALEDIR="/usr/share/locale" -I. -I../lib -g -O2
    -D_FILE_OFFSET_BITS=64 -O2 -g -Wall
Link: gcc -g -O2 -D_FILE_OFFSET_BITS=64 -O2 -g -Wall /usr/lib/libssl.so
    /usr/lib/libcrypto.so -ldl -lrt ftp-opie.o openssl.o http-ntlm.o
    gen-md5.o ../lib/libgnu.a

nginx -V (我自己编译的)

nginx version: nginx/1.2.6
built by gcc 4.4.5 (Debian 4.4.5-8)
TLS SNI support enabled
configure arguments:
   --conf-path=/etc/nginx/nginx.conf
   --add-module=../naxsi-core-0.49/naxsi_src/
   --error-log-path=/var/log/nginx/error.log
   --http-client-body-temp-path=/var/lib/nginx/body
   --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
   --http-log-path=/var/log/nginx/access.log
   --http-proxy-temp-path=/var/lib/nginx/proxy
   --lock-path=/var/lock/nginx.lock
   --pid-path=/var/run/nginx.pid
   --with-http_ssl_module
   --without-mail_pop3_module
   --without-mail_smtp_module
   --without-mail_imap_module
   --without-http_uwsgi_module
   --without-http_scgi_module
   --with-ipv6
   --prefix=/usr
   --with-http_realip_module

首先,我认为端口 443 被我的主机提供商阻止了。wgethttps://example.org--无检查证书

--2013-03-18 19:35:54--  https://example.org/
Resolving example.org... 1.2.3.4
Connecting to example.org|1.2.3.4|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

openssl s_client -connect example.org:443 -debug -state

CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0xf5d77a0 [0xf5d78b0] (121 bytes => 121 (0x79))
0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00   .w....N... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
0050 - 00 00 03 02 00 80 00 00-ff 8b 1a e3 12 30 7c ce   .............0|.
0060 - fe 39 68 93 f1 52 d6 20-94 7c 41 4d aa e6 b0 9a   .9h..R. .|AM....
0070 - b8 d3 1d 1e ab a3 53 60-5d                        ......S`]
SSL_connect:SSLv2/v3 write client hello A
read from 0xf5d77a0 [0xf5dce10] (7 bytes => 7 (0x7))
0000 - 3c 68 74 6d 6c 3e 0d                              <html>.
SSL_connect:error in SSLv2/v3 read server hello A
30203:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:607:

在 Google Chrome 中我收到错误 107 (net::ERR_SSL_PROTOCOL_ERROR)

相关内容