I am trying to set up HTTPS on port 55434 (different from the standard 443). My nginx config looks like this:
server {
server_name example.org;
listen 55434 ssl;
ssl on;
ssl_certificate /etc/ssl/certs/example.org.crt;
ssl_certificate_key /etc/ssl/private/example.org.key;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
...
}
Port 55434 is open:
iptables -L
ACCEPT tcp -- anywhere anywhere tcp dpt:55434
Port 55434 is listening:
netstat -a | egrep 'Proto|LISTEN'
tcp 0 0 *:55434 *:* LISTEN
The certificate was generated by https://www.startssl.com/. When I access https://example.org:55434 I get the following response.
wget https://example.org:55434
--2013-01-11 11:11:11-- https://example.org:55434/
Resolving example.org... 1.2.3.4
Connecting to example.org|1.2.3.4|:55434... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
openssl s_client -showcerts -connect example.org:55434 results in
CONNECTED(00000003)
8528:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:607
wget --version
GNU Wget 1.12 built on linux-gnu.
+digest +ipv6 +nls +ntlm +opie +md5/openssl +https -gnutls +openssl
-iri
Wgetrc:
/etc/wgetrc (system)
Locale: /usr/share/locale
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
-DLOCALEDIR="/usr/share/locale" -I. -I../lib -g -O2
-D_FILE_OFFSET_BITS=64 -O2 -g -Wall
Link: gcc -g -O2 -D_FILE_OFFSET_BITS=64 -O2 -g -Wall /usr/lib/libssl.so
/usr/lib/libcrypto.so -ldl -lrt ftp-opie.o openssl.o http-ntlm.o
gen-md5.o ../lib/libgnu.a
nginx -V (I compiled it myself)
nginx version: nginx/1.2.6
built by gcc 4.4.5 (Debian 4.4.5-8)
TLS SNI support enabled
configure arguments:
--conf-path=/etc/nginx/nginx.conf
--add-module=../naxsi-core-0.49/naxsi_src/
--error-log-path=/var/log/nginx/error.log
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-log-path=/var/log/nginx/access.log
--http-proxy-temp-path=/var/lib/nginx/proxy
--lock-path=/var/lock/nginx.lock
--pid-path=/var/run/nginx.pid
--with-http_ssl_module
--without-mail_pop3_module
--without-mail_smtp_module
--without-mail_imap_module
--without-http_uwsgi_module
--without-http_scgi_module
--with-ipv6
--prefix=/usr
--with-http_realip_module
First, I thought port 443 was blocked by my hosting provider.
wget https://example.org --no-check-certificate
--2013-03-18 19:35:54-- https://example.org/
Resolving example.org... 1.2.3.4
Connecting to example.org|1.2.3.4|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
openssl s_client -connect example.org:443 -debug -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0xf5d77a0 [0xf5d78b0] (121 bytes => 121 (0x79))
0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00 .w....N... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00 ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00 ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80 @...............
0050 - 00 00 03 02 00 80 00 00-ff 8b 1a e3 12 30 7c ce .............0|.
0060 - fe 39 68 93 f1 52 d6 20-94 7c 41 4d aa e6 b0 9a .9h..R. .|AM....
0070 - b8 d3 1d 1e ab a3 53 60-5d ......S`]
SSL_connect:SSLv2/v3 write client hello A
read from 0xf5d77a0 [0xf5dce10] (7 bytes => 7 (0x7))
0000 - 3c 68 74 6d 6c 3e 0d <html>.
SSL_connect:error in SSLv2/v3 read server hello A
30203:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:607:
In Google Chrome I get Error 107 (net::ERR_SSL_PROTOCOL_ERROR).
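The `-debug` trace in the question records both what s_client wrote and the 7 bytes it read back before failing. As an added example (not code from the original post), this Python code rebuilds the raw bytes from such dump lines and labels them as a TLS record, an SSLv2-framed hello, or plaintext HTTP; the function names are hypothetical, and the parser assumes the single-space dump layout shown on this page.

```python
import re

# TLS record content types (first byte of every SSLv3/TLS record).
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}

# One line of `openssl s_client -debug` output: offset, " - ", then up to 16
# hex pairs separated by spaces (a dash sits between the 8th and 9th pair).
# Assumption: the ASCII column does not itself start with a hex pair.
_DUMP_LINE = re.compile(r"^\s*[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -]){1,16})")


def bytes_from_debug_dump(lines):
    """Rebuild the raw bytes from s_client -debug hexdump lines."""
    out = bytearray()
    for line in lines:
        m = _DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex("".join(re.findall(r"[0-9a-f]{2}", m.group(1))))
    return bytes(out)


def classify_first_bytes(data):
    """Name the protocol suggested by the first bytes a peer sent."""
    if not data:
        return "empty"
    if len(data) >= 3:
        # SSLv3/TLS record header: content type, then version 0x03 0x00..0x04.
        if data[0] in TLS_CONTENT_TYPES and data[1] == 0x03 and data[2] <= 0x04:
            return "tls-" + TLS_CONTENT_TYPES[data[0]]
        # SSLv2 framing: length with the high bit set, then message type
        # 1 (CLIENT-HELLO) or 4 (SERVER-HELLO).
        if data[0] & 0x80 and data[2] in (0x01, 0x04):
            return "sslv2-hello"
    head = data[:16].lstrip().lower()
    if head.startswith((b"http/", b"<")):
        return "plaintext-http"
    return "unknown"


# Two dump lines copied from the s_client trace in the post above.
CLIENT_WROTE = ["0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00 .w....N... ..9.."]
SERVER_SENT = ["0000 - 3c 68 74 6d 6c 3e 0d <html>."]

if __name__ == "__main__":
    for label, dump in (("client wrote", CLIENT_WROTE), ("server sent", SERVER_SENT)):
        raw = bytes_from_debug_dump(dump)
        print(label, raw[:8], "->", classify_first_bytes(raw))
```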