Windows:ClientHello 后 SSL/TLS 连接重置(ECONNRESET / write:errno=10054)

Windows:ClientHello 后 SSL/TLS 连接重置(ECONNRESET / write:errno=10054)

我使用 Windows Server 2012 作为工作站。问题是 node.js 发起的 HTTPS 连接随机失败。这可能是系统范围的问题,不仅 node 受到影响,而且它主要出现在 node 上。

由于任何 HTTPS 请求都可能随机失败,因此 npm install 就像抽奖一样,对于较大的包,在无数次重试后,它总是会在 TLSWrap.onread 错误处出现 ECONNRESET 而失败。另一个例子是我的 node 脚本用于从 Github 获取文件夹内容,如果尝试下载第一个文件,它几乎总是会失败,但有时它可以获取几个然后失败。

该计算机上仅安装了标准 Windows 防火墙和 System Center Endpoint Protection(又称 Microsoft Security Essentials),我尝试将它们都关闭 - 没有帮助。更改网卡、IP 地址、网关甚至 ISP 也无济于事。我还尝试卸载然后重新安装一些与 SSL 相关的 Windows 更新,但也没有帮助。但是,在连接到同一台交换机的另一台 PC 上,甚至在这台 Linux 上的 PC 上,一切都运行正常。时间和日期是正确的,浏览(HTTP 和 HTTPS)也很好,除了在某些(但不是所有)启用 HTTPS 的网站上出现罕见的连接重置错误(例如 imgur.com)。

这是来自 openssl 的两个输出,相隔几秒钟,第一个通过,第二个失败。

openssl s_client -msg -debug -state -connect www.npmjs.com:443

第一个太大了,无法放入邮件中,所以这是pastebin 链接

第二个:

CONNECTED(00000138)
write to 0xf4e608 [0xf87210] (307 bytes => 307 (0x133))
0000 - 16 03 01 01 2e 01 00 01-2a 03 03 4b 71 63 8e 02   ........*..Kqc..
0010 - 73 68 40 9b 77 eb 06 5f-47 58 c5 3e d5 0f 33 1d   [email protected].._GX.>..3.
0020 - 76 73 d1 b0 0a 11 b8 84-29 32 e3 00 00 ac c0 30   vs......)2.....0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a5 00 a3 00 a1   .,.(.$..........
0040 - 00 9f 00 6b 00 6a 00 69-00 68 00 39 00 38 00 37   ...k.j.i.h.9.8.7
0050 - 00 36 00 88 00 87 00 86-00 85 c0 32 c0 2e c0 2a   .6.........2...*
0060 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f   .&.......=.5.../
0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a4 00 a2 00 a0   .+.'.#..........
0080 - 00 9e 00 67 00 40 00 3f-00 3e 00 33 00 32 00 31   ...g.@.?.>.3.2.1
0090 - 00 30 00 9a 00 99 00 98-00 97 00 45 00 44 00 43   .0.........E.D.C
00a0 - 00 42 c0 31 c0 2d c0 29-c0 25 c0 0e c0 04 00 9c   .B.1.-.).%......
00b0 - 00 3c 00 2f 00 96 00 41-00 07 c0 11 c0 07 c0 0c   .<./...A........
00c0 - c0 02 00 05 00 04 c0 12-c0 08 00 16 00 13 00 10   ................
00d0 - 00 0d c0 0d c0 03 00 0a-00 ff 01 00 00 55 00 0b   .............U..
00e0 - 00 04 03 00 01 02 00 0a-00 1c 00 1a 00 17 00 19   ................
00f0 - 00 1c 00 1b 00 18 00 1a-00 16 00 0e 00 0d 00 0b   ................
0100 - 00 0c 00 09 00 0a 00 23-00 00 00 0d 00 20 00 1e   .......#..... ..
0110 - 06 01 06 02 06 03 05 01-05 02 05 03 04 01 04 02   ................
0120 - 04 03 03 01 03 02 03 03-02 01 02 02 02 03 00 0f   ................
0130 - 00 01 01                                          ...
>>> TLS 1.2  [length 0005]
    16 03 01 01 2e
>>> TLS 1.2 Handshake [length 012e], ClientHello
    01 00 01 2a 03 03 4b 71 63 8e 02 73 68 40 9b 77
    eb 06 5f 47 58 c5 3e d5 0f 33 1d 76 73 d1 b0 0a
    11 b8 84 29 32 e3 00 00 ac c0 30 c0 2c c0 28 c0
    24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00
    6a 00 69 00 68 00 39 00 38 00 37 00 36 00 88 00
    87 00 86 00 85 c0 32 c0 2e c0 2a c0 26 c0 0f c0
    05 00 9d 00 3d 00 35 00 84 c0 2f c0 2b c0 27 c0
    23 c0 13 c0 09 00 a4 00 a2 00 a0 00 9e 00 67 00
    40 00 3f 00 3e 00 33 00 32 00 31 00 30 00 9a 00
    99 00 98 00 97 00 45 00 44 00 43 00 42 c0 31 c0
    2d c0 29 c0 25 c0 0e c0 04 00 9c 00 3c 00 2f 00
    96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05 00
    04 c0 12 c0 08 00 16 00 13 00 10 00 0d c0 0d c0
    03 00 0a 00 ff 01 00 00 55 00 0b 00 04 03 00 01
    02 00 0a 00 1c 00 1a 00 17 00 19 00 1c 00 1b 00
    18 00 1a 00 16 00 0e 00 0d 00 0b 00 0c 00 09 00
    0a 00 23 00 00 00 0d 00 20 00 1e 06 01 06 02 06
    03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03
    02 03 03 02 01 02 02 02 03 00 0f 00 01 01
read from 0xf4e608 [0xf8c770] (7 bytes => -1 (0xFFFFFFFF))
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1457623360
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write:errno=10054

以下是来自www.howsmyssl.com API来自 node.js 请求

{  
   "given_cipher_suites":[  
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
      "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
      "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
      "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
      "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
      "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
      "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
      "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
      "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
      "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
      "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
      "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
      "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
      "TLS_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_RSA_WITH_AES_256_CBC_SHA256",
      "TLS_RSA_WITH_AES_256_CBC_SHA",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
      "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
      "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
      "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
      "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
      "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
      "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
      "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
      "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
      "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
      "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
      "TLS_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_RSA_WITH_AES_128_CBC_SHA",
      "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
      "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
      "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
   ],
   "ephemeral_keys_supported":true,
   "session_ticket_supported":true,
   "tls_compression_supported":false,
   "unknown_cipher_suite_supported":false,
   "beast_vuln":false,
   "able_to_detect_n_minus_one_splitting":false,
   "insecure_cipher_suites":{  

   },
   "tls_version":"TLS 1.2",
   "rating":"Probably Okay"
}

我已经花了无数个小时试图解决这个问题,但什么都没用。我无法在这台电脑上使用节点,在现代社会,这很痛苦,所以我把它发布在这里作为最后的希望,以避免重新安装操作系统和所有软件。

答案1

您可以以管理员身份在命令提示符中运行以下命令来重置 TCP/IP 堆栈:

  • 将 WINSOCK 条目重置为安装默认值:netsh winsock reset catalog
  • 将 IPv4 TCP/IP 堆栈重置为安装默认值。netsh int ipv4 reset reset.log
  • 将 IPv6 TCP/IP 堆栈重置为安装默认值。netsh int ipv6 reset reset.log
  • 重置 winsock 目录:netsh winsock reset catalog
  • 要不就 :netsh int ip reset reset.log
  • netsh winsock reset catalog

上述命令可能有一些重复,但这些都是我所知道的所有重置命令。

如果一切都失败了,禁用 IPv6乃至证监会/扫描验证 Windows 组件。

相关内容