Receiving the wrong TLS certificate from a website


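This is a strange problem that (so far) only shows up with the plex.tv website. I am seeing the same problem on various devices on my network. Ultimately, simply trying to visit https://plex.tv in my browser results in a security error related to the TLS certificate. After digging further, it appears that the server is presenting an incorrect TLS certificate for the site (with inconsistent results):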

$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:ab:09:ea:f2:c6:3c:f2:d4:4f:60:63:b9:36:5b:40
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
        Validity
            Not Before: Oct 26 00:00:00 2021 GMT
            Not After : Nov 24 23:59:59 2022 GMT
        Subject: CN = *.prod-route-1bun4qeekg9pa-235394468.eu-west-1.convox.site
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d0:3e:04:76:d6:d5:53:73:f9:01:21:c0:b5:6f:
                    3c:07:82:43:c5:c5:43:ba:34:55:47:bc:0e:8b:b5:
                    ac:f8:70:23:c4:b1:5c:a9:54:ac:9e:f7:e7:a3:7a:
                    ff:bd:b7:d4:23:33:0b:5c:18:dc:71:2d:ff:e7:9d:
                    74:5e:28:03:e5:e6:55:de:07:79:9b:d3:80:43:95:
                    8a:9d:5e:97:33:61:b7:ce:4e:9f:ca:7c:c1:14:b5:
                    d1:97:aa:1a:96:45:a4:99:7f:8b:92:d0:34:68:a2:
                    56:d8:d7:c0:e1:4a:bf:4f:73:42:43:b0:31:66:53:
                    73:fb:b5:12:a6:a9:da:29:67:bc:b8:a1:0f:f0:ff:
                    1e:fc:92:ac:b4:fa:07:18:f5:a3:b4:19:b2:f4:53:
                    42:b6:aa:eb:a1:3b:4a:fa:e3:4a:86:84:fc:4a:b3:
                    a6:c8:fe:64:fa:9f:68:d5:ba:f4:17:63:54:44:7c:
                    03:57:3b:44:12:c8:ab:b8:e9:ab:28:09:ee:f1:9d:
                    fa:e2:dd:bd:e3:3c:d6:81:74:1f:6c:90:e0:8e:19:
                    b3:3c:ba:84:4d:76:6f:9b:a4:68:f9:2b:45:04:4b:
                    ba:d4:a4:10:e0:c5:f5:8d:c7:22:6a:31:9b:55:57:
                    b8:cf:4e:99:61:37:9a:76:7a:1f:db:eb:fc:dc:7f:
                    90:9d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:59:A4:66:06:52:A0:7B:95:92:3C:A3:94:07:27:96:74:5B:F9:3D:D0

            X509v3 Subject Key Identifier:
                13:8A:D5:41:DB:F8:09:44:45:58:09:2C:8A:60:AB:63:3A:5C:5E:41
            X509v3 Subject Alternative Name:
                DNS:*.prod-route-1bun4qeekg9pa-235394468.eu-west-1.convox.site
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.sca1b.amazontrust.com/sca1b-1.crl

            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1

            Authority Information Access:
                OCSP - URI:http://ocsp.sca1b.amazontrust.com
                CA Issuers - URI:http://crt.sca1b.amazontrust.com/sca1b.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:
                                BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84
                    Timestamp : Oct 26 09:27:20.701 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:C0:80:22:90:66:67:44:5D:F2:02:CC:
                                4F:B7:65:7A:B3:85:19:26:3D:1F:75:A1:1D:11:17:0D:
                                BC:E0:54:5E:EC:02:20:38:E9:B5:AB:13:75:98:CB:EF:
                                77:EB:65:24:DE:16:8F:3E:CF:3A:1A:53:ED:BB:4F:80:
                                7D:55:6D:16:55:5F:9D
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 51:A3:B0:F5:FD:01:79:9C:56:6D:B8:37:78:8F:0C:A4:
                                7A:CC:1B:27:CB:F7:9E:88:42:9A:0D:FE:D4:8B:05:E5
                    Timestamp : Oct 26 09:27:20.775 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:61:14:E9:12:D0:15:D7:BC:9D:A7:B5:DC:
                                23:DC:49:F1:11:C9:6C:9E:3D:D7:3E:2D:5B:13:57:3B:
                                10:EB:8A:77:02:20:32:E2:8F:B4:98:77:99:D8:6E:3B:
                                2B:84:E3:27:D8:9E:FF:E2:5C:95:B9:9F:2E:47:6F:93:
                                BD:12:20:CC:F7:CD
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A:09:42:87:5E:
                                4E:31:8B:1B:03:EB:EB:4B:C7:68:F0:90:62:96:06:F6
                    Timestamp : Oct 26 09:27:20.711 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:7A:28:AA:62:3E:A6:45:B3:43:98:AE:F7:
                                41:68:5C:BF:CD:90:E8:EB:00:B8:51:C0:69:08:F8:81:
                                AE:98:12:40:02:21:00:A5:EC:A7:4F:15:F2:4E:E2:8D:
                                95:19:70:EA:62:F6:4F:88:97:07:38:87:97:4B:53:25:
                                E0:CB:28:29:C0:19:B3
    Signature Algorithm: sha256WithRSAEncryption
         16:3f:02:df:0d:04:d4:fd:a4:d7:1b:71:ba:55:ec:3f:8f:2c:
         37:89:bb:83:1a:67:93:9b:cc:3a:e5:d2:8a:0a:02:ac:ee:f7:
         ed:05:64:11:0f:c5:6f:99:96:85:60:cc:b2:c2:4c:d4:47:db:
         8b:8a:25:9b:8d:30:ad:1c:e1:0d:e9:d4:c7:38:b3:a3:6c:a4:
         b9:25:20:55:fe:12:5d:5c:95:79:b2:55:f9:74:49:7c:83:20:
         b1:1e:e2:0e:2c:33:7d:87:ab:fb:ab:98:44:bd:2b:8c:13:8c:
         c7:f1:dc:1d:b3:1b:20:61:72:2d:b7:49:66:ea:be:7f:3a:7b:
         52:d5:ba:c6:77:0a:c6:6d:f6:07:dc:fa:78:18:ce:08:22:6a:
         95:1a:37:d2:b0:68:d8:f6:0f:0b:74:53:6f:fb:57:61:a2:9f:
         de:d3:26:8f:08:f4:d9:bc:6a:27:d8:fc:78:23:04:4a:b8:7c:
         c9:e9:ff:06:8d:88:2f:42:d7:d4:19:62:bd:ff:d1:7b:ea:26:
         de:be:d6:c0:bd:cc:dc:b8:2f:8e:b9:58:27:b2:e6:bb:60:08:
         90:a9:c3:37:98:55:b0:6f:9e:55:a0:57:81:f4:39:71:34:5b:
         b1:85:30:a7:0f:23:6b:59:b8:86:4e:05:5e:40:04:36:4b:1e:
         d9:4f:8b:11

Running the same command again, I get a slightly different result:

$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            07:3c:cd:0c:d9:b4:37:2a:6a:b0:3d:c2:a6:5e:84:9b:27:70:2c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = "Trustwave Organization Validation SHA256 CA, Level 1", emailAddress = [email protected]
        Validity
            Not Before: Feb 22 12:08:05 2021 GMT
            Not After : Mar 24 12:07:05 2022 GMT
        Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d8:3a:5c:1a:07:d2:43:07:e6:4c:60:04:f7:88:
                    09:4e:1c:80:85:65:b3:52:f8:1a:e1:db:a9:f8:91:
                    e9:c4:da:d4:11:f7:e0:af:b3:02:ea:e5:b5:7b:48:
                    3b:c8:f6:21:4f:f4:f2:1c:c6:df:c7:e7:81:fb:b3:
                    6b:3f:ee:a9:78:a7:1b:15:f6:e2:be:08:92:97:f1:
                    97:39:49:4a:2c:78:60:c7:c2:c2:5d:77:8a:33:30:
                    6d:c1:1c:05:d7:7e:1b:52:e4:75:61:39:c4:a8:5d:
                    96:ab:ef:1d:56:d1:ff:35:f4:43:e2:81:ac:ce:ac:
                    7c:79:3d:2c:23:fd:cb:24:83:d3:f1:36:46:69:f9:
                    0e:ff:67:e0:b3:b3:38:ab:39:c3:43:36:2c:c0:22:
                    0b:fe:bb:1e:a7:e6:ae:d0:39:8b:e1:9d:98:d8:6f:
                    d3:3d:04:5b:45:e8:b2:a1:e6:15:7b:ef:4b:f5:0d:
                    c5:89:54:92:05:8a:24:14:52:cc:d5:66:3b:9d:8c:
                    d5:9f:7c:10:15:a8:8c:eb:57:e6:7b:c5:19:58:f2:
                    48:01:ee:36:d5:8d:9f:14:3c:26:ba:73:5c:09:68:
                    67:be:c2:c0:99:af:23:96:4f:18:2e:bc:b5:be:c1:
                    b3:23:b2:cb:5e:ec:0c:a9:0c:fe:7c:d0:bd:bb:d4:
                    84:e7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                54:23:E1:8A:6D:76:AA:55:60:A4:00:DC:2B:CC:C4:7E:DE:3A:91:8B
            X509v3 Authority Key Identifier:
                keyid:CA:CE:1D:18:03:77:1E:1C:F3:7C:58:B2:9A:70:A8:08:80:16:F4:AE

            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                  CPS: https://certs.securetrust.com/CA

            X509v3 Subject Alternative Name:
                DNS:*.bankersalmanac.com, DNS:bankersalmanac.com
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.securetrust.com/OVCA2_L1.crl

            Authority Information Access:
                OCSP - URI:http://ocsp.securetrust.com/
                CA Issuers - URI:http://certs.securetrust.com/issuers/OVCA2_L1.crt

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
                                15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
                    Timestamp : Feb 22 18:08:05.907 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:D1:76:7D:FF:E8:3F:BF:B5:02:BF:34:
                                A1:95:F9:64:FD:4D:F4:E9:66:6A:41:CD:C8:DB:1C:87:
                                44:37:12:D2:0E:02:21:00:FA:DA:55:1E:85:9C:5F:CF:
                                60:4A:38:B7:E1:88:A3:A1:5A:A8:BF:3E:B5:CD:CF:2B:
                                C5:5C:E2:84:B5:AD:B6:7C
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:
                                BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84
                    Timestamp : Feb 22 18:08:05.462 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:78:A7:23:96:7F:4A:5C:F2:3D:03:71:95:
                                89:88:4C:D8:02:65:6C:D7:0F:F3:30:E4:66:58:FA:73:
                                84:EA:E0:C6:02:20:4C:C4:A6:04:5F:B3:76:55:D4:A7:
                                C2:25:E1:EF:C7:0F:67:25:2D:08:A4:4C:55:91:C9:C8:
                                A1:B8:5F:91:E8:1C
    Signature Algorithm: sha256WithRSAEncryption
         9a:d0:31:15:2e:c8:d0:b4:63:22:8d:c1:b0:11:44:a3:13:8d:
         35:83:1a:5d:52:77:64:29:30:ae:03:fb:80:3a:de:9f:56:4b:
         18:a3:99:0a:ad:a4:a6:3e:bb:cf:69:bd:94:3d:35:42:18:6e:
         87:10:17:35:5f:a7:32:a8:95:50:d5:68:df:a8:82:52:db:71:
         ce:a5:b8:46:b4:bc:db:a6:c0:de:d1:41:25:bc:a5:cf:d8:80:
         d2:de:e0:36:ca:c1:ed:e8:4e:9b:26:2b:40:29:7b:be:4a:2e:
         52:9b:fe:19:a7:b3:41:01:f9:74:14:3b:2b:cb:2a:2d:9c:af:
         bb:8e:8c:43:0b:48:55:04:8b:37:a4:1b:27:3a:2b:92:e8:d0:
         42:6d:fb:0a:68:be:fe:8c:71:0e:a2:05:6d:b7:49:7e:75:b6:
         d7:dd:42:35:48:e6:00:30:40:7c:66:6b:6b:94:e8:4a:c5:28:
         30:28:10:d2:c4:71:61:e8:59:22:d7:b9:53:ab:57:29:4c:22:
         35:6e:9b:e1:e8:d7:b3:36:48:8c:94:24:ac:f3:e4:13:75:11:
         be:c1:ca:93:0c:18:da:ac:9d:a2:21:1b:6a:ee:dd:de:ed:55:
         95:fc:34:9b:94:b3:d8:4c:f1:05:dc:b1:37:1c:21:a9:7b:83:
         a7:99:d7:36

More concisely, this should better highlight the problem I am seeing:

$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
        Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
        Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
        Subject: CN = *.prod-route-1bun4qeekg9pa-235394468.eu-west-1.convox.site
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
        Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
        Subject: CN = *.prod-route-1bun4qeekg9pa-235394468.eu-west-1.convox.site
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
        Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB

Why am I being served TLS certificates for bankersalmanac.com and convox.site when accessing the plex.tv domain? Furthermore, if I use the www subdomain, I get the correct result:

$ openssl s_client -servername www.plex.tv -connect www.plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
        Subject: C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = plex.tv

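There seems to be something strange going on between my local ISP (Comcast) and the plex.tv servers (Cloudflare? AWS?). Does anyone know what is happening here? I would contact the Plex team directly about this, but I obviously cannot access their support forum to post the question.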

Answer 1

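So in the end I powered off my router and cable modem, and the problem seems to have been resolved. I don't know what happened or what caused it, but I can only put this down to Comcast weirdness...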
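The comparison the question makes by eye, as an added example that is not part of the original thread: it tallies which address served which certificate and whether that certificate's SAN list covers the requested name. It goes beyond the post by connecting to each resolved address separately in `probe` (assumes OpenSSL 1.1.1+ and glibc `getent`); the IP addresses and the plex.tv SAN line in `SAMPLE` are constructed.

```shell
name_matches() (                 # name_matches HOST PATTERN
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pat" in                 # a leading "*." covers exactly one left-most label
    \*.*) rest=${host#*.}        # host without its first label
          [ "$rest" != "$host" ] && [ ".$rest" = "${pat#?}" ] ;;
    *)    [ "$host" = "$pat" ] ;;
  esac
)

cert_covers() (                  # cert_covers HOST "DNS:a, DNS:b"
  set -f; IFS=','                # split on commas, never glob the "*"
  for entry in $2; do
    entry=$(printf '%s' "$entry" | tr -d ' ')
    case "$entry" in DNS:*) name_matches "$1" "${entry#DNS:}" && exit 0 ;; esac
  done
  exit 1
)

# summarize HOST: read "ip|SAN list" lines, print a count per verdict/ip/SAN list.
# An empty SAN list (failed handshake) is reported as MISMATCH too.
summarize() (
  while IFS='|' read -r ip sans; do
    [ -n "$ip" ] || continue
    if cert_covers "$1" "$sans"; then v=OK; else v=MISMATCH; fi
    printf '%s %s %s\n' "$v" "$ip" "$sans"
  done | sort | uniq -c | sort -rn
)

# probe HOST [N]: live capture, N handshakes per resolved IPv4 address (assumptions above).
probe() {
  for ip in $(getent ahostsv4 "$1" | awk '{print $1}' | sort -u); do
    i=0
    while [ "$i" -lt "${2:-6}" ]; do
      i=$((i + 1))
      sans=$(openssl s_client -servername "$1" -connect "$ip:443" </dev/null 2>/dev/null |
             openssl x509 -noout -ext subjectAltName 2>/dev/null | sed -n '2s/^ *//p')
      printf '%s|%s\n' "$ip" "$sans"
    done
  done
}

# Constructed sample: wrong-certificate SANs are from the post, IPs and last line are made up.
SAMPLE='192.0.2.10|DNS:*.bankersalmanac.com, DNS:bankersalmanac.com
192.0.2.10|DNS:*.bankersalmanac.com, DNS:bankersalmanac.com
192.0.2.20|DNS:*.prod-route-1bun4qeekg9pa-235394468.eu-west-1.convox.site
198.51.100.7|DNS:plex.tv, DNS:*.plex.tv'
if [ -n "${PROBE_HOST:-}" ]; then probe "$PROBE_HOST" | summarize "$PROBE_HOST"
else printf '%s\n' "$SAMPLE" | summarize plex.tv; fi
```

Set `PROBE_HOST=plex.tv` in the environment to capture live results instead of the sample.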
