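I have run into a problem. On one device the client fails to send [ChangeCipherSpec] during the TLS handshake; currently every HTTPS site fails on it, but HTTP works.
I checked it in Wireshark, which shows the following: there is no [ChangeCipherSpec] and the connection fails, while the other 2 devices show [ChangeCipherSpec] and succeed.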
1587 8.836364 192.168.250.5 157.240.7.35 TCP 66 64134 → 443 [SYN, ECE, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
1589 8.836480 157.240.7.35 192.168.250.5 TCP 66 443 → 64134 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=128
1590 8.836514 192.168.250.5 157.240.7.35 TCP 54 64134 → 443 [ACK] Seq=1 Ack=1 Win=65536 Len=0
1592 8.838231 192.168.250.5 157.240.7.35 TLSv1.3 571 Client Hello
1593 8.838397 157.240.7.35 192.168.250.5 TCP 60 443 → 64134 [ACK] Seq=1 Ack=518 Win=30336 Len=0
1609 8.946316 157.240.7.35 192.168.250.5 TLSv1.3 1514 Server Hello, Change Cipher Spec, Application Data
1610 8.946357 157.240.7.35 192.168.250.5 TLSv1.3 1514 Application Data
1611 8.946357 157.240.7.35 192.168.250.5 TLSv1.3 566 Application Data
1612 8.946381 192.168.250.5 157.240.7.35 TCP 54 64134 → 443 [ACK] Seq=518 Ack=3433 Win=65536 Len=0
2228 18.947282 192.168.250.5 157.240.7.35 TCP 55 [TCP Keep-Alive] 64134 → 443 [ACK] Seq=517 Ack=3433 Win=65536 Len=1
2229 18.947350 157.240.7.35 192.168.250.5 TCP 66 [TCP Keep-Alive ACK] 443 → 64134 [ACK] Seq=3433 Ack=518 Win=30336 Len=0 SLE=517 SRE=518
2421 28.956723 192.168.250.5 157.240.7.35 TCP 55 [TCP Keep-Alive] 64134 → 443 [ACK] Seq=517 Ack=3433 Win=65536 Len=1
2422 28.956791 157.240.7.35 192.168.250.5 TCP 66 [TCP Keep-Alive ACK] 443 → 64134 [ACK] Seq=3433 Ack=518 Win=30336 Len=0 SLE=517 SRE=518
7627 38.966424 192.168.250.5 157.240.7.35 TCP 55 [TCP Keep-Alive] 64134 → 443 [ACK] Seq=517 Ack=3433 Win=65536 Len=1
7628 38.966471 157.240.7.35 192.168.250.5 TCP 66 [TCP Keep-Alive ACK] 443 → 64134 [ACK] Seq=3433 Ack=518 Win=30336 Len=0 SLE=517 SRE=518
10615 48.974212 192.168.250.5 157.240.7.35 TCP 55 [TCP Keep-Alive] 64134 → 443 [ACK] Seq=517 Ack=3433 Win=65536 Len=1
10616 48.974281 157.240.7.35 192.168.250.5 TCP 66 [TCP Keep-Alive ACK] 443 → 64134 [ACK] Seq=3433 Ack=518 Win=30336 Len=0 SLE=517 SRE=518
12473 58.982406 192.168.250.5 157.240.7.35 TCP 55 [TCP Keep-Alive] 64134 → 443 [ACK] Seq=517 Ack=3433 Win=65536 Len=1
12474 58.982474 157.240.7.35 192.168.250.5 TCP 66 [TCP Keep-Alive ACK] 443 → 64134 [ACK] Seq=3433 Ack=518 Win=30336 Len=0 SLE=517 SRE=518
16847 68.951086 157.240.7.35 192.168.250.5 TLSv1.3 78 Application Data
16848 68.951226 157.240.7.35 192.168.250.5 TCP 60 443 → 64134 [FIN, ACK] Seq=3457 Ack=518 Win=30336 Len=0
16849 68.951251 192.168.250.5 157.240.7.35 TCP 54 64134 → 443 [ACK] Seq=518 Ack=3457 Win=65536 Len=0
16850 68.951315 192.168.250.5 157.240.7.35 TCP 54 64134 → 443 [ACK] Seq=518 Ack=3458 Win=65536 Len=0
16851 68.951537 192.168.250.5 157.240.7.35 TCP 54 64134 → 443 [RST, ACK] Seq=518 Ack=3458 Win=0 Len=0
Chrome error: This site can't be reached, Yahoo unexpectedly closed the connection. Firefox error: Secure Connection Failed, error code: PR_END_OF_FILE_ERROR
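What I have tried: other browsers (IE, Opera) also fail. Reinstalled Chrome/Firefox. Reset Firefox settings. dism restorehealth, sfc scannow. Rebooted the device. Windows Update. Changed the local IP. Changed the time to a different value and then changed it back. Turned off Windows Firewall.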
Device 2: it is in the same firewall zone and runs the same operating system as device 1. Here the website loads successfully.
1233 13.395296 192.168.250.6 157.240.7.35 TCP 66 31442 → 443 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
1234 13.395446 157.240.7.35 192.168.250.6 TCP 66 443 → 31442 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
1235 13.395495 192.168.250.6 157.240.7.35 TCP 54 31442 → 443 [ACK] Seq=1 Ack=1 Win=525568 Len=0
1236 13.396814 192.168.250.6 157.240.7.35 TLSv1.3 571 Client Hello
1237 13.396916 157.240.7.35 192.168.250.6 TCP 60 443 → 31442 [ACK] Seq=1 Ack=518 Win=30336 Len=0
1240 13.481057 157.240.7.35 192.168.250.6 TLSv1.3 1446 Server Hello, Change Cipher Spec, Application Data
1241 13.489076 157.240.7.35 192.168.250.6 TLSv1.3 1514 Application Data [TCP segment of a reassembled PDU]
1242 13.489076 157.240.7.35 192.168.250.6 TLSv1.3 632 Application Data
1243 13.489138 192.168.250.6 157.240.7.35 TCP 54 31442 → 443 [ACK] Seq=518 Ack=3431 Win=525568 Len=0
1246 13.508110 192.168.250.6 157.240.7.35 TLSv1.3 118 Change Cipher Spec, Application Data
1247 13.508184 157.240.7.35 192.168.250.6 TCP 60 443 → 31442 [ACK] Seq=3431 Ack=582 Win=30336 Len=0
1269 13.824157 157.240.7.35 192.168.250.6 TLSv1.3 1514 Application Data [TCP segment of a reassembled PDU]
1270 13.824157 157.240.7.35 192.168.250.6 TLSv1.3 131 Application Data
1271 13.824204 192.168.250.6 157.240.7.35 TCP 54 31442 → 443 [ACK] Seq=1109 Ack=6649 Win=525568 Len=0
Device 3: this one also loaded the page successfully.
6034 39.799054 192.168.123.126 157.240.235.35 TCP 66 10033 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
6050 39.817120 157.240.235.35 192.168.123.126 TCP 66 443 → 10033 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1392 SACK_PERM WS=256
6051 39.817195 192.168.123.126 157.240.235.35 TCP 54 10033 → 443 [ACK] Seq=1 Ack=1 Win=132096 Len=0
6052 39.819030 192.168.123.126 157.240.235.35 TLSv1.3 571 Client Hello
6061 39.837593 157.240.235.35 192.168.123.126 TCP 60 443 → 10033 [ACK] Seq=1 Ack=518 Win=66816 Len=0
6063 39.837919 157.240.235.35 192.168.123.126 TLSv1.3 1446 Server Hello, Change Cipher Spec, Application Data
6065 39.838300 157.240.235.35 192.168.123.126 TLSv1.3 1446 Application Data
6066 39.838300 157.240.235.35 192.168.123.126 TLSv1.3 703 Application Data
6067 39.838357 192.168.123.126 157.240.235.35 TCP 54 10033 → 443 [ACK] Seq=518 Ack=3434 Win=132096 Len=0
6098 39.895065 192.168.123.126 157.240.235.35 TLSv1.3 118 Change Cipher Spec, Application Data
6101 39.895785 192.168.123.126 157.240.235.35 TLSv1.3 224 Application Data
6102 39.895828 192.168.123.126 157.240.235.35 TLSv1.3 1346 Application Data
6111 39.913437 157.240.235.35 192.168.123.126 TCP 60 443 → 10033 [ACK] Seq=3434 Ack=752 Win=67840 Len=0
I did try checking with other tools (Procmon64, procexp64, etc.), but it did not help.
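One way to compare captures like the three above mechanically, as an added example that is not part of the original post: this Python script reads Wireshark summary lines and reports, per client, whether any TLS record followed the server's first flight. In TLS 1.3 the client's Change Cipher Spec is only a compatibility record, so the check looks for any client TLS record rather than that name; `classify_flows` and the verdict strings are names made up for this example.

```python
import re

# Wireshark summary-line export: No. Time Source Destination Protocol Length Info
LINE = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+(.*)$")

# Sample input: a few summary lines copied from the device 1 and device 2 captures above.
SAMPLE = """\
1592 8.838231 192.168.250.5 157.240.7.35 TLSv1.3 571 Client Hello
1609 8.946316 157.240.7.35 192.168.250.5 TLSv1.3 1514 Server Hello, Change Cipher Spec, Application Data
1612 8.946381 192.168.250.5 157.240.7.35 TCP 54 64134 → 443 [ACK] Seq=518 Ack=3433 Win=65536 Len=0
2228 18.947282 192.168.250.5 157.240.7.35 TCP 55 [TCP Keep-Alive] 64134 → 443 [ACK] Seq=517 Ack=3433 Win=65536 Len=1
16847 68.951086 157.240.7.35 192.168.250.5 TLSv1.3 78 Application Data
1236 13.396814 192.168.250.6 157.240.7.35 TLSv1.3 571 Client Hello
1240 13.481057 157.240.7.35 192.168.250.6 TLSv1.3 1446 Server Hello, Change Cipher Spec, Application Data
1246 13.508110 192.168.250.6 157.240.7.35 TLSv1.3 118 Change Cipher Spec, Application Data
"""

def classify_flows(text):
    """Map each client IP to 'continued', 'stalled' or 'no server hello'."""
    flows = {}  # (client_ip, server_ip) -> handshake progress flags
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or not m.group(3).startswith(("TLS", "SSL")):
            continue  # plain TCP ACKs and keep-alives carry no TLS record
        src, dst, _, info = m.groups()
        if "Client Hello" in info:
            flows[(src, dst)] = {"server_flight": False, "client_reply": False}
        elif (dst, src) in flows:  # record travelling server -> client
            if "Server Hello" in info:
                flows[(dst, src)]["server_flight"] = True
        elif (src, dst) in flows and flows[(src, dst)]["server_flight"]:
            flows[(src, dst)]["client_reply"] = True  # client answered the server flight
    verdicts = {}
    for (client, _), f in flows.items():
        if not f["server_flight"]:
            verdicts[client] = "no server hello"
        elif f["client_reply"]:
            verdicts[client] = "continued"
        else:
            verdicts[client] = "stalled"  # server flight acknowledged at TCP level only
    return verdicts

if __name__ == "__main__":
    for client, verdict in classify_flows(SAMPLE).items():
        print(client, verdict)
```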