I have a server running several websites, each of which uses SSL.
One of the sites is now refusing to connect over SSL. It worked before, and I'm looking for help to figure out what has changed.
The situation is:
http://site1.com/ - works
https://site1.com/ - works
http://site2.com/ - works
https://site2.com/ - does not work (but it used to)
Both sites are on the same server (Win Server 2003 SP2 - IIS6)
Both sites use certificates from the same issuing authority, and both are valid (according to IIS).
As far as I can tell, the certificates are configured identically for both sites in IIS. (Checked by manually/visually inspecting the properties side by side)
Using OpenSSL I can see an "ssl handshake failure" when trying to connect to site2 over https.
What could be causing this?
How can I investigate further?
Without a working SSL connection to this site, users can't log in or register. :(
Disclaimer: I'm not the server administrator and I'm not responsible for this box. Yes, there are wider problems here, but I need to get this working again first.
Edit
Looking at the Wireshark log, I can see a checksum error in the Internet Protocol data when the following Client Hello is sent:
No. Time Source Destination Protocol Info
119 5.734139 10.0.0.16 94.236.90.219 SSL Client Hello
Frame 119: 112 bytes on wire (896 bits), 112 bytes captured (896 bits)
Arrival Time: Jan 6, 2011 13:00:30.550690000 GMT Standard Time
Epoch Time: 1294318830.550690000 seconds
[Time delta from previous captured frame: 0.000460000 seconds]
[Time delta from previous displayed frame: 0.000460000 seconds]
[Time since reference or first frame: 5.734139000 seconds]
Frame Number: 119
Frame Length: 112 bytes (896 bits)
Capture Length: 112 bytes (896 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:tcp:ssl]
[Coloring Rule Name: Checksum Errors]
[Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || mstp.checksum_bad==1]
Ethernet II, Src: Dell_ad:44:31 (b8:ac:6f:ad:44:31), Dst: Draytek_c5:c4:44 (00:50:7f:c5:c4:44)
Destination: Draytek_c5:c4:44 (00:50:7f:c5:c4:44)
Address: Draytek_c5:c4:44 (00:50:7f:c5:c4:44)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Dell_ad:44:31 (b8:ac:6f:ad:44:31)
Address: Dell_ad:44:31 (b8:ac:6f:ad:44:31)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.0.0.16 (10.0.0.16), Dst: 94.236.90.219 (94.236.90.219)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 98
Identification: 0x0a94 (2708)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (6)
Header checksum: 0x0000 [incorrect, should be 0x2c2b]
[Good: False]
[Bad: True]
[Expert Info (Error/Checksum): Bad checksum]
[Message: Bad checksum]
[Severity level: Error]
[Group: Checksum]
Source: 10.0.0.16 (10.0.0.16)
Destination: 94.236.90.219 (94.236.90.219)
Transmission Control Protocol, Src Port: 50108 (50108), Dst Port: https (443), Seq: 1, Ack: 1, Len: 58
Secure Socket Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: SSL 3.0 (0x0300)
Length: 53
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 49
Version: SSL 3.0 (0x0300)
Random
gmt_unix_time: Jan 6, 2011 13:00:33.000000000 GMT Standard Time
random_bytes: 8b4a18cdfc3836100a7251faf181e09e8eea795c9df0b267...
Session ID Length: 0
Cipher Suites Length: 10
Cipher Suites (5 suites)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: Unknown (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
The response is:
No. Time Source Destination Protocol Info
122 5.756401 94.236.90.219 10.0.0.16 TCP https > 50108 [FIN, ACK] Seq=1 Ack=59 Win=65477 Len=0
Frame 122: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Arrival Time: Jan 6, 2011 13:00:30.572952000 GMT Standard Time
Epoch Time: 1294318830.572952000 seconds
[Time delta from previous captured frame: 0.009587000 seconds]
[Time delta from previous displayed frame: 0.022262000 seconds]
[Time since reference or first frame: 5.756401000 seconds]
Frame Number: 122
Frame Length: 60 bytes (480 bits)
Capture Length: 60 bytes (480 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP SYN/FIN]
[Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: Draytek_c5:c4:44 (00:50:7f:c5:c4:44), Dst: Dell_ad:44:31 (b8:ac:6f:ad:44:31)
Destination: Dell_ad:44:31 (b8:ac:6f:ad:44:31)
Address: Dell_ad:44:31 (b8:ac:6f:ad:44:31)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Draytek_c5:c4:44 (00:50:7f:c5:c4:44)
Address: Draytek_c5:c4:44 (00:50:7f:c5:c4:44)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Trailer: 000000000000
Internet Protocol, Src: 94.236.90.219 (94.236.90.219), Dst: 10.0.0.16 (10.0.0.16)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0x13f2 (5106)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 115
Protocol: TCP (6)
Header checksum: 0x3007 [correct]
[Good: True]
[Bad: False]
Source: 94.236.90.219 (94.236.90.219)
Destination: 10.0.0.16 (10.0.0.16)
Transmission Control Protocol, Src Port: https (443), Dst Port: 50108 (50108), Seq: 1, Ack: 59, Len: 0
Edit 2
IIS isn't logging anything because it never gets that far. This is a TCP-level error.
Answer 1
Try comparing the Wireshark results with the data from the good site. I'm not sure whether the checksum error is normal.
A few things to try:
- Put the working certificate from the other site on this site, to rule out anything to do with the certificate itself
- Double-check the bindings to make sure they haven't been changed. Since you are using different certificates, you need a unique IP for the https binding.
- Sometimes unrelated things can confuse matters. For example, if the page redirects to another site, that may not be immediately apparent. Try testing against a test.html page to make sure it isn't related to the site code.
- Try a break test... i.e. temporarily stop the site and make sure the error changes; that will confirm the binding is working as expected.
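An added example (not from the poster or the answerer) that rebuilds the IPv4 header and the Client Hello bytes from the dissection of frame 119 and checks the two things worth settling before chasing the checksum: the recomputed header checksum is exactly the 0x2c2b Wireshark expected, and the client's offered cipher suites are decoded so they can be compared against the working site as Answer 1 suggests. A 0x0000 IPv4 checksum on a frame captured on the sending host is the usual signature of checksum offload rather than corruption, and the server's FIN/ACK with Ack=59 shows the 58-byte Client Hello did arrive; the only assumptions are the gmt_unix_time taken from the capture timestamp and 4 filler bytes where the capture truncates random_bytes.

```python
import struct

# Constructed from the dissection of frame 119 above: the 20-byte IPv4 header with
# the checksum field as captured (0x0000); 5eec5adb is 94.236.90.219.
IPV4_HEADER = bytes.fromhex("45000062 0a944000 80060000 0a000010 5eec5adb")

# Constructed TLS record with the Client Hello from the same frame, field by field
# from the dissection; the capture truncates random_bytes, so 4 bytes are filler.
CLIENT_HELLO = (
    bytes.fromhex("1603000035")          # record: handshake(22), SSL 3.0, length 53
    + bytes.fromhex("01000031")          # handshake: client_hello(1), length 49
    + bytes.fromhex("0300")              # client version SSL 3.0
    + struct.pack(">I", 1294318833)      # gmt_unix_time: Jan 6, 2011 13:00:33 GMT (assumed)
    + bytes.fromhex("8b4a18cdfc3836100a7251faf181e09e8eea795c9df0b267") + b"\0" * 4
    + bytes.fromhex("00")                # session ID length 0
    + bytes.fromhex("000a")              # cipher suites length 10
    + bytes.fromhex("0005000a0013000400ff")
    + bytes.fromhex("0100")              # 1 compression method: null
)

CIPHER_NAMES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
                0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}  # RFC 5746; old Wireshark: Unknown

def ipv4_header_checksum(header: bytes) -> int:
    """Expected IPv4 header checksum: ones-complement sum of 16-bit words, checksum zeroed."""
    hdr = bytearray(header)
    hdr[10:12] = b"\0\0"
    total = sum(struct.unpack(">%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_client_hello(record: bytes) -> dict:
    """Decode a handshake record holding a Client Hello; raises ValueError if malformed."""
    if len(record) < 5 or record[0] != 22:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 1:
        raise ValueError("not a complete Client Hello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    client_ver = struct.unpack(">H", hello[0:2])[0]
    pos = 2 + 32                                   # skip the 32-byte random
    sid_len = hello[pos]; pos += 1 + sid_len
    cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]; pos += 2
    suites = struct.unpack(">%dH" % (cs_len // 2), hello[pos:pos + cs_len]); pos += cs_len
    comps = list(hello[pos + 1:pos + 1 + hello[pos]])
    return {"client_version": client_ver, "session_id_len": sid_len, "compression_methods": comps,
            "cipher_suites": [CIPHER_NAMES.get(s, "Unknown (0x%04x)" % s) for s in suites]}
```

Run the same parser over the Client Hello captured against site1 to see whether the two clients offer the same suites; if they do, the difference lies on the server side, as the answer's binding checks assume.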