I have a server that devices at remote locations on a private network connect to over the Internet using SSL. An SSL certificate for the server's domain name is installed. I have many devices that connect to the server through a proxy server; they cannot connect using the domain name and instead use the server's IP address. Some devices connect and communicate successfully. I have a new device that gets a certificate error when it tries to connect and cannot communicate. The Wireshark log from the problem device is as follows:
No. Time Source Destination Protocol Length Info
75 124.992557 cc.e.135.194 aaa.bb.165.30 HTTP 93 CONNECT xxx.yy.177.237:443 HTTP/1.1
76 124.992762 aaa.bb.165.30 cc.e.135.194 TCP 60 http-alt > screencast [ACK] Seq=1 Ack=40 Win=5840 Len=0
77 125.019946 aaa.bb.165.30 cc.e.135.194 HTTP 93 HTTP/1.1 200 Connection established
78 125.021486 cc.e.135.194 aaa.bb.165.30 TCP 60 screencast > http-alt [ACK] Seq=40 Ack=40 Win=3600 Len=0
79 125.023154 cc.e.135.194 aaa.bb.165.30 TLSv1 112 Client Hello
80 125.063292 aaa.bb.165.30 cc.e.135.194 TCP 60 http-alt > screencast [ACK] Seq=40 Ack=98 Win=5840 Len=0
81 125.802441 aaa.bb.165.30 cc.e.135.194 TLSv1 590 Server Hello
82 125.802545 aaa.bb.165.30 cc.e.135.194 TCP 590 [TCP segment of a reassembled PDU]
83 125.803882 cc.e.135.194 aaa.bb.165.30 TCP 60 screencast > http-alt [ACK] Seq=98 Ack=576 Win=3600 Len=0
84 125.806427 cc.e.135.194 aaa.bb.165.30 TCP 60 screencast > http-alt [ACK] Seq=98 Ack=1112 Win=3600 Len=0
85 125.835481 aaa.bb.165.30 cc.e.135.194 TCP 590 [TCP segment of a reassembled PDU]
86 125.835606 aaa.bb.165.30 cc.e.135.194 TCP 590 [TCP segment of a reassembled PDU]
87 125.835607 aaa.bb.165.30 cc.e.135.194 TLSv1 98 Certificate
88 125.837384 cc.e.135.194 aaa.bb.165.30 TCP 60 screencast > http-alt [ACK] Seq=98 Ack=1648 Win=3600 Len=0
89 125.839309 cc.e.135.194 aaa.bb.165.30 TCP 60 screencast > http-alt [ACK] Seq=98 Ack=2184 Win=3600 Len=0
90 125.996227 cc.e.135.210 cc.e.135.223 UDP 93 Source port: di-traceware Destination port: di-traceware
91 126.041261 aaa.bb.165.30 cc.e.135.194 TCP 98 [TCP Retransmission] http-alt > screencast [PSH, ACK] Seq=2184 Ack=98 Win=5840 Len=44[Reassembly error, protocol TCP: New fragment overlaps old data (retransmission?)]
92 126.126265 cc.e.135.194 aaa.bb.165.30 TCP 60 screencast > http-alt [ACK] Seq=98 Ack=2228 Win=3600 Len=0
93 126.127579 cc.e.135.194 aaa.bb.165.30 TLSv1 61 Alert (Level: Fatal, Description: Bad Certificate)
94 126.127769 aaa.bb.165.30 cc.e.135.194 TCP 60 http-alt > screencast [ACK] Seq=2228 Ack=105 Win=5840 Len=0
95 126.128131 cc.e.135.194 aaa.bb.165.30 TCP 60 screencast > http-alt [FIN, ACK] Seq=105 Ack=2228 Win=3600 Len=0
96 126.128973 cc.e.135.194 aaa.bb.165.30 TCP 60 [TCP Dup ACK 95#1] screencast > http-alt [ACK] Seq=106 Ack=2228 Win=3600 Len=0
The Wireshark log from a device that connects fine is as follows:
No. Time Source Destination Protocol Length Info
41 18.643335000 192.168.1.77 192.168.1.66 HTTP 93 CONNECT xxx.yy.177.237:443 HTTP/1.1
42 18.686919000 xxx.yy.177.237 192.168.1.66 TCP 66 https > 57090 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
43 18.690931000 192.168.1.77 192.168.1.66 TCP 60 iee-qfx > 808 [ACK] Seq=40 Ack=62 Win=3600 Len=0
44 18.692715000 192.168.1.77 192.168.1.66 HTTP 112 Continuation or non-HTTP traffic
45 18.730597000 xxx.yy.177.237 192.168.1.66 TCP 1514 [TCP segment of a reassembled PDU]
46 18.731017000 xxx.yy.177.237 192.168.1.66 TCP 1514 [TCP segment of a reassembled PDU]
47 18.853088000 192.168.1.77 192.168.1.66 TCP 60 iee-qfx > 808 [ACK] Seq=98 Ack=598 Win=3600 Len=0
48 18.855235000 192.168.1.77 192.168.1.66 TCP 60 iee-qfx > 808 [ACK] Seq=98 Ack=1134 Win=3600 Len=0
49 18.857397000 192.168.1.77 192.168.1.66 TCP 60 iee-qfx > 808 [ACK] Seq=98 Ack=1670 Win=3600 Len=0
50 18.858940000 192.168.1.77 192.168.1.66 TCP 60 iee-qfx > 808 [ACK] Seq=98 Ack=2206 Win=3600 Len=0
51 18.860676000 192.168.1.77 192.168.1.66 TCP 60 iee-qfx > 808 [ACK] Seq=98 Ack=2742 Win=3600 Len=0
52 18.861709000 192.168.1.77 192.168.1.66 TCP 60 iee-qfx > 808 [ACK] Seq=98 Ack=2982 Win=3600 Len=0
53 18.885573000 xxx.yy.177.237 192.168.1.66 TLSv1 456 Server Hello, Certificate, Server Hello Done
54 19.831490000 192.168.1.77 192.168.1.66 HTTP 380 Continuation or non-HTTP traffic
55 19.832368000 192.168.1.77 192.168.1.66 TCP 60 [TCP Dup ACK 54#1] iee-qfx > 808 [ACK] Seq=424 Ack=3384 Win=3600 Len=0
56 19.833752000 192.168.1.77 192.168.1.66 TCP 60 [TCP Dup ACK 54#2] iee-qfx > 808 [ACK] Seq=424 Ack=3384 Win=3600 Len=0
57 19.883478000 xxx.yy.177.237 192.168.1.66 TLSv1 113 Change Cipher Spec, Encrypted Handshake Message
59 19.910346000 192.168.1.77 192.168.1.66 HTTP 251 Continuation or non-HTTP traffic
60 20.115266000 192.168.1.77 192.168.1.66 TCP 107 [TCP segment of a reassembled PDU]
61 20.136330000 xxx.yy.177.237 192.168.1.66 TCP 54 https > 57090 [ACK] Seq=3382 Ack=582 Win=65024 Len=0
62 20.171317000 xxx.yy.177.237 192.168.1.66 TLSv1 299 Application Data
Can someone provide some insight into what is happening here, why some devices can communicate while others cannot, and what the best practice should be (should I also get a certificate for the IP address?). Intuitively it makes sense to me that since my certificate is for the domain name rather than the IP address there should be a problem, but I have many devices that have been communicating this way for years without any issue.
Answer 1
The Wireshark dump you provided does not help, because it only shows information at the transport layer (TCP) and not at the TLS layer. It also does not show any error messages from the client, nor how the client uses these proxies or how it validates the certificate.
In general, a TLS connection needs to validate the server certificate, which includes verifying the chain of trust and the name in the certificate. If the name does not match the expected name, validation must fail, because otherwise you could use any certificate to impersonate another host and mount a man-in-the-middle attack.
This also means that if access is by IP address only, the certificate must include the IP address in the Subject Alternative Name section as an entry of type IP (and, because of some broken TLS stacks, preferably also as an entry of type DNS).
If some clients fail while others succeed, it may be that some clients validate against the correct host name while others do not, or that some clients ignore validation errors. From your information it is not possible to tell which of these is the case.
"I have many devices that connect to the server through a proxy server; they cannot connect using the domain name and can only use the server's IP address."
A proper client creates a tunnel with the help of the HTTP proxy (CONNECT request), then establishes the TLS connection inside that tunnel and validates the certificate against the original host name. This is how proxied connections work in browsers, and it is what your Wireshark dump shows. Usually a client does not put the target's IP address in the CONNECT request but its host name, so this is probably a client that either resolved the host name beforehand or was given an IP address instead of a host name in its configuration. In the latter case the client cannot validate the certificate properly, because it does not know the host name expected in the certificate and will instead expect an IP address that is not there.
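The client behaviour the answer describes (CONNECT tunnel first, TLS inside it, name check against the original host name) and the strict SAN matching rule it relies on, as an added example that is not part of the original question or answer. The proxy address, server name, server IP and SAN lists are constructed for illustration; `open_tls_via_proxy` needs a real proxy and is only exercised from the `__main__` guard.

```python
"""Added example (not from the original post): a CONNECT-then-TLS client and
the server-name check a strict TLS stack applies to the certificate's SAN.
Host names, addresses and SAN lists are constructed for illustration."""
import ipaddress
import socket
import ssl


def build_connect_request(target: str, port: int) -> bytes:
    """HTTP CONNECT request as seen in packet 75; IPv6 literals are bracketed."""
    host = f"[{target}]" if ":" in target else target
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def parse_connect_response(data: bytes) -> bool:
    """True when the proxy answered '200 Connection established' (packet 77)."""
    status = data.split(b"\r\n", 1)[0].split(b" ")
    return len(status) >= 2 and status[0].startswith(b"HTTP/") and status[1] == b"200"


def san_matches(san_entries, expected: str, ip_as_dns: bool = False) -> bool:
    """Match the name the client expects against subjectAltName entries, in the
    shape ssl.SSLSocket.getpeercert()['subjectAltName'] returns.

    Strict rule (RFC 5280 / RFC 6125): an IP literal matches only an
    'IP Address' entry; a host name matches 'DNS' entries case-insensitively,
    with one wildcard allowed as the whole left-most label.  ip_as_dns=True
    models the lenient stacks the answer mentions, which also compare an IP
    literal against DNS entries as a plain string.
    """
    try:
        want_ip = ipaddress.ip_address(expected.strip("[]"))
    except ValueError:
        want_ip = None
    if want_ip is not None:
        for kind, value in san_entries:
            if kind == "IP Address" and ipaddress.ip_address(value) == want_ip:
                return True
            if ip_as_dns and kind == "DNS" and value == expected:
                return True
        return False
    want = expected.lower().rstrip(".").split(".")
    for kind, value in san_entries:
        if kind != "DNS":
            continue
        have = value.lower().rstrip(".").split(".")
        if len(have) != len(want):
            continue
        if have[0] == "*":
            # wildcard must leave at least two fixed labels (no '*.com')
            if len(have) >= 3 and have[1:] == want[1:]:
                return True
        elif have == want:
            return True
    return False


def open_tls_via_proxy(proxy, target, server_hostname, port=443, cafile=None):
    """Tunnel through an HTTP proxy, then start TLS inside the tunnel.

    `target` goes into CONNECT (an IP address, as the devices do);
    `server_hostname` is what the certificate is verified against and what
    SNI carries.  Passing the IP literal as server_hostname reproduces the
    failing device: a DNS-only certificate is rejected with
    ssl.SSLCertVerificationError and the client sends the fatal
    'bad certificate' alert seen in packet 93.
    """
    sock = socket.create_connection(proxy, timeout=10)
    sock.sendall(build_connect_request(target, port))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
    if not parse_connect_response(buf):
        raise ConnectionError(buf.split(b"\r\n", 1)[0].decode(errors="replace"))
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and name
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


if __name__ == "__main__":
    PROXY = ("proxy.internal.example", 8080)                  # assumed proxy
    SERVER_IP, SERVER_NAME = "203.0.113.7", "server.example.com"  # assumed
    with open_tls_via_proxy(PROXY, SERVER_IP, SERVER_NAME) as tls:
        san = tls.getpeercert().get("subjectAltName", ())
        print("cert covers host name:", san_matches(san, SERVER_NAME))
        print("cert covers IP literal:", san_matches(san, SERVER_IP))
```

The same two outcomes can be reproduced from a shell with OpenSSL 1.1.0 or later, which can speak CONNECT itself: `openssl s_client -proxy proxy:8080 -connect 203.0.113.7:443 -verify_hostname server.example.com` succeeds against the domain certificate, while `-verify_ip 203.0.113.7` in place of `-verify_hostname` fails until an IP-type SAN is added.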