Two on-premises Continuity247 (rebranded R1Soft, Ubuntu-based) servers sat on two different LANs, behind a Cyberoam CR50iNG and a Sophos XG 85 respectively. Both worked perfectly.
The servers' networking was reconfigured and both were moved to the same new LAN, behind a Sophos XG 210. Since then both can reach the internet (ping, telnet, etc.), but neither can connect to the cloud-hosted Continuity247 system.
I have confirmed that the Sophos XG 210 is not blocking anything relevant in the firewall and is not performing HTTPS interception.
Sophos support suggested contacting Continuity247 support.
Continuity247 support clarified that the Server Backup Manager does use a certificate for authentication, but that it would not change during the migration, and suggested contacting Sophos support.
Running the command wget https://r1rm_prod.itsupport247.net
reports the following:
--2017-06-22 10:17:11-- https://r1rm_prod.itsupport247.net/
Resolving r1rm_prod.itsupport247.net (r1rm_prod.itsupport247.net)... 173.193.238.197
Connecting to r1rm_prod.itsupport247.net (r1rm_prod.itsupport247.net)|173.193.238.197|:443... connected.
OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Unable to establish SSL connection.
Running the command openssl s_client -connect r1rm_prod.itsupport247.net:443
reports the following:
depth=0 C = US, ST = Texas, O = R1Soft, OU = ContinuumLLC, CN = r1rm.r1soft.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Texas, O = R1Soft, OU = ContinuumLLC, CN = r1rm.r1soft.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = Texas, O = R1Soft, OU = ContinuumLLC, CN = r1rm.r1soft.com
verify error:num=21:unable to verify the first certificate
verify return:1
139940236781216:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1262:SSL alert number 42
139940236781216:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=Texas/O=R1Soft/OU=ContinuumLLC/CN=r1rm.r1soft.com
i:/C=US/ST=Texas/L=Houston/O=R1Soft/OU=ContinuumLLC/CN=R1RMRootCA_GA
---
Server certificate
-----BEGIN CERTIFICATE-----
[redacted due to potential sensitivity]
-----END CERTIFICATE-----
subject=/C=US/ST=Texas/O=R1Soft/OU=ContinuumLLC/CN=r1rm.r1soft.com
issuer=/C=US/ST=Texas/L=Houston/O=R1Soft/OU=ContinuumLLC/CN=R1RMRootCA_GA
---
Acceptable client certificate CA names
/C=US/ST=Texas/L=Houston/O=R1Soft/OU=ContinuumLLC/CN=R1RMRootCA_GA
---
SSL handshake has read 1708 bytes and written 162 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: D4495614F968E3090AAA487E29B8779A155096502CD7158D24D96BEE5951E05C309C6568F6CF1FFC75489BC859BE8CF1
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1498205867
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
Running another command (I did not see which one) reported the following:
Jun 23 09:39:06 localhost /opt/r1soft/r1ctl/bin/r1ctl[20025]: 2017/06/23 09:39:06.475657 vbox.go:143: Failed to get live config, using defaults: Get https://r1rm_prod.itsupport247.net:443/liveConfig/a56cc223-e414-4573-910a-5566a6528656: x509: certificate signed by unknown authority
Can anyone offer further help?
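What the two outputs above actually say can be checked mechanically. The following is an added example (not part of the question, and not R1Soft's or Sophos's code) that parses the quoted openssl s_client output, embedded inline as a constructed sample, and separates the alert the server sent from the verify code produced locally by a client that has neither the R1Soft CA nor a client certificate:

```python
import re

# Constructed sample: the lines of the openssl s_client output quoted in the
# question above that the classifier reads (not captured from a live host).
SAMPLE_OUTPUT = """\
139940236781216:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1262:SSL alert number 42
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=Texas/O=R1Soft/OU=ContinuumLLC/CN=r1rm.r1soft.com
   i:/C=US/ST=Texas/L=Houston/O=R1Soft/OU=ContinuumLLC/CN=R1RMRootCA_GA
---
Acceptable client certificate CA names
/C=US/ST=Texas/L=Houston/O=R1Soft/OU=ContinuumLLC/CN=R1RMRootCA_GA
---
    Verify return code: 21 (unable to verify the first certificate)
"""

# TLS AlertDescription values (RFC 5246, section 7.2.2) that matter here.
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}

def parse_s_client(output):
    """Pull out the server's alert, our local verify code and the client CA list."""
    info = {"client_ca_names": [], "alert": None, "verify_code": None}
    m = re.search(r"SSL alert number (\d+)", output)
    if m:
        info["alert"] = int(m.group(1))
    m = re.search(r"Verify return code: (\d+)", output)
    if m:
        info["verify_code"] = int(m.group(1))
    m = re.search(r"Acceptable client certificate CA names\n(.*?)\n---", output, re.S)
    if m:
        info["client_ca_names"] = [ln.strip() for ln in m.group(1).splitlines() if ln.strip()]
    return info

def diagnose(info):
    """Separate what the server decided (the alert) from what this client could verify."""
    if info["alert"] == 42 and info["client_ca_names"]:
        # The server asked for a client cert from the listed CAs and rejected what it got.
        return ("server requires a client certificate issued by "
                + ", ".join(info["client_ca_names"])
                + " and rejected ours (alert 42 bad_certificate); local verify code "
                + str(info["verify_code"]) + " only shows this client lacks the server's CA")
    if info["alert"] is not None:
        return "server sent alert %d (%s)" % (info["alert"], ALERT_NAMES.get(info["alert"], "unknown"))
    if info["verify_code"] not in (None, 0):
        return "handshake completed; only local verification failed (code %d)" % info["verify_code"]
    return "no TLS error detected"
```

Run against the quoted output it reports that the server demands a client certificate from R1RMRootCA_GA, which a bare wget or s_client never presents, so both errors are expected from those tools regardless of the firewall.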
Answer 1
The connection problem was resolved by updating the Sophos XG firmware from version 16.05.3 MR-3 to version 16.05.5 MR-5.
The OpenSSL errors never went away, so they must have been a red herring.