我正在尝试在stunnel
本地主机上使用 HTTPS(端口 443)来为在端口 8000 上本地运行的开发 Web 服务器提供服务。
它启动并接受连接,但每次我打开时https://localhost:443
,连接都会立即重置。
根据配置,相关证书属于 TLSv1.2 类型。
启动命令stunnel
:
$sudo stunnel www.example.com.conf
配置文件:
pid=
cert = certs/www.example.com/fullchain.pem
key = certs/www.example.com/privkey.pem
sslVersion = TLSv1.2
foreground = yes
output = log/www.example.com.log
debug = 7
[https]
accept=443
connect=8000
命令的输出:
2018.05.20 16:54:38 LOG7[ui]: Clients allowed=500
2018.05.20 16:54:38 LOG5[ui]: stunnel 5.44 on x86_64-pc-linux-gnu platform
2018.05.20 16:54:38 LOG5[ui]: Compiled/running with OpenSSL 1.1.0g 2 Nov 2017
2018.05.20 16:54:38 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
2018.05.20 16:54:38 LOG7[ui]: errno: (*__errno_location ())
2018.05.20 16:54:38 LOG5[ui]: Reading configuration from file /home/helgihg/stunnel/www.example.com.conf
2018.05.20 16:54:38 LOG5[ui]: UTF-8 byte order mark not detected
2018.05.20 16:54:38 LOG5[ui]: FIPS mode disabled
2018.05.20 16:54:38 LOG7[ui]: Compression disabled
2018.05.20 16:54:38 LOG7[ui]: Snagged 64 random bytes from /home/helgihg/.rnd
2018.05.20 16:54:38 LOG7[ui]: Wrote 1024 new random bytes to /home/helgihg/.rnd
2018.05.20 16:54:38 LOG7[ui]: PRNG seeded successfully
2018.05.20 16:54:38 LOG6[ui]: Initializing service [https]
2018.05.20 16:54:38 LOG7[ui]: Ciphers: HIGH:!DH:!aNULL:!SSLv2
2018.05.20 16:54:38 LOG7[ui]: TLS options: 0x02024004 (+0x02004000, -0x00000000)
2018.05.20 16:54:38 LOG6[ui]: Loading certificate from file: certs/www.example.com/fullchain.pem
2018.05.20 16:54:38 LOG6[ui]: Certificate loaded from file: certs/www.example.com/fullchain.pem
2018.05.20 16:54:38 LOG6[ui]: Loading private key from file: certs/www.example.com/privkey.pem
2018.05.20 16:54:38 LOG6[ui]: Private key loaded from file: certs/www.example.com/privkey.pem
2018.05.20 16:54:38 LOG7[ui]: Private key check succeeded
2018.05.20 16:54:38 LOG7[ui]: DH initialization
2018.05.20 16:54:38 LOG7[ui]: Could not load DH parameters from certs/www.example.com/fullchain.pem
2018.05.20 16:54:38 LOG6[ui]: Using dynamic DH parameters
2018.05.20 16:54:38 LOG7[ui]: ECDH initialization
2018.05.20 16:54:38 LOG7[ui]: ECDH initialized with curve prime256v1
2018.05.20 16:54:38 LOG5[ui]: Configuration successful
2018.05.20 16:54:38 LOG7[ui]: Binding service [https]
2018.05.20 16:54:38 LOG7[ui]: Listening file descriptor created (FD=7)
2018.05.20 16:54:38 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2018.05.20 16:54:38 LOG7[ui]: Service [https] (FD=7) bound to 0.0.0.0:443
2018.05.20 16:54:38 LOG7[ui]: No pid file being created
2018.05.20 16:54:38 LOG7[cron]: Cron thread initialized
以下是我使用浏览器访问时发生的情况:
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55668
2018.05.20 16:55:20 LOG7[0]: Service [https] started
2018.05.20 16:55:20 LOG7[0]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[0]: Service [https] accepted connection from 127.0.0.1:55668
2018.05.20 16:55:20 LOG6[0]: Peer certificate not required
2018.05.20 16:55:20 LOG7[0]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[0]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[0]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[0]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55670
2018.05.20 16:55:20 LOG7[1]: Service [https] started
2018.05.20 16:55:20 LOG7[1]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[1]: Service [https] accepted connection from 127.0.0.1:55670
2018.05.20 16:55:20 LOG6[1]: Peer certificate not required
2018.05.20 16:55:20 LOG7[1]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[1]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[1]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[1]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55672
2018.05.20 16:55:20 LOG7[2]: Service [https] started
2018.05.20 16:55:20 LOG7[2]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[2]: Service [https] accepted connection from 127.0.0.1:55672
2018.05.20 16:55:20 LOG6[2]: Peer certificate not required
2018.05.20 16:55:20 LOG7[2]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[2]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[2]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[2]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[2]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55674
2018.05.20 16:55:20 LOG7[3]: Service [https] started
2018.05.20 16:55:20 LOG7[3]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[3]: Service [https] accepted connection from 127.0.0.1:55674
2018.05.20 16:55:20 LOG6[3]: Peer certificate not required
2018.05.20 16:55:20 LOG7[3]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[3]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[3]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[3]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55676
2018.05.20 16:55:20 LOG7[4]: Service [https] started
2018.05.20 16:55:20 LOG7[4]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[4]: Service [https] accepted connection from 127.0.0.1:55676
2018.05.20 16:55:20 LOG6[4]: Peer certificate not required
2018.05.20 16:55:20 LOG7[4]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[4]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[4]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[4]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[4]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55678
2018.05.20 16:55:20 LOG7[5]: Service [https] started
2018.05.20 16:55:20 LOG7[5]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[5]: Service [https] accepted connection from 127.0.0.1:55678
2018.05.20 16:55:20 LOG6[5]: Peer certificate not required
2018.05.20 16:55:20 LOG7[5]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[5]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[5]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[5]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[5]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55680
2018.05.20 16:55:20 LOG7[6]: Service [https] started
2018.05.20 16:55:20 LOG7[6]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[6]: Service [https] accepted connection from 127.0.0.1:55680
2018.05.20 16:55:20 LOG6[6]: Peer certificate not required
2018.05.20 16:55:20 LOG7[6]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[6]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[6]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[6]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[6]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55682
2018.05.20 16:55:20 LOG7[7]: Service [https] started
2018.05.20 16:55:20 LOG7[7]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[7]: Service [https] accepted connection from 127.0.0.1:55682
2018.05.20 16:55:20 LOG6[7]: Peer certificate not required
2018.05.20 16:55:20 LOG7[7]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[7]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[7]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[7]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[7]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55684
2018.05.20 16:55:20 LOG7[8]: Service [https] started
2018.05.20 16:55:20 LOG7[8]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[8]: Service [https] accepted connection from 127.0.0.1:55684
2018.05.20 16:55:20 LOG6[8]: Peer certificate not required
2018.05.20 16:55:20 LOG7[8]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[8]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[8]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[8]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[8]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55686
2018.05.20 16:55:20 LOG7[9]: Service [https] started
2018.05.20 16:55:20 LOG7[9]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[9]: Service [https] accepted connection from 127.0.0.1:55686
2018.05.20 16:55:20 LOG6[9]: Peer certificate not required
2018.05.20 16:55:20 LOG7[9]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[9]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[9]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[9]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[9]: Service [https] finished (0 left)
我怀疑问题出在这里:
2018.05.20 16:55:20 LOG3[9]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
但我不知道为什么会涉及到过时的 SSLv3 协议。我 3 年前使用的配置确实使用了 SSLv3,但这是 TLSv1.2 证书,配置明确表示为 TLSv3。我的版本stunnel
实际上似乎不支持 SSLv3,我认为我也不需要它。
这就是我被困住的地方。任何帮助都深表感谢。
答案1
就像往常一样,我发布问题后找到了答案。有时问问题似乎会有所帮助。
坦率地说,我不明白这背后的技术原因,但解决方案很简单,继续设置我的www.example.com
域名/etc/hosts
并使用它而不是本地主机。
就像这样:
127.0.0.1 www.example.com
然后就https://www.example.com
可以正常工作,从我的本地主机运行。
答案2
在服务器地址和 stunnel 监听的端口前添加“https://”。例如https://127.0.0.1:443。使用 Google Chrome 似乎不起作用,因此请尝试使用 Firefox (v. 65)。