tls 1.2握手超时docker容器

tag-icon tag-icon ubuntu ssl docker timeout curl
tls 1.2握手超时docker容器

我正在使用全新的 ubuntu 18.04.01,按照官方安装指南安装了 Docker 版本 18.09.1,版本 4c52b90。我遇到了一个与 TLS 1.2 有关的奇怪问题

在主机上,我可以使用 https 毫无问题地 curl 到任何 URL。下面是使用 github 的示例,但使用 google 等也很好。

$ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
$ curl -v https://github.com
* Rebuilt URL to: https://github.com/
*   Trying 140.82.118.3...
* TCP_NODELAY set
* Connected to github.com (140.82.118.3) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
...

在我无法访问的 Docker 容器上https://github.org和其他人,而https://google.com例如工作得很好。

这是 curl 版本和与 google 的连接

$ docker run -it --rm ubuntu:18.04 bash
$ root@66c5a69546fc:/# curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24

root@ 66c5a69546fc:/# curl -v https://google.com
* Rebuilt URL to: https://google.com/
*   Trying 216.58.205.110...
* TCP_NODELAY set
* Connected to google.com (216.58.205.110) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):

以下是对 github 的 curl,最终将以握手超时结束

$ root@c69bad8b7d95:/# curl -v https://github.com
* Rebuilt URL to: https://github.com/
*   Trying 140.82.118.3...
* TCP_NODELAY set
* Connected to github.com (140.82.118.3) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):

而 http 中的 ping 和 curl 都可以正常工作

$ root@c69bad8b7d95:/# ping github.com
PING github.com (140.82.118.3) 56(84) bytes of data.
64 bytes from lb-git-ssh.net.am4-ams.github.net (140.82.118.3): icmp_seq=1 ttl=49 time=25.6 ms
64 bytes from lb-git-ssh.net.am4-ams.github.net (140.82.118.3): icmp_seq=2 ttl=49 time=25.7 ms
^C
--- github.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 25.644/25.685/25.726/0.041 ms
$ root@c69bad8b7d95:/# curl -v http://github.com
* Rebuilt URL to: http://github.com/
*   Trying 140.82.118.4...
* TCP_NODELAY set
* Connected to github.com (140.82.118.4) port 80 (#0)

我是否遗漏了某个 docker 设置?我尝试在 daemon.json 中设置不同的 DNS,更改 docker 的 bip,但似乎没有任何效果

感谢 Alberto 的帮助

相关内容