Letsencrypt 在非标准端口上吗?

Letsencrypt 在非标准端口上吗?

我遇到了一个无法解释的奇怪现象。我正在运行一个带有 letsencrypt 的 nginx 和一个 Java 应用程序服务器。nginx 在 443 上监听,而应用程序服务器在 8008 上监听。两者都使用 SSL 和相同的证书。Nginx 运行良好,但应用程序服务器很奇怪:

尝试这个网址

  • Postman 加载无错误
  • CURL 加载无错误
  • macOS 上的 Safari 加载时没有出现错误
  • macOS 上的 Chrome 可以加载页面,但 JavaScript 提取也会/openapi.json失败直接下载
  • macOS 上的 Firefox 失败(无法建立安全连接)
  • iOS 上的 Safari 失败

使用curl -v --http1.1 https://frascati.projectkeep.io:8008/openapi/表演:

curl -v --http1.1 https://frascati.projectkeep.io:8008/openapi/
*   Trying 18.218.218.93...
* TCP_NODELAY set
* Connected to frascati.projectkeep.io (18.218.218.93) port 8008 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=frascati.projectkeep.io
*  start date: Jan 27 13:46:16 2020 GMT
*  expire date: Apr 26 13:46:16 2020 GMT
*  subjectAltName: host "frascati.projectkeep.io" matched cert's "frascati.projectkeep.io"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET /openapi/ HTTP/1.1
> Host: frascati.projectkeep.io:8008
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
> Accept: */*
> Referer: 
> 
< HTTP/1.1 200 OK
< accept-ranges: bytes
< content-length: 1394
< cache-control: public, max-age=86400
< last-modified: Mon, 27 Jan 2020 16:05:19 GMT
< date: Mon, 27 Jan 2020 18:11:52 GMT
< content-type: text/html;charset=UTF-8
< 
<!-- HTML for static distribution bundle build -->
<!DOCTYPE html>

更新

为了比较,这里是 nginx 的输出相同内容

 curl -v https://frascati.projectkeep.io/openapi/
*   Trying 18.218.218.93...
* TCP_NODELAY set
* Connected to frascati.projectkeep.io (18.218.218.93) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=frascati.projectkeep.io
*  start date: Jan 27 13:46:16 2020 GMT
*  expire date: Apr 26 13:46:16 2020 GMT
*  subjectAltName: host "frascati.projectkeep.io" matched cert's "frascati.projectkeep.io"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET /openapi/ HTTP/1.1
> Host: frascati.projectkeep.io
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
> Accept: */*
> Referer: 
> 
< HTTP/1.1 200 OK
< Server: nginx/1.16.1
< Date: Mon, 27 Jan 2020 18:07:02 GMT
< Content-Type: text/html;charset=UTF-8
< Content-Length: 1394
< Connection: keep-alive
< accept-ranges: bytes
< cache-control: public, max-age=86400
< last-modified: Mon, 27 Jan 2020 16:05:19 GMT
< 
<!-- HTML for static distribution bundle build -->

我错过了什么?

答案1

正如对该问题的评论所指出的:

  1. 您的应用服务器正在使用 Java 8 JSSE

  2. 它已TLSv1.3在可能的 TLS 协议中进行配置。

所述问题是由于缺乏对 TLSv1.3 的支持在 Java 的标准 SSLContext 实现中。因此:

  • curl建议TLS版本 1.3
  • 服务器接受,然后阻塞

评论:如果您使用的是 Tomcat,则底层本机库OpenSSLImplementation支持该功能。TLSv1.3

相关内容