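I have a nodejs https server running on my Raspberry Pi. It responds to ajax requests. When the web page is opened from a desktop/laptop or an iPhone (Safari), the ajax calls return the correct result with an http return code of 200. However, when I do the same from the Firefox browser on an Android phone, I get an empty result and an http return code of 0. The server-side log indicates a problem with the certificate.
(Each time before opening the web page, I confirm that I accept the risk of the self-signed certificate.)
When I open the nodejs resource directly in Firefox/Android (rather than opening the web page), the error does not occur.
Update: the nodeJS server's "clientError" event fires and shows the following error message in the server log: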
node[30508]: [Error: 1995487744:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 42
node[30508]: ] {
node[30508]: library: 'SSL routines',
node[30508]: function: 'ssl3_read_bytes',
node[30508]: reason: 'sslv3 alert bad certificate',
node[30508]: code: 'ERR_SSL_SSLV3_ALERT_BAD_CERTIFICATE'
node[30508]: }
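However, when I call the web page/resource from any other client, this error does not occur (and does not show up in the log file).
OpenSSL shows this diagnostic: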
$ openssl s_client -host 192.168.1.19 -port 443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local
verify return:1
---
Certificate chain
0 s:C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local
i:C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local
issuer=C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1491 bytes and written 363 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: B24098C068F9ECD0BFC30EDF927E89612B44DEF4B3116A71FC91C4E864B3FB2D
Session-ID-ctx:
Resumption PSK: C48161A2239187636E97AFC01B3E4BD55147F6DFFB0F030BEF4D0FD6CE1377D6F47EE18A642E9AA53D0433F468CC1F62
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
...
Start Time: 1687557206
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 83F99A48AD8D62C89D166ABC8CC5D268B768AA4D7951FCC3AF3AA06B5BFC9239
Session-ID-ctx:
Resumption PSK: EF1B6282D0AC4F1A99275B3559ABB75E28A6D71A937FA18E2B36B09DFC90189787CB7C3B08084778191A8D719BDCC105
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
...
Start Time: 1687557206
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
closed
The server-side certificate also seems to be fine:
$ sudo openssl x509 -in /etc/path/certificate.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
63:48:70:19:2f:86:fa:04:34:9f:1c:af:d5:d4:60:60:12:c0:21:db
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local
Validity
Not Before: Jul 29 18:42:15 2022 GMT
Not After : Aug 1 18:42:15 2032 GMT
Subject: C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
83:35:90:AB:2E:A0:CA:8B:FA:3B:A6:CD:63:FA:9B:59:22:6E:40:CC
X509v3 Authority Key Identifier:
keyid:83:35:90:AB:2E:A0:CA:8B:FA:3B:A6:CD:63:FA:9B:59:22:6E:40:CC
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
I don't know what is going wrong. Any help on what might be causing this error would be greatly appreciated.
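Added example, not part of the original post: a Node.js helper that decodes the OpenSSL error string delivered to the `clientError` event, so the log states which TLS alert arrived and from which side. For the message above it reports alert 42 (`bad_certificate`) sent by the client, because `ssl3_read_bytes` reports an alert record read from the peer. The names `describeTlsClientError`, `CERT_ALERTS`, `ALERT_RE` and `SAMPLE` are assumptions made for this example; the sample message is copied from the log lines in the post.

```javascript
'use strict';

// TLS alert descriptions (RFC 5246 / RFC 8446) that concern the peer's certificate.
const CERT_ALERTS = {
  42: 'bad_certificate',
  43: 'unsupported_certificate',
  44: 'certificate_revoked',
  45: 'certificate_expired',
  46: 'certificate_unknown',
  48: 'unknown_ca',
};

// OpenSSL error strings have the shape
//   <tid>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:SSL alert number <n>
const ALERT_RE = /:error:([0-9A-Fa-f]+):([^:]*):([^:]*):([^:]*):.*SSL alert number (\d+)/;

function describeTlsClientError(err) {
  const m = ALERT_RE.exec(String(err && err.message));
  if (!m) return null; // not a TLS alert (e.g. ECONNRESET or an HTTP parse error)
  const [, code, library, func, reason, num] = m;
  const alertNumber = Number(num);
  return {
    opensslCode: code.toUpperCase(),
    library,
    reason,
    alertNumber,
    alertName: CERT_ALERTS[alertNumber] || 'other',
    // ssl3_read_bytes reports an alert record that was read from the socket,
    // i.e. the remote client sent it after rejecting what the server presented.
    sentBy: func === 'ssl3_read_bytes' ? 'client' : 'unknown',
    aboutCertificate: alertNumber in CERT_ALERTS,
  };
}

// Constructed sample: the message text from the server log quoted in the post.
const SAMPLE = new Error(
  '1995487744:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:' +
  '../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 42\n');

// Hypothetical wiring into an existing https.Server instance named `server`:
//   server.on('clientError', (err, socket) => {
//     console.warn(describeTlsClientError(err) || err.code);
//     socket.destroy();
//   });

console.log(describeTlsClientError(SAMPLE));
```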