仅部分 WiFi 网络出现 SSL/TLS 错误

tag-icon tag-icon ssl firewall
仅部分 WiFi 网络出现 SSL/TLS 错误

当我使用某些公共 wifi 网络时,SSL 握手无法完成,这给我带来了问题。当访问我的应用程序的所有端点时,就会出现这个问题,因此在某些网络上,应用程序根本无法运行。我曾使用 openssl 尝试测试,但即使是这样,它也只能选择性地工作。当我连接到不安全的网络时,此命令不起作用,而当我使用蜂窝数据时,它确实可以工作。

openssl s_client -connect my_server_address.com:443

以下是在我的手机上运行该命令的输出:

CONNECTED(00000007)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M03
verify return:1
depth=0 CN = my_server_address.com
verify return:1
---
Certificate chain
 0 s:CN = my_server_address.com
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M03
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M03
   i:C = US, O = Amazon, CN = Amazon Root CA 1
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----

...

A big long body of certificate

...

-----END CERTIFICATE-----
subject=CN = my_server_address.com

issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M03

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5448 bytes and written 446 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: ---------------------Redacted----------------------
    Session-ID-ctx: 
    Master-Key: ---------------------Redacted----------------------
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1707868579
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

在公共 wifi 上:

CONNECTED(00000007)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

我正在寻找能够为我指明正确方向的人,告诉我需要做什么才能使我的服务器可以从这个公共 wifi 网络访问。其他网站在这里可以正常工作,其他应用程序在这里也可以正常运行(尽管可能会稍微增加一些延迟)。我注意到,我测试的所有其他应用程序都已锁定证书,因此我无法使用我的 Proxyman 查看他们的请求,以了解他们做了什么来使他们的请求正常工作。

感谢您的帮助。

我使用 Proxyman 尝试调查有效的请求和无效的请求。

我真的很困惑,因为服务器几乎在所有网络上都能正常连接。

该问题最初是在 iPhone 上发现的,但使用此命令显示这不是 ATS 的问题:

/usr/bin/nscurl --ats-diagnostics --verbose https://my_server_address.com

相关内容