How can I troubleshoot SSL timeouts via curl?
I am getting timeouts when trying to use UPS's Online Tools API via PHP + Curl. The problem started this morning. I can reproduce it directly with Curl from bash on Ubuntu 14.04. On Ubuntu 16.04, however, I can connect without any problem.
UPS support was not especially helpful:
Which of these servers have completed the TLS 1.2 migration is not known. It is suggested to make sure that your security protocol is enabled for TLS 1.0, 1.1 and 1.2 for the time being. Though having the full stack should minimize problems, as negotiation will utilize the highest agreed-upon supported protocol by both parties.
Here is the verbose output on 14.04:
root@ubuntu14-nyc2-01:/etc/ssl/certs# curl https://onlinetools.ups.com -v
* Rebuilt URL to: https://onlinetools.ups.com/
* Hostname was NOT found in DNS cache
* Trying 153.2.228.76...
* connect to 153.2.228.76 port 443 failed: Connection timed out
* Trying 153.2.224.76...
* After 86387ms connect time, move on!
* connect to 153.2.224.76 port 443 failed: Connection timed out
* Failed to connect to onlinetools.ups.com port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to onlinetools.ups.com port 443: Connection timed out
If I just try to connect via OpenSSL, it also times out:
root@ubuntu14-nyc2-01:/etc/ssl/certs# openssl s_client -connect onlinetools.ups.com:443
Any idea where the problem is? Any pointers for troubleshooting? Is anyone else having trouble with the UPS API on Ubuntu 14.04?
The versions of the relevant libraries are as follows:
- Curl: tried 7.50 with OpenSSL/1.0.2h, and 7.35 with OpenSSL/1.0.1f
- OpenSSL: tried 1.0.2h and 1.0.1f
I tried pulling the cacerts bundle from haxx.se and pointing Curl at it with the --cacerts arg, but with no luck.
I'm pretty much at a loss here... what am I missing?
A connection timeout is a TCP-level problem, not an SSL/TLS problem. Put simply, it cannot connect to the host at all. In this case you would not even manage to connect to the peer with telnet or netcat. Depending on how many targets are affected, it is either a firewall or router problem on the target side (i.e. only this target is affected) or some general network problem on your side (i.e. most hosts don't work).
This is not an answer to the question, but it may interest someone searching for UPS + SSL/TLS problems... buried deep in the UPS website:
Important: 2017 Implementation Update
UPS will be making changes beginning September 1, 2017 through December 31, 2017 to support enhancing our security. During this time, you may see intermittent failures for transactions using TLS1.0 or earlier.
Effective 12/31/2017, UPS will only accept TLS 1.1 and TLS 1.2 security protocols. It is highly recommended that the most current version, TLS 1.2, be implemented. After that date, any communication requests submitted to UPS using older protocols (TLS 1.0 or earlier) will fail.
https://www.ups.com/us/en/help-center/technology-support/data-security.page
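The two answers above make two separate points: curl's exit code 7 ("Connection timed out") is raised before a single TLS byte is sent, so it is a TCP-level failure that no certificate bundle or protocol setting can fix; and once TCP does work, the endpoint's move to TLS 1.1/1.2 only becomes visible as a handshake failure. The script below, an added example that is not code from the question or either answer, separates name resolution, the TCP connect and the TLS handshake into stages and reports which one fails, plus the negotiated protocol version on success. The `diagnose` function, the `Diagnosis` record and the local helper servers used to reproduce the "refused at TCP" and "TCP works but TLS fails" cases offline are my own constructions; the TLS 1.2 minimum mirrors the UPS notice.

```python
"""Staged diagnosis of an HTTPS connection failure (added example).

Stages reported:
  dns  -> the name does not resolve
  tcp  -> no address accepts the connection (timeout or refused: a firewall,
          routing or host problem, which is what curl's exit code 7 means)
  tls  -> TCP works but the handshake fails (protocol, cipher or cert mismatch)
  ok   -> handshake completed; detail holds the negotiated TLS version
"""
import socket
import ssl
import threading
from dataclasses import dataclass


@dataclass
class Diagnosis:
    stage: str    # "dns", "tcp", "tls" or "ok"
    detail: str   # error text, or the negotiated TLS version when stage == "ok"


def diagnose(host: str, port: int = 443, timeout: float = 5.0,
             min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> Diagnosis:
    """Resolve, connect, then handshake, stopping at the first stage that fails."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return Diagnosis("dns", f"{host}: {exc}")

    ctx = ssl.create_default_context()          # verifies the chain and hostname
    ctx.minimum_version = min_version           # refuse TLS 1.0/1.1, as UPS announced

    last_tcp_error = "no addresses returned"
    for family, socktype, proto, _canon, sockaddr in addrs:
        raw = socket.socket(family, socktype, proto)
        raw.settimeout(timeout)
        try:
            raw.connect(sockaddr)
        except OSError as exc:                  # timeout, refused, unreachable ...
            raw.close()
            last_tcp_error = f"{sockaddr[0]}:{sockaddr[1]} {exc}"
            continue                            # like curl, try the next A/AAAA record
        try:
            # The socket is already connected, so wrap_socket() performs the
            # handshake immediately; any failure here is a genuine TLS problem.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return Diagnosis("ok", tls.version())
        except OSError as exc:                  # ssl.SSLError is an OSError subclass
            return Diagnosis("tls", f"{sockaddr[0]}: {exc}")
    return Diagnosis("tcp", last_tcp_error)


def _closed_port() -> int:
    """Constructed helper: a localhost port with nothing listening on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def _plain_listener() -> int:
    """Constructed helper: a TCP server that accepts the connection but answers
    the ClientHello in plaintext, reproducing 'TCP fine, TLS broken' offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def local_demo() -> dict:
    """Run both offline scenarios and return {scenario: stage}."""
    return {
        "closed_port": diagnose("127.0.0.1", _closed_port(), timeout=2).stage,
        "plain_tcp_server": diagnose("127.0.0.1", _plain_listener(), timeout=2).stage,
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "onlinetools.ups.com"
    print(diagnose(target))
```

Run it with the real hostname to see which stage fails; a `tcp` result with a timeout is the same situation as the curl output in the question and should be taken to the network or the target's firewall, while a `tls` result with a "wrong version number" or "protocol version" message points at the TLS 1.0/1.1 cut-off.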