How to make a secure HTTP/2 connection to Ruby server with Chrome and Firefox?

The following server code establishes an SSL connection with curl and Safari, but does not work with Firefox or Chrome. It works in Safari after saving the certificate exception.

  require 'socket'
  require 'openssl'

  # Plain TCP listener; the TLS layer is wrapped around it below
  server = TCPServer.new( 8080 )

  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = OpenSSL::X509::Certificate.new(File.open('lib/keys/server.crt'))
  ctx.key = OpenSSL::PKey::RSA.new(File.open('lib/keys/server.key'))

  # Pin the protocol version and reuse the gem's default options and cipher list
  ctx.ssl_version = :TLSv1_2
  ctx.options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options]
  ctx.ciphers = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]

  # Every accept on this server now performs the TLS handshake first
  server = OpenSSL::SSL::SSLServer.new(server, ctx)

I have tried adding the certificate to Firefox and to Keychain (OSX), but I still get

The webpage at https://localhost:8080/ might be temporarily down or it may have moved permanently to a new web address.

ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

Googling suggests a problem with the ciphers, but the following make no difference:

ctx.ciphers = 'AESGCM:HIGH:!aNULL:!MD5'
ctx.ciphers = 'EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES'
ctx.ciphers = 'TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5'

Commenting out ctx.ciphers doesn't help either.

On Firefox, the connection hangs. I haven't found a good way to resolve the error.

Using Chrome 53, Firefox 46 and OpenSSL 1.0.2j.

What could be causing this error?

It seems Chrome insists on an ephemeral ECDH key exchange for HTTP/2, and to make that work you need to set tmp_ecdh_callback:

ctx.tmp_ecdh_callback = lambda do |*args|
  OpenSSL::PKey::EC.new 'prime256v1'
end

I based this on the example code from the Ruby http-2 gem, which I think is where you've got your code from too. Note that in that code it uses lambda do |_args| (with the underscore but no *), and this causes problems because the number of args is wrong and lambda is strict about passing the right number, so you get errors. I've changed it back to the original *args here; it appears to have been changed to fix Rubocop warnings. Since you seem to be active in that repo, you may want to change it to something like |*_args|.
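Added example (not the answer's or the http-2 gem's code) that checks the requirement described above end to end: it builds a server context with ephemeral ECDH and "h2" offered via ALPN, performs one in-process handshake, and returns the negotiated cipher and protocol. It uses ecdh_curves, which is the replacement for tmp_ecdh_callback in openssl gem 2.0 and later, and generates a throwaway self-signed certificate in memory instead of reading lib/keys/server.crt.

```ruby
require 'socket'
require 'openssl'

# Constructed self-signed certificate for localhost, generated in memory so the
# example runs without key files on disk (a real server loads its own cert).
def make_self_signed_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Server context: TLS 1.2 only, ephemeral ECDH enabled via ecdh_curves (the
# modern equivalent of the tmp_ecdh_callback fix), and "h2" offered via ALPN.
def build_server_context(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.ecdh_curves = 'prime256v1'
  ctx.alpn_protocols = ['h2']
  ctx.alpn_select_cb = ->(protos) { protos.include?('h2') ? 'h2' : protos.first }
  ctx
end

# Runs one handshake against an in-process server and returns what the client
# negotiated, so the ECDHE + h2 requirement can be checked programmatically.
def negotiate_once
  cert, key = make_self_signed_cert
  tcp = TCPServer.new('127.0.0.1', 0)
  port = tcp.addr[1]
  server = OpenSSL::SSL::SSLServer.new(tcp, build_server_context(cert, key))
  thread = Thread.new { s = server.accept; s.close }
  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.cert_store = OpenSSL::X509::Store.new.tap { |st| st.add_cert(cert) }
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  client_ctx.alpn_protocols = ['h2']
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), client_ctx)
  sock.connect
  result = { cipher: sock.cipher[0], alpn: sock.alpn_protocol }
  sock.close; thread.join; server.close
  result
end
```

If the returned cipher name does not start with ECDHE, Chrome will reject the connection with the same inadequate-transport-security error shown in the question.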