CUPS/IPP over HTTPS via CF/Gorouter - TLS handshake error

I want to print PostScript on Cloud Foundry via CUPS/HTTPS. It works when I use HTTP, but with HTTPS it fails with this gorouter log:

http: TLS handshake error from ...

My cipher_suites:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

I tried setting router.logging_level to debug (default: info), but it did not change anything...

Is there any way to get more information? What is the most verbose log level of gorouter?

I solved my problem. In my case, mutual TLS was enabled on the gorouter:

By default, Gorouter requests but does not require client certificates in TLS handshakes.

https://docs.cloudfoundry.org/adminguide/securing-traffic.html#gorouter_mutual_auth


Checking whether mTLS is enabled

1. Windows SCHANNEL event logging

Add the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
EventLogging REG_DWORD = 3

https://blogs.technet.microsoft.com/kevinjustin/2017/11/08/schannel-event-logging/

Now you should be able to find event log entries saying that the server requested a client certificate but none was found.

2. curl

Look at the bold line:

curl -I -v -H "Connection: close" https://your-app.cloud
* About to connect() to your-app.cloud port 443 (#0)
* Connected to your-app.cloud port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

3. openssl

Look at the bold line:

openssl s_client -connect your-app.cloud:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
...
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A

Disabling Gorouter mTLS

Change the Gorouter properties in the CF deployment manifest:

- name: router
  jobs:
  - name: gorouter
    release: routing
    properties:
      router:
        forwarded_client_cert: always_forward
        client_cert_validation: none

Now you can check again whether mTLS is still enabled.

Note that these settings did not work with routing release 0.164.0, but with 0.178.0 they work as expected.
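The openssl check above works because a TLS 1.2 server that wants a client certificate sends a CertificateRequest handshake message (type 13) in the clear, between ServerKeyExchange and ServerHelloDone. As an added example that is not part of the original answer, this parser walks a captured server flight record by record and reports whether such a request is present; the sample bytes are constructed with dummy message bodies, and the check only applies to TLS 1.2, since TLS 1.3 encrypts the CertificateRequest.

```python
import struct

HANDSHAKE = 0x16  # TLS record content type for handshake messages

def tls_records(data: bytes):
    """Yield (content_type, payload) for each complete TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        yield ctype, body
        off += 5 + length

def handshake_types(data: bytes):
    """Return handshake message types in order; messages may span records."""
    stream = b"".join(p for t, p in tls_records(data) if t == HANDSHAKE)
    types, off = [], 0
    while off + 4 <= len(stream):
        htype = stream[off]
        hlen = int.from_bytes(stream[off + 1:off + 4], "big")
        if off + 4 + hlen > len(stream):
            raise ValueError("truncated handshake message")
        types.append(htype)
        off += 4 + hlen
    return types

def server_requests_client_cert(data: bytes) -> bool:
    """True if the server flight contains a CertificateRequest (type 13)."""
    return 13 in handshake_types(data)

def _hs(htype, body):  # constructed helper: one handshake message
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def _record(payload):  # constructed helper: one TLS 1.2 handshake record
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(payload)) + payload

# Constructed samples with dummy message bodies: the mTLS flight is split
# across two records and carries a CertificateRequest before ServerHelloDone.
MTLS_FLIGHT = (_record(_hs(2, b"\x03\x03" + b"\x00" * 34) + _hs(11, b"\x00" * 3))
               + _record(_hs(12, b"\x00" * 8) + _hs(13, b"\x01\x01\x00\x00") + _hs(14, b"")))
PLAIN_FLIGHT = _record(_hs(2, b"\x03\x03" + b"\x00" * 34) + _hs(11, b"\x00" * 3)
                       + _hs(12, b"\x00" * 8) + _hs(14, b""))

if __name__ == "__main__":
    for name, flight in (("mTLS", MTLS_FLIGHT), ("plain", PLAIN_FLIGHT)):
        print(name, handshake_types(flight),
              "client cert requested:", server_requests_client_cert(flight))
```

A real capture of the server's first flight (for example from a packet capture of the CUPS client's connection) can be passed to server_requests_client_cert unchanged.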