How to debug a TLS/SSL connection
First I made three files with these commands.
$ openssl genrsa 2048 > server.key
$ openssl req -new -key server.key > server.csr
$ openssl x509 -days 3650 -req -signkey server.key < server.csr > server.crt
Then I built the registry container with docker-compose, which includes server.key and server.crt, and port 5000 is open.
version: '3'
services:
  registry:
    container_name: registry
    image: registry:2
    restart: always
    ports:
      - '5000:5000'
    volumes:
      - /home/ubuntu/docker/data:/var/lib/registry
      - /home/ubuntu/docker/certs:/certs
      - /etc/localtime:/etc/localtime
    environment:
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/server.crt
      REGISTRY_HTTP_TLS_KEY: /certs/server.key
Then on the local host I renamed server.crt to ca.crt and put the key at /etc/docker/certs.d/docker.mysite.jp\:5000/ca.crt.
Then I tried curl, but in vain.
$ curl https://docker.mysite.jp:5000/v2/ --cacert /etc/docker/certs.d/docker.mysite.jp\:5000/ca.crt
curl: (60) SSL: unable to obtain common name from peer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
OK, I see there is a TLS/SSL problem, but how do I debug it, and where do I start??
$ curl https://docker.mysite.jp:5000/v2/ --cacert /etc/docker/certs.d/docker.mysite.jp\:5000/ca.crt -vvv
Here is the log:
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x7f89b4800000)
* Connected to docker.mysite.jp (135.132.179.73) port 5000 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/docker/certs.d/docker.mysite.jp:5000/ca.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
* start date: Mar 24 16:55:37 2020 GMT
* expire date: Feb 29 16:55:37 2120 GMT
* SSL: unable to obtain common name from peer certificate
* Closing connection 0
curl: (60) SSL: unable to obtain common name from peer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I set the FQDN for the crt file. Then the error message changed.
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x7fb4de806c00)
* Connected to docker.mysite.jp (135.132.179.73) port 5000 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/docker/certs.d/docker.mysite.jp:5000/ca.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
But then I restarted it with docker-compose down & docker-compose up, and it was fixed!!!
Run curl with the -vvv option to see all the steps. You can also try tcpdump and wireshark to look at every network operation, including network level 4.
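The two curl errors in the question point at two different problems, and they can be separated without tcpdump. "unable to obtain common name from peer certificate" means the certificate that the registry presented carries no hostname at all (the interactive "openssl req -new" prompts were left blank, so the subject is only C/ST/O); clients verify the hostname against the subjectAltName, and many no longer fall back to the CN. The later "self signed certificate" / "unknown CA" alert, with --cacert pointing at the very same file, means the certificate the server was presenting did not match the ca.crt on disk; the question's own report that a container restart fixed it fits that reading, since the registry loads its certificate at startup. The following script is an added example, not code from the question or the answer: it generates a self-signed certificate with the hostname in the SAN, verifies a certificate for a hostname the way curl does, and compares the certificate a live server actually presents against a local ca.crt by SHA-256 fingerprint. The hostname docker.example.test, the script name tlscheck.sh and the temporary directories are constructed placeholders; it assumes OpenSSL 1.1.1 or newer for the -addext option.

```shell
#!/bin/sh
# Added example for debugging the registry TLS setup; not from the original post.
# Assumes OpenSSL 1.1.1+ on PATH. Hostnames and paths used here are placeholders.

# Generate a key and a self-signed server certificate whose subject CN and
# subjectAltName both carry the registry hostname. A certificate generated
# without a CN/SAN is what produces curl's "unable to obtain common name".
make_server_cert() {
    dir="$1"; host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# Print the subjectAltName entries of a certificate (empty if there are none).
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Verify that CERT chains to CA and is valid for HOST; exit status 0 means OK.
# Passing the server certificate itself as CA mirrors the post's ca.crt setup.
verify_for_host() {
    cert="$1"; ca="$2"; host="$3"
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fetch the certificate a live server actually presents, with SNI set to HOST.
# This is the certificate curl -vvv is verifying; a container that was not
# restarted after the files changed keeps presenting the old one.
served_cert() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Compare two PEM certificates by fingerprint; exit status 0 if identical.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Usage when run directly (arguments: host port path-to-ca.crt), for example:
#   sh tlscheck.sh docker.example.test 5000 /etc/docker/certs.d/docker.example.test:5000/ca.crt
# It tells a stale/mismatched served certificate apart from a hostname problem.
if [ "$#" -eq 3 ]; then
    tmp=$(mktemp -d)
    served_cert "$1" "$2" > "$tmp/served.crt"
    if ! same_cert "$tmp/served.crt" "$3"; then
        echo "served certificate differs from $3 (container not restarted, or wrong file?)"
    elif verify_for_host "$tmp/served.crt" "$3" "$1"; then
        echo "OK: served certificate matches $3 and is valid for $1"
    else
        echo "certificate matches $3 but is not valid for $1; SAN is: $(cert_san "$tmp/served.crt")"
    fi
    rm -rf "$tmp"
fi
```

When the first branch fires, the fix is a restart of the registry container (as the question found); when the last branch fires, regenerate the certificate with make_server_cert so the SAN carries the hostname clients actually connect to, then install the new server.crt as ca.crt under /etc/docker/certs.d/ and restart the container.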