SSL connection error on only one site (of many) on the server

I have a server running several websites, each with SSL.
One of the sites now refuses to connect over SSL. This used to work, and I am looking for help working out what has changed.

The situation is as follows:
http://site1.com/ – works
https://site1.com/ – works
http://site2.com/ – works
https://site2.com/ – does not work (but did before)

Both sites are on the same server (Win Server 2003 SP2 – IIS6).

Both sites use certificates from the same authority, and both are valid (according to IIS).

As far as I can tell, both sites have the same certificate configuration in IIS (checked manually/visually by comparing the properties side by side).

Using OpenSSL, I can see an "ssl handshake failure" when trying to connect to site2 over https.

What could be causing this?

How can I investigate further?

Without an SSL connection to this site, users cannot log in or register. 🙁

Disclaimer: I am not a server administrator and I am not responsible for the box. Yes, there are broader issues here, but I need to get this working again.

Edit
Looking at the Wireshark log, I see a checksum error in the Internet Protocol data when the Client Hello is sent:

    No.  Time      Source     Destination    Protocol  Info
    119  5.734139  10.0.0.16  94.236.90.219  SSL       Client Hello

    Frame 119: 112 bytes on wire (896 bits), 112 bytes captured (896 bits)
        Arrival Time: Jan 6, 2011 13:00:30.550690000 GMT Standard Time
        Epoch Time: 1294318830.550690000 seconds
        [Time delta from previous captured frame: 0.000460000 seconds]
        [Time delta from previous displayed frame: 0.000460000 seconds]
        [Time since reference or first frame: 5.734139000 seconds]
        Frame Number: 119
        Frame Length: 112 bytes (896 bits)
        Capture Length: 112 bytes (896 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: eth:ip:tcp:ssl]
        [Coloring Rule Name: Checksum Errors]
        [Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || mstp.checksum_bad==1]
    Ethernet II, Src: Dell_ad:44:31 (b8:ac:6f:ad:44:31), Dst: Draytek_c5:c4:44 (00:50:7f:c5:c4:44)
        Destination: Draytek_c5:c4:44 (00:50:7f:c5:c4:44)
            Address: Draytek_c5:c4:44 (00:50:7f:c5:c4:44)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Dell_ad:44:31 (b8:ac:6f:ad:44:31)
            Address: Dell_ad:44:31 (b8:ac:6f:ad:44:31)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 10.0.0.16 (10.0.0.16), Dst: 94.236.90.219 (94.236.90.219)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 98
        Identification: 0x0a94 (2708)
        Flags: 0x02 (Don't Fragment)
            0... .... = Reserved bit: Not set
            .1.. .... = Don't fragment: Set
            ..0. .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 128
        Protocol: TCP (6)
        Header checksum: 0x0000 [incorrect, should be 0x2c2b]
            [Good: False]
            [Bad: True]
                [Expert Info (Error/Checksum): Bad checksum]
                    [Message: Bad checksum]
                    [Severity level: Error]
                    [Group: Checksum]
        Source: 10.0.0.16 (10.0.0.16)
        Destination: 94.236.90.219 (94.236.90.219)
    Transmission Control Protocol, Src Port: 50108 (50108), Dst Port: https (443), Seq: 1, Ack: 1, Len: 58
    Secure Socket Layer
        SSL Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: SSL 3.0 (0x0300)
            Length: 53
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 49
                Version: SSL 3.0 (0x0300)
                Random
                    gmt_unix_time: Jan 6, 2011 13:00:33.000000000 GMT Standard Time
                    random_bytes: 8b4a18cdfc3836100a7251faf181e09e8eea795c9df0b267...
                Session ID Length: 0
                Cipher Suites Length: 10
                Cipher Suites (5 suites)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                    Cipher Suite: Unknown (0x00ff)
                Compression Methods Length: 1
                Compression Methods (1 method)
                    Compression Method: null (0)

The response is:

    No.  Time      Source         Destination  Protocol  Info
    122  5.756401  94.236.90.219  10.0.0.16    TCP       https > 50108 [FIN, ACK] Seq=1 Ack=59 Win=65477 Len=0

    Frame 122: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
        Arrival Time: Jan 6, 2011 13:00:30.572952000 GMT Standard Time
        Epoch Time: 1294318830.572952000 seconds
        [Time delta from previous captured frame: 0.009587000 seconds]
        [Time delta from previous displayed frame: 0.022262000 seconds]
        [Time since reference or first frame: 5.756401000 seconds]
        Frame Number: 122
        Frame Length: 60 bytes (480 bits)
        Capture Length: 60 bytes (480 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: eth:ip:tcp]
        [Coloring Rule Name: TCP SYN/FIN]
        [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
    Ethernet II, Src: Draytek_c5:c4:44 (00:50:7f:c5:c4:44), Dst: Dell_ad:44:31 (b8:ac:6f:ad:44:31)
        Destination: Dell_ad:44:31 (b8:ac:6f:ad:44:31)
            Address: Dell_ad:44:31 (b8:ac:6f:ad:44:31)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Draytek_c5:c4:44 (00:50:7f:c5:c4:44)
            Address: Draytek_c5:c4:44 (00:50:7f:c5:c4:44)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
        Trailer: 000000000000
    Internet Protocol, Src: 94.236.90.219 (94.236.90.219), Dst: 10.0.0.16 (10.0.0.16)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 40
        Identification: 0x13f2 (5106)
        Flags: 0x02 (Don't Fragment)
            0... .... = Reserved bit: Not set
            .1.. .... = Don't fragment: Set
            ..0. .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 115
        Protocol: TCP (6)
        Header checksum: 0x3007 [correct]
            [Good: True]
            [Bad: False]
        Source: 94.236.90.219 (94.236.90.219)
        Destination: 10.0.0.16 (10.0.0.16)
    Transmission Control Protocol, Src Port: https (443), Dst Port: 50108 (50108), Seq: 1, Ack: 59, Len: 0

Edit 2
Nothing is being logged by IIS, because it never gets that far. This is a TCP-level error.

Try comparing the Wireshark results with those from a working site. I am not sure whether the checksum error is normal.

Some things to try:

  • Put a valid certificate from another site on this site, to rule out anything to do with the certificate itself.
  • Double-check the bindings to make sure they have not been changed. Since you are using different certificates, you need a unique IP address for each https binding.
  • Sometimes something unrelated can confuse things. For example, if the page redirects to another site, it may not be immediately obvious. Try testing against a test.html page to make sure it has nothing to do with the site code.
  • Try a rest test… i.e. temporarily stop the site and make sure the error changes; this will confirm that the bindings are working as expected.
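The "how far does it get" check from the question, as an added example that is not part of the original post or answer: it opens TCP to the port, sends a Client Hello, and reports whether the peer answered with a Server Hello, a TLS alert, or simply hung up (the FIN/ACK in frame 122 above is the third case), which separates a binding or listener problem from a certificate problem. The helper server, the hostname site2.com and the port numbers are constructed for the demonstration.

```python
"""Probe an HTTPS endpoint and report at which stage the connection fails (constructed
diagnostic, not code from the original post; ports below are chosen at runtime)."""
import socket
import ssl
import threading
CLOSED = "server closed the connection right after Client Hello (no TLS alert)"

def probe_https(host, port=443, server_name=None, timeout=5.0):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic probe only: we want to see the peer
    ctx.verify_mode = ssl.CERT_NONE  # certificate even when it is wrong; never reuse in a client
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", f"TCP connect to {host}:{port} failed: {exc}")
    with raw:
        try:
            tls = ctx.wrap_socket(raw, server_hostname=server_name or host, do_handshake_on_connect=False)
            tls.do_handshake()
        except (ssl.SSLEOFError, ConnectionResetError):
            return ("tls", CLOSED)  # FIN/RST instead of a Server Hello: nothing answered
        except ssl.SSLError as exc:
            if "EOF" in str(exc).upper():
                return ("tls", CLOSED)
            return ("tls", f"TLS handshake rejected: {exc.reason or exc}")
        except OSError as exc:
            return ("tls", f"socket error during handshake: {exc}")
        der_len = len(tls.getpeercert(binary_form=True) or b"")
        return ("ok", f"{tls.version()} {tls.cipher()[0]}, peer cert {der_len} bytes DER")

def start_closing_server():
    """Constructed stand-in for the broken site: accept, read the Client Hello, hang up."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)  # consume the Client Hello so close() sends a clean FIN, not RST
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port():  # a port with no listener, to show the 'tcp' stage
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    print(probe_https("127.0.0.1", start_closing_server(), server_name="site2.com"))
```

Run against site1.com and site2.com in turn: a "tcp" or "closed" result for site2 points at the https binding or listener rather than the certificate, which is exactly where the answer's second and fourth suggestions look.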