IIS:SSL站点不通过https响应所有浏览器/设备
我为我的网站安装了Geotrust证书,该证书在IIS7上运行。证书已正确安装,但我收到了意外的结果。当我向http://example.com发出请求时,它在每个浏览器/设备上运行良好,但当我向https://example.com发出请求时,它仅在某些浏览器/设备中响应,例如:
- 在同一台PC上只能在Firefox中响应,但不能在IE或Chrome中响应
- 在其他PC上不响应任何浏览器
- 最奇怪的是,在我的智能手机中,没有通过wifi响应,但当我通过3G连接时,该网站正确响应https。
- 我也在labtop中测试,通过wifi网站不响应,但如果我分享从智能手机到labtop的3g连接,网络正常工作。
编辑:openssl命令的结果:
Loading 'screen' into random state - done
CONNECTED(000001C4)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=ES/ST=Malaga/L=Malaga/O=domain/CN=www.domain.net/OU=domain
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIExjCCA66gAwIBAgIQeee0uwSySeNXOkI+BUoMMzANBgkqhkiG9w0BAQUFADBE
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMU
...
doLsKI2R6RQA/7IcuTpKkvLF5wYKvmocPxYVg9FOoFvKV0wjWo6qlwsANPAVov+7
zFzZreROa7lBj8UH0IyYjLmBrbe1yMr/Cmg=
-----END CERTIFICATE-----
subject=/C=ES/ST=Malaga/L=Malaga/O=domain/CN=www.domain.net/OU=domain
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 3405 bytes and written 645 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: D80B0000C341A313FBA6527E6576D1D71ACA71E680528EE880649C8166AA7C1B
Session-ID-ctx:
Master-Key: F1D5AB2E543959B3D100CC16365884DEFF06E56E3C57839A64088744FFCAEDCE
24B744836326E46828537C64884081B0
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1407168950
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
在搜索和测试一些想法后,我没有做任何事情,我会发疯。有什么想法吗?
2 个答案:
答案 0 :(得分:3)
...但是当我向https://example.com发出请求时,它只会在某些浏览器/设备中响应...
好的,证书链看起来不错。我从您为以下测试发布的证书中抓取了您的服务器名称。您可以通过openssl x509运行证书并查看CN和SAN:
$ openssl x509 -in server-cert.pem -inform PEM -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
79:e7:b4:bb:04:b2:49:e3:57:3a:42:3e:05:4a:0c:33
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G2
Validity
Not Before: Jun 11 00:00:00 2014 GMT
Not After : Jun 11 23:59:59 2015 GMT
Subject: C=ES, ST=Malaga, L=Malaga, O=Example, CN=www.example.com, OU=Example, LLC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a2:f6:fd:b0:30:10:91:55:3f:ec:ce:fa:d8:9e:
84:cd:60:c4:dd:a8:f0:42:37:66:a9:98:80:35:d8:
...
13:db:e9:98:c5:1a:ac:31:50:70:e1:6e:8d:1f:2a:
7d:b5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:www.example.com, DNS:example.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
Full Name:
URI:http://gb.symcb.com/gb.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.54
CPS: https://d.symcb.com/cps
User Notice:
Explicit Text: https://d.symcb.com/rpa
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Authority Key Identifier:
keyid:11:4A:D0:73:39:D5:5B:69:08:5C:BA:3D:BF:64:9A:A8:8B:1C:55:BC
Authority Information Access:
OCSP - URI:http://gb.symcd.com
CA Issuers - URI:http://gb.symcb.com/gb.crt
Signature Algorithm: sha1WithRSAEncryption
52:60:0e:f3:c7:fb:16:49:cf:4f:7c:91:d9:c9:b9:d5:92:62:
75:c9:05:f1:b7:cf:ea:30:53:44:5d:a7:1e:c7:eb:fd:a9:ab:
...
e4:4e:6b:b9:41:8f:c5:07:d0:8c:98:8c:b9:81:ad:b7:b5:c8:
ca:ff:0a:68
您 example.com和www.example.com 。没关系。
一个小小的挑剔。 IETF和CA / Browser论坛都不推荐在公共名称(CN)中放置DNS名称。 DNS名称应放置在主题备用名称(SAN)中。在CN中添加友好名称,因为它通常显示给用户。
问题不会产生您遇到的问题。事实上,我为我的网络和邮件服务器使用Startcom证书,从未遇到过问题。
接下来,OpenSSL的&#34;验证返回代码:20(无法获得本地颁发者证书)&#34; 投诉是因为您不对CAfile使用<Equifax Secure Certificate Authority>.pem选项。如果有兴趣,可以从GeoTrust Root Certificates下载。我将在下面使用它来确保&#34;验证返回代码:0(确定)&#34; 。
现在,检查一下(SSLv3):
$ echo -e "GET / HTTP/1.1\n" | openssl s_client -connect example.com:443 \
-ssl3 -ign_eof -CAfile Equifax_Secure_Certificate_Authority.pem
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G2
verify return:1
depth=0 C = ES, ST = Malaga, L = Malaga, O = Example, LLC, CN = www.example.com, OU = Example, LLC
verify return:1
---
Certificate chain
0 s:/C=ES/ST=Malaga/L=Malaga/O=Example, LLC/CN=www.example.com/OU=Example, LLC
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
...
Start Time: 1407401571
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 07 Aug 2014 08:52:28 GMT
Connection: close
Content-Length: 334
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Hostname</h2>
<hr><p>HTTP Error 400. The request hostname is invalid.</p>
</BODY></HTML>
read:errno=0
和(SNS的TLS 1.0):
$ echo -e "GET / HTTP/1.1\n" | openssl s_client -connect example.com:443 \
-tls1 -servername example.com -ign_eof -CAfile Equifax_Secure_Certificate_Authority.pem
CONNECTED(00000003)
...
Start Time: 1407401898
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 07 Aug 2014 08:57:55 GMT
Connection: close
Content-Length: 334
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Hostname</h2>
<hr><p>HTTP Error 400. The request hostname is invalid.</p>
</BODY></HTML>
read:errno=0
它似乎与服务器名称指示(SNI)无关。我不确定SNI在这一点上是否受到尊重。这是IIS 7.5还是以下? IIS 8 provides SNI,这可能有助于解决问题,因为请求将立即路由到IIS中的正确虚拟域。
接下来,添加主机标头:
$ echo -e "GET / HTTP/1.1\nHost:example.com\n" | openssl s_client -connect example.com:443 \
-ssl3 -ign_eof -CAfile Equifax_Secure_Certificate_Authority.pem
CONNECTED(00000003)
...
Start Time: 1407402117
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
read R BLOCK
HTTP/1.1 302 Found
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Location: /Login/Login
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=310xiuzver13lqoau0il0tsu; path=/; HttpOnly
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Aug 2014 09:01:34 GMT
302重定向看起来不对。 301不应该是301吗?见HTTP redirect: 301 (permanent) vs. 302 (temporary)。另请查看How can I make Chrome stop caching redirects?以及&#34;赢得修复&#34;错误。
为了完整性,请点击重定向到/Login/Login后的结果:
$ echo -e "GET /Login/Login HTTP/1.1\nHost:example.com\n" | openssl s_client -connect example.com:443 \
-ssl3 -ign_eof -CAfile Equifax_Secure_Certificate_Authority.pem
CONNECTED(00000003)
...
Start Time: 1407403671
Timeout : 7200 (sec)
Verify return code: 0 (ok)
read R BLOCK
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Aug 2014 09:27:29 GMT
Content-Length: 1547
<html>
<body>
<form action="/Login/Login" method="post"> <div style="height: 140px">
</div>
<table style="width: 400px; border: 1px solid #058fbe;" cellpadding="5" align="center">
<tr>
<td colspan="2" align="center" style="background-color: #058fbe">
<span style="color: #FFF; font-family: Arial, Helvetica, sans-serif;
font-weight: bold; font-size: 14pt">TERRANET. ZONA ADMINISTRACIÓN</span>
</td>
</tr>
<tr>
<td width="150px">
<img src="/Content/img/login.png" width="150px" />
</td>
<td>
<span style="color: #058fbe; font-family: Arial, Helvetica, sans-serif;
font-weight: bold; font-size: 10pt">usuario</span><br />
<input type="text" style="border: 1px solid #058fbe; width: 190px" name="usuario" /><br />
<span style="color: #058fbe; font-family: Arial, Helvetica, sans-serif;
font-weight: bold; font-size: 10pt">contraseña</span><br />
<input type="password" style="border: 1px solid #058fbe; width: 190px" name="pass" /><br />
<br />
<input type="submit" value="entrar" style="background-color: #058fbe;
width: 80px; color: white; font-family: Arial, Helvetica, sans-serif;
font-weight: bold; font-size: 10pt; border: none" />
</td>
</tr>
</table>
</form>
</body>
</html>
编辑(2014年8月7日):我看到您对HTTP/1.1 301 Moved Permanently的更改。
我今天进行了一些浏览器测试。我用过:
- Chrome(Mac Book)
- Firefox(Mac Book)
- Safari(Mac Book)。
- 移动浏览器(Android)
- 移动Chrome(iPhone)
- Mobile Safari(iPhone)
- 资源管理器(Surface Pro)
大部分都按预期工作。
Surface Pro平板电脑上的资源管理器挂起。
Android的浏览器(com.android.browser)提示输入客户端证书(这就是我被提示设置PIN码的原因):
Safari桌面提示输入客户端证书:
您需要客户证书吗?如果是这样,那可能就是问题所在。客户端证书在浏览器中很乱。
如果您不需要它们,请在IIS中禁用它们。请参阅Specify Whether to Use Client Certificates (IIS 7)。
答案 1 :(得分:2)
这可能是因为IP绑定使其正常工作您的HTTPS和HTTP都应该绑定到IIS中的相同IP地址。
您是否尝试过重启IIS?它可以解决问题。
相关问题
最新问题
- 我写了这段代码,但我无法理解我的错误
- 我无法从一个代码实例的列表中删除 None 值,但我可以在另一个实例中。为什么它适用于一个细分市场而不适用于另一个细分市场?
- 是否有可能使 loadstring 不可能等于打印?卢阿
- java中的random.expovariate()
- Appscript 通过会议在 Google 日历中发送电子邮件和创建活动
- 为什么我的 Onclick 箭头功能在 React 中不起作用?
- 在此代码中是否有使用“this”的替代方法?
- 在 SQL Server 和 PostgreSQL 上查询,我如何从第一个表获得第二个表的可视化
- 每千个数字得到
- 更新了城市边界 KML 文件的来源?