我大概在一两个星期前就能访问该网站。最近,无论我使用什么浏览器,计算机或设备从网络内部访问dmv.ca.gov,SSL握手都会失败,并且该站点将给出空响应。我可以访问其他站点,包括ca.gov,但不能访问dmv.ca.gov。我认为握手失败,因为服务器没有响应。
当我从ubuntu框中运行openssl时,得到以下输出:
captain@HARM01NGINX01:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:error in SSLv2/v3 read server hello A
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 324 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1531959808
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
但是,我期望的是以下内容(对我拥有的AWS实例使用相同的命令:
ubuntu@ip-10-0-144-141:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:unknown state
SSL_connect:error in unknown state
SSL_connect:error in unknown state
read R BLOCK
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = US, postalCode = 95814, ST = CA, L = Sacramento, street = "1325 J Street, Suite 1600", O = State of California, OU = Department of Motor Vehicles, OU = Hosted by State of California, OU = Multi-Domain SSL, CN = www.dmv.ca.gov
verify return:1
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:error in unknown state
read R BLOCK
SSL_connect:error in unknown state
read R BLOCK
SSL_connect:unknown state
read R BLOCK
---
Certificate chain
0 s:/C=US/postalCode=95814/ST=CA/L=Sacramento/street=1325 J Street, Suite 1600/O=State of California/OU=Department of Motor Vehicles/OU=Hosted by State of California/OU=Multi-Domain SSL/CN=www.dmv.ca.gov
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIINzCCBx+gAwIBAgIRAJ2VHzZ23HIPwp3suYpAPogwDQYJKoZIhvcNAQELBQAw
gZYxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTwwOgYD
VQQDEzNDT01PRE8gUlNBIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIFNlY3VyZSBT
ZXJ2ZXIgQ0EwHhcNMTgwNDI3MDAwMDAwWhcNMjAwNDI2MjM1OTU5WjCCAQQxCzAJ
BgNVBAYTAlVTMQ4wDAYDVQQREwU5NTgxNDELMAkGA1UECBMCQ0ExEzARBgNVBAcT
ClNhY3JhbWVudG8xIjAgBgNVBAkTGTEzMjUgSiBTdHJlZXQsIFN1aXRlIDE2MDAx
HDAaBgNVBAoTE1N0YXRlIG9mIENhbGlmb3JuaWExJTAjBgNVBAsTHERlcGFydG1l
bnQgb2YgTW90b3IgVmVoaWNsZXMxJjAkBgNVBAsTHUhvc3RlZCBieSBTdGF0ZSBv
ZiBDYWxpZm9ybmlhMRkwFwYDVQQLExBNdWx0aS1Eb21haW4gU1NMMRcwFQYDVQQD
Ew53d3cuZG12LmNhLmdvdjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANICIjcwXvW6kwMzboV0jD0eTSfH6ZXTZWRW6cDCHKV+cn2Ut4AVjLduJ++3GH3T
XzGlBFKTjccs+CB3lZJCk/8CbCr0zWuxVvIn+EQlTU5bjxK8hpZxGMk4Xqck8UOQ
k3slP/DeQ6e59bxBiNXXfDSlMIti75oVN6Q9IKMNRSY78xOtIyath8EGS0QxeHmU
AlLvtreKPsi/s1zwc9sCi6o+KLthiQOBV0tBcaMwH3O0zWU6izo4urOZnGdtcEto
3WClQIODfDey2oMtJIZg7zi9U2PjInJHX/NHLbDTT/50C6gEuTsVDUecc51tlkuX
5/PPh7qBQeffLqeACCbi0AUCAwEAAaOCBA0wggQJMB8GA1UdIwQYMBaAFJrzK9rP
rU+2L7sqSEgqErcbQsEkMB0GA1UdDgQWBBQCpbBSuY1+fz9cPVBsP2qXDy7OgzAO
BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwUAYDVR0gBEkwRzA7BgwrBgEEAbIxAQIBAwQwKzApBggrBgEF
BQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwCAYGZ4EMAQICMFoG
A1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JT
QU9yZ2FuaXphdGlvblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYsGCCsG
AQUFBwEBBH8wfTBVBggrBgEFBQcwAoZJaHR0cDovL2NydC5jb21vZG9jYS5jb20v
Q09NT0RPUlNBT3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
dDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMIHJBgNVHREE
gcEwgb6CDnd3dy5kbXYuY2EuZ292ggpkbXYuY2EuZ292gg5lZGwuZG12LmNhLmdv
doIRZWRsYXBwLmRtdi5jYS5nb3aCEXJlYWxpZC5kbXYuY2EuZ292ghFzdXJ2ZXku
ZG12LmNhLmdvdoISd3d3LmVkbC5kbXYuY2EuZ292ghV3d3cuZWRsYXBwLmRtdi5j
YS5nb3aCFXd3dy5yZWFsaWQuZG12LmNhLmdvdoIVd3d3LnN1cnZleS5kbXYuY2Eu
Z292MIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoAdwDuS723dc5guuFCaR+r4Z5m
ow9+X7By2IMAxHuJeqj9ywAAAWMJf5JMAAAEAwBIMEYCIQClJmCF9j3SuP7g9By5
MtBXlmWmJkyVbdWi6kke6bhWcwIhAJwe9WqgMawyVYZ832Kf9av6pqqdTG/gSlM+
c3XXkeWaAHcAXqdz+d9WwOe1Nkh90EngMnqRmgyEoRIShBh1loFxRVgAAAFjCX+U
YgAABAMASDBGAiEA1icqpmdKyGl4Wj1iYjxzt52uDsVlKR7m8VqEnd5ke4wCIQCp
9zFllGV53sreB5FvPv8R51l91/JSlup21Sf3me+ugQB2AFWB1MIWkDYBSuoLm1c8
U/DA5Dh4cCUIFy+jqh0HE9MMAAABYwl/kmwAAAQDAEcwRQIgfYoeUJVqJm6+hVwT
IJIxsIuOrBHOT9qCALxHknWXRqoCIQCZStG+T0f+FTPhbhmpmSTRv5cccuuxHEIh
iVo/R+hHMzANBgkqhkiG9w0BAQsFAAOCAQEAYzW4ZehiSJGiEAd+yg3pvYlzD3E7
WYbU8zzBXzo6CoPlpV5Ev4XHUXqawZ5tQO9H03yFHhoSjymLsnIa5URhday0z81s
yIasFymBYGwyccRgzX4Qd6V3tiArY7zDY9Hf00/yp9SSJe6a4KX/aCibsGnX/DIq
91RJNdGfOjd/94jMz9X/umrlvLWJ9ZqVMZYycLO9hkgGdYJQjYDf0wFd+jQ+c+b5
BjVOuO0HHWMfkE+CprcwNSJFzcKHuRUX0gn7EmiYebOLf2P5sRpMN51NQBD0RCSg
ZPOqG1ImhxRaWREfMm4uXJIYZeFU+Xt1NS+gCw752lm4tibJnn3wG1lVYg==
-----END CERTIFICATE-----
subject=/C=US/postalCode=95814/ST=CA/L=Sacramento/street=1325 J Street, Suite 1600/O=State of California/OU=Department of Motor Vehicles/OU=Hosted by State of California/OU=Multi-Domain SSL/CN=www.dmv.ca.gov
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5576 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 789084EE893DD466F4A9A06493691CAF46BCFC14728AF6FBB2A5D6AFEFAEE9CE
Session-ID-ctx:
Master-Key: F88F1EF27749B19B08AC56049072A8C69534D0157E0642CB73952DA1A1F66371C3C32C05AEA248A9272D16D6766483CB
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1531959941
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=104
DIG给我相同的dns记录,所以我知道我正在连接到正确的服务器。
在这一点上,我的想法不多了。所以,我问大家,我接下来可以看什么或进行测试?
我有Verizon提供的actiontec路由器,我需要检查该设备上是否有任何设置。
编辑:使用tls和curl和wget:
captain@HARM01NGINX01:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov -tls1_2
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:error in unknown state
write R BLOCK
SSL_connect:error in unknown state
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1532398652
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
captain@HARM01NGINX01:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov -tls1
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:error in unknown state
write R BLOCK
SSL_connect:error in unknown state
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1532398670
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
captain@HARM01NGINX01:~$ curl dmv.ca.gov
curl: (56) Recv failure: Connection reset by peer
captain@HARM01NGINX01:~$ wget dmv.ca.gov
--2018-07-23 19:18:52-- http://dmv.ca.gov/
Resolving dmv.ca.gov (dmv.ca.gov)... 107.162.129.29
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-07-23 19:18:57-- (try: 2) http://dmv.ca.gov/
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-07-23 19:19:03-- (try: 3) http://dmv.ca.gov/
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-07-23 19:19:10-- (try: 4) http://dmv.ca.gov/
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... ^C
captain@HARM01NGINX01:~$ wget https://dmv.ca.gov
--2018-07-23 19:19:21-- https://dmv.ca.gov/
Resolving dmv.ca.gov (dmv.ca.gov)... 107.162.129.29
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:443... connected.
Unable to establish SSL connection.