无法在我的系统中正确利用客户端 SNI
[英]Unable to properly utilize client-side SNI across my system
问题描述
This question is closely related to my other question: Python `urllib3`: sudden "certificate verify failed: certificate has expired" error .
这个问题与我的另一个问题密切相关: Python `urllib3`:突然的“证书验证失败:证书已过期”错误。
For some reason it seems like my attempts at provide the correct hostname for SNI do not succeed.出于某种原因,我为 SNI 提供正确主机名的尝试似乎没有成功。 This manifested first in the proxy in the linked question, as without properly working SNI it can't successfully validate certificates.这首先体现在链接问题的代理中,因为如果没有正常工作的 SNI,它就无法成功验证证书。 Then as I went onto debugging the issue using an installation of OpenSSL (separate from Python and the system) it also displays the same signs.然后,当我使用安装 OpenSSL(与 Python 和系统分开)调试问题时,它也显示相同的标志。 I decided to see if at least Node.js correctly works with SNI using this script, but no luck:我决定使用此脚本查看至少 Node.js 是否与 SNI 正确配合,但没有运气:
fs = require('fs/promises');
tls = require('tls');
const [,, host, port, file] = process.argv;
const socket = tls.connect({
host, port,
servername: host,
rejectUnauthorized: false,
}, async () => {
const cert = socket.getPeerCertificate(false);
result = tls.checkServerIdentity(host, cert) ? 'No.' : 'Yes.';
console.log('Valid for', cert.subjectaltname + '?', result);
//await fs.writeFile(file, cert.raw)
socket.destroy()
});
I think this output does a good job showcasing the issue:我认为这个 output 很好地展示了这个问题:
> node .\sni-helper.js i.stack.imgur.com 443 test.tmp
Valid for DNS:*.imgur.com, DNS:imgur.com? No.
A dozen of other hostnames likewise do not seem to be properly reflected in the provided certificates.许多其他主机名似乎也没有正确反映在提供的证书中。
My configuration:我的配置:
- Windows 10 x64 fully up to date as of writing this. Windows 10 x64 在撰写本文时完全是最新的。
- Python 3.9.1. Python 3.9.1。
- Node.js v15.5.1. Node.js v15.5.1。
- OpenSSL 1.1.1i 8 Dec 2020. OpenSSL 1.1.1i 2020 年 12 月 8 日。
Did anybody else have this problem?其他人有这个问题吗? I have no idea where to go with this, other than maybe filing an issue in the OpenSSL repo, but I may simply failed at correctly setting my clients up overlooking something blatantly obvious, so I'd like to check with you guys first.除了可能在 OpenSSL 存储库中提交问题外,我不知道 go 的位置在哪里,但我可能只是无法正确设置我的客户而忽略了一些明显的事情,所以我想先和你们核实一下。
1 个解决方案
解决方案1
0 已采纳 2021-04-21 12:49:59
Turned out NetLimiter 4 is to blame.原来 NetLimiter 4 是罪魁祸首。 When weeding out the causes I did initially suspect it, but the problem persisted through a brief time I turned the system service off, so I figured it must be something else.在排除原因时,我最初确实怀疑它,但问题持续了一段时间,我关闭了系统服务,所以我认为它一定是别的东西。 But I didn't know back then it also installs a driver that keeps working independently of the service.但我当时不知道它还安装了一个独立于服务工作的驱动程序。 Once I realized that (took me a long time admittedly) I fully uninstalled the program and now the problem is gone.一旦我意识到(诚然花了我很长时间)我完全卸载了该程序,现在问题就消失了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.