我有一個 dovecot/postfix/fail2ban 設定運行得很好,直到幾天前:當我從外部連接(例如我的本地主機)時,我得到
CONNECTED(000002F8)
write:errno=10054
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 326 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1569483184
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
但是當我本地連線時
me@example:/etc/dovecot/conf.d$ openssl s_client localhost:995
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
0 s:CN = example.com
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
bla
-----END CERTIFICATE-----
subject=CN = example.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3274 bytes and written 767 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: bla
Session-ID-ctx:
Resumption PSK: bla
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
bla
Start Time: 1569483321
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: bla
Session-ID-ctx:
Resumption PSK: bla
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
bla
Start Time: 1569483321
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
+OK Dovecot (Ubuntu) ready.
我搜尋了日誌,沒有發現任何可疑的東西。畢竟,它清楚地表明我可以在本地主機上連接並獲得證書。然而,從外部我可以連接(CONNECTED(000002F8)),但我沒有獲得證書。
我需要去哪裡看..?什麼可能會導致這樣的問題?
謝謝!
答案1
write:errno=10054
...
SSL 握手已讀取 0 位元組並寫入 326 位元組
雖然您可以先連接,但連接會重設(10054 是 WSAECONNRESET - 連接由對等方重設)。造成這種情況的可能原因是客戶端和伺服器之間存在深度檢查防火牆,當它看到 TLS 握手並且不允許使用此協定時,它會阻止連線。這會導致沒有從伺服器讀取資料(“...已讀取 0 個位元組”),因此也沒有憑證或 TLS 握手的任何其他伺服器端部分。