IIS:SSL 站点未通过 https 响应所有浏览器/设备
Posted
技术标签:
【中文标题】IIS:SSL 站点未通过 https 响应所有浏览器/设备【英文标题】:IIS: SSL Site not respond to all browsers/devices by https 【发布时间】:2014-09-20 11:39:29 【问题描述】:我已经为我的站点安装了 Geotrust 证书,该证书通过 IIS7 运行。证书已正确安装,但我得到了意外的结果。当我向http://example.com 发出请求时,它在每个浏览器/设备上都运行良好,但是当我向https://example.com 发出请求时,它只在某些浏览器/设备中响应,例如: - 在同一台 PC 上,仅在 Firefox 中响应良好,但在 IE 或 Chrome 中响应不佳。 - 在其他电脑上不响应任何浏览器。 - 最奇怪的是,在我的智能手机中,没有通过 wifi 响应,但是当我通过 3G 连接时,站点正确响应 https。 - 我也在 labtop 中测试,通过 wifi 网站没有响应,但如果我共享从智能手机到 labtop 的 3g 连接,网络可以正常工作。
EDIT:openssl 命令的结果:
Loading 'screen' into random state - done
CONNECTED(000001C4)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=ES/ST=Malaga/L=Malaga/O=domain/CN=www.domain.net/OU=domain
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIExjCCA66gAwIBAgIQeee0uwSySeNXOkI+BUoMMzANBgkqhkiG9w0BAQUFADBE
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMU
...
doLsKI2R6RQA/7IcuTpKkvLF5wYKvmocPxYVg9FOoFvKV0wjWo6qlwsANPAVov+7
zFzZreROa7lBj8UH0IyYjLmBrbe1yMr/Cmg=
-----END CERTIFICATE-----
subject=/C=ES/ST=Malaga/L=Malaga/O=domain/CN=www.domain.net/OU=domain
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 3405 bytes and written 645 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: D80B0000C341A313FBA6527E6576D1D71ACA71E680528EE880649C8166AA7C1B
Session-ID-ctx:
Master-Key: F1D5AB2E543959B3D100CC16365884DEFF06E56E3C57839A64088744FFCAEDCE
24B744836326E46828537C64884081B0
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1407168950
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
经过一些搜索和测试一些想法后,我什么都没做,我快疯了。有什么想法吗?
【问题讨论】:
客户端证书在浏览器中是一团糟。对于测试,您应该禁用它们。见Specify Whether to Use Client Certificates (IIS 7)。 【参考方案1】:这可能是因为 IP 绑定要使其正常工作,您的 HTTPS 和 HTTP 都应该绑定到 IIS 中的相同 IP 地址。
您是否尝试过重新启动 IIS?它可能会解决问题。
【讨论】:
嗨,杰克,我重新启动了 IIS,即使我重新启动服务器也没有任何结果。 你在域名中绑定了443端口吗?【参考方案2】:...但是当我向https://example.com 发出请求时,它只在某些浏览器/设备中响应...
好的,证书链看起来没问题。我从您为以下测试发布的证书中获取了您的服务器名称。您可以通过openssl x509 运行您的证书并查看CN 和SAN:
$ openssl x509 -in server-cert.pem -inform PEM -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
79:e7:b4:bb:04:b2:49:e3:57:3a:42:3e:05:4a:0c:33
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G2
Validity
Not Before: Jun 11 00:00:00 2014 GMT
Not After : Jun 11 23:59:59 2015 GMT
Subject: C=ES, ST=Malaga, L=Malaga, O=Example, CN=www.example.com, OU=Example, LLC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a2:f6:fd:b0:30:10:91:55:3f:ec:ce:fa:d8:9e:
84:cd:60:c4:dd:a8:f0:42:37:66:a9:98:80:35:d8:
...
13:db:e9:98:c5:1a:ac:31:50:70:e1:6e:8d:1f:2a:
7d:b5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:www.example.com, DNS:example.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
Full Name:
URI:http://gb.symcb.com/gb.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.54
CPS: https://d.symcb.com/cps
User Notice:
Explicit Text: https://d.symcb.com/rpa
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Authority Key Identifier:
keyid:11:4A:D0:73:39:D5:5B:69:08:5C:BA:3D:BF:64:9A:A8:8B:1C:55:BC
Authority Information Access:
OCSP - URI:http://gb.symcd.com
CA Issuers - URI:http://gb.symcb.com/gb.crt
Signature Algorithm: sha1WithRSAEncryption
52:60:0e:f3:c7:fb:16:49:cf:4f:7c:91:d9:c9:b9:d5:92:62:
75:c9:05:f1:b7:cf:ea:30:53:44:5d:a7:1e:c7:eb:fd:a9:ab:
...
e4:4e:6b:b9:41:8f:c5:07:d0:8c:98:8c:b9:81:ad:b7:b5:c8:
ca:ff:0a:68
你有 两个 example.com 和 www.example.com。没关系。
一个小小的挑剔。 IETF 和 CA/浏览器论坛均不赞成将 DNS 名称放在通用名称 (CN) 中。 DNS 名称应放在使用者备用名称 (SAN) 中。在 CN 中放置一个友好的名称,因为它通常显示给用户。
问题应该不产生您遇到的问题。事实上,我将 Startcom 证书用于我的 Web 和邮件服务器,从未遇到过问题。
接下来,OpenSSL 的 “验证返回码:20(无法获得本地颁发者证书)” 投诉是因为您没有将CAfile 选项与<Equifax Secure Certificate Authority>.pem 一起使用.有兴趣的可以从GeoTrust Root Certificates下载。我将在下面使用它来确保 “验证返回码:0(ok)”。
现在,检查一下(SSLv3):
$ echo -e "GET / HTTP/1.1\n" | openssl s_client -connect example.com:443 \
-ssl3 -ign_eof -CAfile Equifax_Secure_Certificate_Authority.pem
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G2
verify return:1
depth=0 C = ES, ST = Malaga, L = Malaga, O = Example, LLC, CN = www.example.com, OU = Example, LLC
verify return:1
---
Certificate chain
0 s:/C=ES/ST=Malaga/L=Malaga/O=Example, LLC/CN=www.example.com/OU=Example, LLC
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
...
Start Time: 1407401571
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 07 Aug 2014 08:52:28 GMT
Connection: close
Content-Length: 334
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Hostname</h2>
<hr><p>HTTP Error 400. The request hostname is invalid.</p>
</BODY></HTML>
read:errno=0
和(带有 SNI 的 TLS 1.0):
$ echo -e "GET / HTTP/1.1\n" | openssl s_client -connect example.com:443 \
-tls1 -servername example.com -ign_eof -CAfile Equifax_Secure_Certificate_Authority.pem
CONNECTED(00000003)
...
Start Time: 1407401898
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 07 Aug 2014 08:57:55 GMT
Connection: close
Content-Length: 334
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Hostname</h2>
<hr><p>HTTP Error 400. The request hostname is invalid.</p>
</BODY></HTML>
read:errno=0
它似乎与服务器名称指示 (SNI) 无关。我不确定 SNI 在这一点上是否受到表彰。这是 IIS 7.5 或更低版本吗? IIS 8 provides SNI,这可能有助于解决问题,因为请求将立即路由到 IIS 中的正确虚拟域。
接下来,添加主机头:
$ echo -e "GET / HTTP/1.1\nHost:example.com\n" | openssl s_client -connect example.com:443 \
-ssl3 -ign_eof -CAfile Equifax_Secure_Certificate_Authority.pem
CONNECTED(00000003)
...
Start Time: 1407402117
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
read R BLOCK
HTTP/1.1 302 Found
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Location: /Login/Login
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=310xiuzver13lqoau0il0tsu; path=/; HttpOnly
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Aug 2014 09:01:34 GMT
302 重定向看起来不对。不应该是301吗?见HTTP redirect: 301 (permanent) vs. 302 (temporary)。另请查看How can I make Chrome stop caching redirects? 和“无法修复”错误。
为了完整起见,以下是重定向到 /Login/Login 后的结果:
$ echo -e "GET /Login/Login HTTP/1.1\nHost:example.com\n" | openssl s_client -connect example.com:443 \
-ssl3 -ign_eof -CAfile Equifax_Secure_Certificate_Authority.pem
CONNECTED(00000003)
...
Start Time: 1407403671
Timeout : 7200 (sec)
Verify return code: 0 (ok)
read R BLOCK
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Aug 2014 09:27:29 GMT
Content-Length: 1547
<html>
<body>
<form action="/Login/Login" method="post"> <div style="height: 140px">
</div>
<table style="width: 400px; border: 1px solid #058fbe;" cellpadding="5" align="center">
<tr>
<td colspan="2" align="center" style="background-color: #058fbe">
<span style="color: #FFF; font-family: Arial, Helvetica, sans-serif;
font-weight: bold; font-size: 14pt">TERRANET. ZONA ADMINISTRACIÓN</span>
</td>
</tr>
<tr>
<td >
<img src="/Content/img/login.png" />
</td>
<td>
<span style="color: #058fbe; font-family: Arial, Helvetica, sans-serif;
font-weight: bold; font-size: 10pt">usuario</span><br />
<input type="text" style="border: 1px solid #058fbe; width: 190px" name="usuario" /><br />
<span style="color: #058fbe; font-family: Arial, Helvetica, sans-serif;
font-weight: bold; font-size: 10pt">contraseña</span><br />
<input type="password" style="border: 1px solid #058fbe; width: 190px" name="pass" /><br />
<br />
<input type="submit" value="entrar" style="background-color: #058fbe;
width: 80px; color: white; font-family: Arial, Helvetica, sans-serif;
font-weight: bold; font-size: 10pt; border: none" />
</td>
</tr>
</table>
</form>
</body>
</html>
编辑(2014 年 8 月 7 日):我看到您对 HTTP/1.1 301 Moved Permanently 的更改。
我今天进行了一些浏览器测试。我用过:
Chrome (Mac Book) Firefox (Mac Book) Safari (Mac Book)。 移动浏览器 (android) 移动 Chrome (iPhone) 移动 Safari (iPhone) Explorer(Surface Pro)大部分都按预期工作。
Surface Pro 平板电脑上的 Explorer 挂起。
Android 的浏览器 (com.android.browser) 提示输入客户端证书(这就是提示我设置 PIN 的原因):
Safari 桌面提示输入客户端证书:
您需要客户证书吗?如果是这样,那可能就是问题所在。客户端证书在浏览器中是一团糟。
如果您不需要它们,请在 IIS 中禁用它们。见Specify Whether to Use Client Certificates (IIS 7)。
【讨论】:
我已将 302 更改为 301 永久重定向。但我不太明白如何解决这个问题。您可以使用安全证书以上是关于IIS:SSL 站点未通过 https 响应所有浏览器/设备的主要内容,如果未能解决你的问题,请参考以下文章