我无法通过 HTTPS 访问我的 Synology DSM918 (NAS(,该路由器位于具有公共静态 IPv4 地址且域指向它的路由器后面。网络拓扑如图所示。
问题是,每当我尝试从连接到无线网桥的计算机 (PC2( 访问 NAS 时,一切都按预期工作。 但是,当我尝试从直接连接到路由器的计算机(PC1_访问 NAS 时,我无法使用域名访问它(我只能通过本地 IP 地址连接(。
我试图调查这个问题,发现以下内容:
curl https://<domain-name> -v
* Rebuilt URL to: https://<domain-name>
* Trying <ipv4-address>...
* TCP_NODELAY set
* Connected to <domain-name> (<ipv4-address>) port <port> (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <domain-name>:<port>
* stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <domain-name>:<port>
openssl s_client -connect <domain-name>:<port> -msg -showcerts
CONNECTED(00000005)
>>> TLS 1.2 Handshake [length 00c3], ClientHello
...
<<< TLS 1.2 Handshake [length 0059], ServerHello
...
<<< TLS 1.2 Handshake [length 09fc], Certificate
...
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = <domain-name>
verify return:1
<<< TLS 1.2 Handshake [length 014d], ServerKeyExchange
...
>>> TLS 1.2 Handshake [length 0046], ClientKeyExchange
...
>>> TLS 1.2 ChangeCipherSpec [length 0001]
01
>>> TLS 1.2 Handshake [length 0010], Finished
14 00 00 0c 18 f1 a3 91 fe 6d 91 a2 86 62 fd 81
4711933548:error:1401E0E5:SSL routines:CONNECT_CR_FINISHED:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:585:
---
...
...
...
---
SSL handshake has read 3002 bytes and written 126 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: ACCB7A7AACFD5A838382B467FBFE26766E0D6147CAAE3A51FEE5A7B39BD84004
Session-ID-ctx:
Master-Key: 015E73F4347EF4954DA9FE58F5F34D73A662EDDEE9F7B4F8650977756EE2778DFB80F0C22ABF608B8CE55721578A9CA4
Start Time: 1577712963
Timeout : 7200 (sec)
Verify return code: 0 (ok)
谁能帮助我并指出正确的方向?对我来说,路由器似乎以某种方式使SSL握手畸形。
提前非常感谢!
我怀疑 Synology 在 TLS 方面存在普遍问题。我无法在同一邮件服务器(Mail Plus,端口 587(上通过 TLS 接收从 Acronis 发送的邮件。我什至尝试配置"旧的TLS兼容性",但它不起作用。我不得不坚持使用端口 25 上的未加密邮件。
除此之外:似乎对相关目录的访问权限并不总是正确设置。在过去的几天里,我设置了一个 Git 服务器,并且不得不浏览各种说明和帖子,直到我得到正确的配置。