Gentoo Forums
[Strange] Problem opening https pages
Bialy
Guru
Joined: 20 Mar 2006
Posts: 486

Posted: Tue Jun 05, 2012 7:51 pm    Post subject: [Strange] Problem opening https pages

I'm seeing a beautifully strange problem with opening https pages.

But from the beginning:
I use Gentoo as a server/router. Squid and Iptables are installed.
HTTP is redirected to Squid:
Code:
[I] net-proxy/squid
     Available versions:  2.7.9 3.1.15 3.1.16 ~3.1.18 3.1.19 {caps ecap elibc_uclibc +epoll icap-client ipf-transparent ipv6 kerberos kernel_linux kqueue ldap logrotate mysql nis pam pf-transparent postgres radius samba sasl selinux snmp sqlite ssl test tproxy zero-penalty-hit}
     Installed versions:  3.1.19(10:35:30 10.05.2012)(epoll kernel_linux logrotate pam sqlite ssl -caps -ecap -elibc_uclibc -icap-client -ipf-transparent -ipv6 -kerberos -kqueue -ldap -mysql -nis -pf-transparent -postgres -radius -samba -sasl -selinux -snmp -test -tproxy -zero-penalty-hit)

cat /etc/squid/squid.conf
http_port 8080 transparent
maximum_object_size 1024 MB
cache_dir ufs /home/squid 1024 32 256
visible_hostname cos.tam.pl

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl siec src 000.111.222.333/24

http_access allow manager localhost
http_access deny manager
http_access allow siec
http_access deny all

[I] net-firewall/iptables
     Available versions:  1.4.6 1.4.10 ~1.4.10-r1 1.4.11.1-r2 ~1.4.12 1.4.12.1 ~1.4.12.1-r1 1.4.13 ~1.4.13-r1 {ipv6 netlink static-libs}
     Installed versions:  1.4.13(10:10:14 10.05.2012)(-ipv6 -netlink -static-libs)

iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT -d $LAN_IP --to 8080

The problem shows up as my being unable to open https://facebook.com and https://www.hotmail.com
Other http and https sites work flawlessly.
Facebook works as if I were viewing it in links (it is displayed without background, images, etc.), and hotmail does not load at all.
The problem occurs on all computers in the network and in all browsers.
Even the dedicated Facebook app on Android has stopped working.

Given how widespread the problem is, I suspect Gentoo is behind the whole thing.

Can someone point me to what the problem might be?
SlashBeast
Retired Dev
Joined: 23 May 2006
Posts: 2922

Posted: Tue Jun 05, 2012 9:02 pm

Transparent isn't a good idea anyway, but are you doing this for 443 as well? Check with curl in verbose mode.
Bialy
Guru
Joined: 20 Mar 2006
Posts: 486

Posted: Tue Jun 05, 2012 10:29 pm

SlashBeast wrote:
Transparent isn't a good idea anyway, but are you doing this for 443 as well? Check with curl in verbose mode.

I have no Iptables rule for 443.

--EDIT--

Strange 8O
Code:
curl -v https://hotmail.com
* About to connect() to hotmail.com port 443 (#0)
*   Trying 65.55.72.151... connected
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

This is the output from a Win64 client.
Fiddling around, i.e. with the '-k' option:
Code:
curl -v -k https://hotmail.com
* About to connect() to hotmail.com port 443 (#0)
*   Trying 65.55.72.151... connected
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
*        subject: C=US; ST=WA; L=Redmond; O=Microsoft; OU=WindowsLive; CN=mail.live.com
*        start date: 2011-04-26 18:32:44 GMT
*        expire date: 2013-04-25 18:32:44 GMT
*        subjectAltName: hotmail.com matched
*        issuer: DC=com; DC=microsoft; DC=corp; DC=redmond; CN=Microsoft Secure Server Authority
*        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.23.1 (x86_64-pc-win32) libcurl/7.23.1 OpenSSL/0.9.8r zlib/1.2.5
> Host: hotmail.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: no-cache, no-store, must-revalidate, no-transform
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Expires: -1
< Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1338936266&rver=6.1.6206.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US&cbcxt=mai
< Server: Microsoft-IIS/7.5
< xxn: 16
< P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
< Set-Cookie: KVC=16.2.7030.0523; domain=.mail.live.com; path=/
< Set-Cookie: KVC=16.2.7030.0523; domain=.mail.live.com; path=/
< Set-Cookie: KSC=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: kr=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: bsc=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: rru=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: prc=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: mt=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: DWN=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< MSNSERVER: H: SNT132-W16 V: 16.2.7030.523 D: 2012-05-24T04:59:29
< Date: Tue, 05 Jun 2012 22:44:25 GMT
< Content-Length: 341
<
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=11&amp;ct=1338936266&amp;rver=6.1.6206.0&amp;wp=MBI_SSL_SHARED&amp;wreply=https:%2F%2Fmail.live.com%2Fdefault.aspx&amp;lc=1033&amp;id=64855&amp;mkt=en-US&amp;cbcxt=mai">here</a>.</h2>
</body></html>
* Connection #0 to host hotmail.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):


On the server it seemingly works fine:
Code:
curl -v https://hotmail.com
* About to connect() to hotmail.com port 443 (#0)
*   Trying 65.55.72.167...
* connected
* Connected to hotmail.com (65.55.72.167) port 443 (#0)
* found 165 certificates in /etc/ssl/certs/ca-certificates.crt
*        server certificate verification OK
*        common name: mail.live.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: C=US,ST=WA,L=Redmond,O=Microsoft,OU=WindowsLive,CN=mail.live.com
*        start date: Tue, 26 Apr 2011 18:32:44 GMT

*        expire date: Thu, 25 Apr 2013 18:32:44 GMT

*        issuer: DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
*        compression: NULL
*        cipher: AES-128-CBC
*        MAC: SHA1
> GET / HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-pc-linux-gnu) libcurl/7.24.0 GnuTLS/2.12.18 zlib/1.2.5.1
> Host: hotmail.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: no-cache, no-store, must-revalidate, no-transform
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Expires: -1
< Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1338935663&rver=6.1.6206.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US&cbcxt=mai
< Server: Microsoft-IIS/7.5
< xxn: 58
< P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
< Set-Cookie: KVC=16.2.7030.0523; domain=.mail.live.com; path=/
< Set-Cookie: KVC=16.2.7030.0523; domain=.mail.live.com; path=/
< Set-Cookie: KSC=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: kr=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: bsc=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: rru=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: prc=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: mt=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: DWN=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< MSNSERVER: H: SNT133-W58 V: 16.2.7030.523 D: 2012-05-24T04:59:29
< Date: Tue, 05 Jun 2012 22:34:23 GMT
< Content-Length: 341
<
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=11&amp;ct=1338935663&amp;rver=6.1.6206.0&amp;wp=MBI_SSL_SHARED&amp;wreply=https:%2F%2Fmail.live.com%2Fdefault.aspx&amp;lc=1033&amp;id=64855&amp;mkt=en-US&amp;cbcxt=mai">here</a>.</h2>
</body></html>
* Connection #0 to host hotmail.com left intact
* Closing connection #0


--EDIT2--

What a massacre...
Facebook over HTTPS started working (even on Android).
However, I still cannot get into hotmail (only an empty, white page is displayed).

I just don't get it :?

--EDIT3--

And it stopped working again :cry:
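Added example, not part of the thread or written by its participants: the Win64 trace and the server trace above come from curl builds with different TLS backends (OpenSSL and GnuTLS), which print the certificate fields in different formats. This Python sketch normalises both formats and lists the fields that differ, which separates "the client was shown a different certificate" from "the client could not verify the same certificate". The trace excerpts are constructed from lines quoted in the post, and all function names are illustrative.

```python
import re
from datetime import datetime

# Excerpts constructed from the two curl -v traces quoted in the post:
# OpenSSL-backed curl (Win64 client) and GnuTLS-backed curl (server).
CLIENT_TRACE = """\
*        subject: C=US; ST=WA; L=Redmond; O=Microsoft; OU=WindowsLive; CN=mail.live.com
*        start date: 2011-04-26 18:32:44 GMT
*        expire date: 2013-04-25 18:32:44 GMT
*        issuer: DC=com; DC=microsoft; DC=corp; DC=redmond; CN=Microsoft Secure Server Authority
*        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
"""
SERVER_TRACE = """\
*        subject: C=US,ST=WA,L=Redmond,O=Microsoft,OU=WindowsLive,CN=mail.live.com
*        start date: Tue, 26 Apr 2011 18:32:44 GMT
*        expire date: Thu, 25 Apr 2013 18:32:44 GMT
*        issuer: DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
"""

DATE_FORMATS = ("%Y-%m-%d %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT")
FIELD = re.compile(r"^\*\s+(subject|issuer|start date|expire date):\s*(.+?)\s*$", re.M)

def _dn(value):
    # "A=b; C=d" and "A=b,C=d" both become (("A","b"),("C","d")).
    # Assumption: no attribute value contains ',' or ';' itself.
    parts = [p.strip() for p in re.split(r"[;,]", value) if p.strip()]
    return tuple(tuple(p.split("=", 1)) for p in parts)

def _date(value):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised date format: {value!r}")

def cert_fields(trace):
    # Lines other than the four certificate fields are ignored.
    return {k: (_date(v) if k.endswith("date") else _dn(v)) for k, v in FIELD.findall(trace)}

def differing_fields(client_trace, server_trace):
    # Equal fields are weaker evidence than an equal fingerprint, but they
    # are what curl -v prints by default in both backends.
    a, b = cert_fields(client_trace), cert_fields(server_trace)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

if __name__ == "__main__":
    diff = differing_fields(CLIENT_TRACE, SERVER_TRACE)
    print("certificate fields match" if not diff else f"fields differ: {diff}")
```

An empty result combined with a verification failure on only one side points at that side's trust store or clock rather than at the certificate presented to it.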