在docker容器中通过网桥时无法访问SSL IP。获取SSL\u错误\u系统调用
我在通过IP+TLS连接到任何服务器时遇到问题,但在(默认)网桥中运行时,只能从docker容器中连接。我总是在连接到W.X.Y.Z时得到在docker容器中通过网桥时无法访问SSL IP。获取SSL\u错误\u系统调用,docker,ssl,curl,openssl,Docker,Ssl,Curl,Openssl,我在通过IP+TLS连接到任何服务器时遇到问题,但在(默认)网桥中运行时,只能从docker容器中连接。我总是在连接到W.X.Y.Z时得到OpenSSL SSL\u connect:SSL\u ERROR\u SYSCALL。我试过tcpdump(在容器中)和wireshark(在主机上本地)都没有用 我的工作伙伴具有相同的OS/Docker版本,无法重现该问题。我不知道如何调试这个问题 我试过: 各种图像(ubuntu和alpine) 各种客户端(curl和wget) 各种TLS版本(1.3
OpenSSL SSL\u connect:SSL\u ERROR\u SYSCALL
。我试过tcpdump(在容器中)和wireshark(在主机上本地)都没有用
我的工作伙伴具有相同的OS/Docker版本,无法重现该问题。我不知道如何调试这个问题
我试过:
- 各种图像(ubuntu和alpine)
- 各种客户端(curl和wget)
- 各种TLS版本(1.3和1.2)
FROM ubuntu:latest
RUN apt update && apt upgrade -y && apt install -y curl tcpdump openssl wget
问题:
FROM ubuntu:latest
RUN apt update && apt upgrade -y && apt install -y curl tcpdump openssl wget
docker运行-it--rm repo/bin/bash
#在docker bash shell中,如果我尝试卷曲一个常规https主机名,一切都很好:
root@ba6f8aab182d:/#curl-vhttps://www.google.com
*正在尝试172.217.10.36:443。。。
*TCP_节点集
*已连接到www.google.com(172.217.10.36)端口443(#0)
*阿尔卑斯山,提供h2
*ALPN,提供http/1.1
*已成功设置证书验证位置:
*CAfile:/etc/ssl/certs/ca-certificates.crt
CApath:/etc/ssl/certs
*TLSv1.3(输出),TLS握手,客户端问候(1):
*TLSv1.3(IN)、TLS握手、服务器hello(2):
*TLSv1.3(IN)、TLS握手、加密扩展(8):
*TLSv1.3(IN),TLS握手,证书(11):
*TLSv1.3(IN)、TLS握手、证书验证(15):
*TLSv1.3(IN),TLS握手,完成(20):
*TLSv1.3(OUT),TLS更改密码,更改密码规范(1):
*TLSv1.3(输出),TLS握手,完成(20):
*使用TLSv1.3/TLS_AES_256_GCM_SHA384的SSL连接
*ALPN,服务器接受使用h2
*服务器证书:
* ...
#如果我再试一次,但这次使用的是ip而不是主机名
root@ba6f8aab182d:/#curl-vhttps://172.217.10.36
*正在尝试172.217.10.36:443。。。
*TCP_节点集
*连接到172.217.10.36(172.217.10.36)端口443(#0)
*阿尔卑斯山,提供h2
*ALPN,提供http/1.1
*已成功设置证书验证位置:
*CAfile:/etc/ssl/certs/ca-certificates.crt
CApath:/etc/ssl/certs
*TLSv1.3(输出),TLS握手,客户端问候(1):
*OpenSSL SSL\u连接:连接到172.217.10.36:443的SSL\u错误\u系统调用
*正在关闭连接0
curl:(35)OpenSSL SSL\u连接:连接到172.217.10.36:443的SSL\u错误\u系统调用
上述两个调用(curl HOSTNAME,然后curl MATCHINGIP)在主机上运行正常。
ubuntu容器中的其他信息:
root@ba6f8aab182d:/# openssl version
OpenSSL 1.1.1f 31 Mar 2020
root@ba6f8aab182d:/# curl --version
curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
来自主机的其他信息:
$ docker version
Client: Docker Engine - Community
Cloud integration: 1.0.12
Version: 20.10.5
API version: 1.41
Go version: go1.13.15
Git commit: 55c4c88
Built: Tue Mar 2 20:13:00 2021
OS/Arch: darwin/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.5
API version: 1.41 (minimum version 1.12)
Go version: go1.13.15
Git commit: 363e9a8
Built: Tue Mar 2 20:15:47 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.4
GitCommit: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
runc:
Version: 1.0.0-rc93
GitCommit: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
docker-init:
Version: 0.19.0
GitCommit: de40ad0
$docker网络检查网桥
[
{
“名称”:“桥梁”,
“Id”:“4b8797bccccd628a6280199eb5c0372cd08d521a88a29243b174718569e9cc7e”,
“已创建”:“2021-04-15T17:24:33.631745871Z”,
“范围”:“本地”,
“司机”:“驾驶台”,
“EnableIPv6”:false,
“IPAM”:{
“驱动程序”:“默认值”,
“选项”:空,
“配置”:[
{
“子网”:“172.17.0.0/16”,
“网关”:“172.17.0.1”
}
]
},
“内部”:错误,
“可附加”:错误,
“入口”:假,
“配置自”:{
“网络”:”
},
“仅配置”:false,
“容器”:{
“ba6f8aab182daebd4f0b0dc449929585637cd46bc532f61991bfa28c40e09ceb”:{
“名称”:“华丽的朱可夫斯基”,
“端点ID”:“E29407BAF0EB8AC069416A8F77794B548D31F05BF9FB6C223FB58C935AFF24C”,
“MacAddress”:“02:42:ac:11:00:02”,
“IPV4地址”:“172.17.0.2/16”,
“IPV6地址”:”
}
},
“选择”:{
“com.docker.network.bridge.default_bridge”:“true”,
“com.docker.network.bridge.enable_icc”:“true”,
“com.docker.network.bridge.enable_ip_伪装”:“true”,
“com.docker.network.bridge.host\u binding\u ipv4”:“0.0.0.0”,
“com.docker.network.bridge.name”:“docker0”,
“com.docker.network.driver.mtu”:“1500”
},
“标签”:{}
}
]
编辑
在容器中尝试openssl s_client-cipher ALL-servername 172.217.10.36:443-connect 172.217.10.36:443
,我得到:
root@ba6f8aab182d:/# openssl s_client -cipher ALL -servername 172.217.10.36:443 -connect 172.217.10.36:443
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 403 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
在主机上时,我得到:
openssl s_client -cipher ALL -servername 172.217.10.36:443 -connect 172.217.10.36:443
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
[... certificate was here ...]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 3206 bytes and written 339 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: 052A69E409C0705AEAB8A180228C3F8E91A530504EFB06BA9214365F6B99DCAC
Session-ID-ctx:
Master-Key: A4EAC218352BBEAF3A43AB625266304DCF495FFE8A916C638679473AD20DC01B508158B8C0AA39A97003FEC5B8ABD7EC
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
[... a lot of stuff here ...]
Start Time: 1618514134
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
问题似乎出在Mac 3.3.0和3.3.1的Docker上 解决方案是降级到3.2.2,即使docker引擎是相同的
请参阅使用then openssl工具时发生的情况:
openssl s_client-cipher ALL-servernamehttps://172.217.10.36 -连接https://172.217.10.36
您可能还想尝试使用“启用弱ssl密码”配置OpenSSL本文提供了更多信息:我必须将您的命令修改为openssl s_client-cipher ALL-servername 172.217.10.36:443-connect 172.217.10.36:443
,才能让它执行某些操作。我将在主机和容器上用此命令的答案修改我的帖子。@user4426017+SNI(-servername)的唯一正确值是DNS名称(FQDN),而不是IP地址,也不是端口或方案或其他任何内容;见rfc6066。但是OpenSSL并没有强制执行这一点,而且谷歌足够大,他们忽略了SNI。不管怎样,主机和docker之间没有什么不同。OP:tcpdump和wireshark“无效”是什么意思?这个问题,或者至少是症状,肯定是网络层面的问题。你看到ClientHello退出了吗?如果接下来在TCP级别发生什么事情呢?在IP级别?在ICMP级别?容器内外是否相同?主机上的@dave_thompson_085 tcpdump在尝试从容器内部卷曲到IP时,不会显示任何内容,但在使用DNS名称卷曲(再次从容器内部卷曲)时,会正确显示所有内容。在这种情况下,我怀疑docker桥出了问题,但我不知道如何调试它。docker 3.3.3已退出,此问题现已修复。(也相关)