Can't reach an SSL IP from a Docker container through the bridge. Getting SSL_ERROR_SYSCALL

Tags: docker, ssl, curl, openssl

I'm having trouble connecting over IP + TLS to any server, but only from a docker container when it runs on the (default) bridge. I always get
OpenSSL SSL_connect: SSL_ERROR_SYSCALL
when connecting to W.X.Y.Z. I have tried tcpdump (in the container) and wireshark (locally on the host) to no avail.

My work colleague has the same OS/Docker version and cannot reproduce the problem. I don't know how to debug this.

I have tried:

  • various images (ubuntu and alpine)
  • various clients (curl and wget)
  • various TLS versions (1.3 and 1.2)
My container:

FROM ubuntu:latest
RUN apt update && apt upgrade -y && apt install -y curl tcpdump openssl wget

Problem:

docker run -it --rm repo /bin/bash
# In the docker bash shell, if I curl a regular https hostname, everything is fine:
root@ba6f8aab182d:/# curl -v https://www.google.com
*   Trying 172.217.10.36:443...
* TCP_NODELAY set
* Connected to www.google.com (172.217.10.36) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  ...
# If I try again, but this time with the IP instead of the hostname:
root@ba6f8aab182d:/# curl -v https://172.217.10.36
*   Trying 172.217.10.36:443...
* TCP_NODELAY set
* Connected to 172.217.10.36 (172.217.10.36) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 172.217.10.36:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 172.217.10.36:443

Both of the above calls (curl HOSTNAME, then curl MATCHINGIP) work fine on the host.

Other info from inside the ubuntu container:

root@ba6f8aab182d:/# openssl version
OpenSSL 1.1.1f  31 Mar 2020
root@ba6f8aab182d:/# curl --version
curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
Other info from the host:

$ docker version
Client: Docker Engine - Community
 Cloud integration: 1.0.12
 Version:           20.10.5
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        55c4c88
 Built:             Tue Mar  2 20:13:00 2021
 OS/Arch:           darwin/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.5
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       363e9a8
  Built:            Tue Mar  2 20:15:47 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
$ docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "4b8797bccccd628a6280199eb5c0372cd08d521a88a29243b174718569e9cc7e",
        "Created": "2021-04-15T17:24:33.631745871Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "ba6f8aab182daebd4f0b0dc449929585637cd46bc532f61991bfa28c40e09ceb": {
                "Name": "gorgeous_zhukovsky",
                "EndpointID": "E29407BAF0EB8AC069416A8F77794B548D31F05BF9FB6C223FB58C935AFF24C",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
Edit

Trying openssl s_client -cipher ALL -servername 172.217.10.36:443 -connect 172.217.10.36:443 in the container, I get:

root@ba6f8aab182d:/# openssl s_client -cipher ALL -servername 172.217.10.36:443 -connect 172.217.10.36:443
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 403 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
On the host, I get:

openssl s_client -cipher ALL -servername 172.217.10.36:443 -connect 172.217.10.36:443
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
   i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
 1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
[... certificate was here ...]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 3206 bytes and written 339 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 052A69E409C0705AEAB8A180228C3F8E91A530504EFB06BA9214365F6B99DCAC
    Session-ID-ctx:
    Master-Key: A4EAC218352BBEAF3A43AB625266304DCF495FFE8A916C638679473AD20DC01B508158B8C0AA39A97003FEC5B8ABD7EC
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    [... a lot of stuff here ...]
    Start Time: 1618514134
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

The problem seems to be with Docker for Mac 3.3.0 and 3.3.1.

The solution was to downgrade to 3.2.2, even though the docker engine is the same.


See what happens when you use the openssl tool:
openssl s_client -cipher ALL -servername https://172.217.10.36 -connect https://172.217.10.36
You may also want to try configuring OpenSSL with "enable weak ssl ciphers". This article has more info:

I had to modify your command to
openssl s_client -cipher ALL -servername 172.217.10.36:443 -connect 172.217.10.36:443
to get it to do anything. I'll amend my post with the output of this command on the host and in the container.

@user4426017 The only correct value for SNI (-servername) is a DNS name (FQDN), not an IP address, and not a port or scheme or anything else; see rfc6066. But OpenSSL doesn't enforce this, and Google is big enough that they ignore SNI. Either way, there is nothing different between host and docker here. OP: what do you mean tcpdump and wireshark were "to no avail"? This problem, or at least the symptom, is certainly at the network level. Do you see the ClientHello go out? If so, what happens next at the TCP level? At the IP level? At the ICMP level? Is it the same inside and outside the container?

@dave_thompson_085 tcpdump on the host shows nothing at all when trying to curl the IP from inside the container, but shows everything correctly when curling the DNS name (again from inside the container). Given that, I suspect something is wrong with the docker bridge, but I don't know how to debug it.

Docker 3.3.3 is out and this problem is now fixed. (also related)
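The two curl invocations in the question differ on the wire in exactly one way that matters for dave_thompson_085's suggestion of looking for the ClientHello in tcpdump: with a hostname curl sends a server_name (SNI) extension, with an IP literal it does not, because RFC 6066 does not allow IP literals in SNI. The following is an added example, not code from the original post or from curl/OpenSSL; it builds a minimal ClientHello for each of the two targets and parses it back, so you know what the first outbound TLS record should look like in a capture and can tell the two cases apart. The cipher-suite list and the fixed client_random used in the demo are constructed for illustration and are not what curl 7.68/OpenSSL 1.1.1f actually offer.

```python
"""Minimal TLS ClientHello builder/parser: what a client puts on the wire for a
hostname vs. an IP literal.  Added example, not code from the original post."""
import ipaddress
import os
import struct

# Constructed for the demo; real curl/OpenSSL builds offer a longer list.
DEMO_SUITES = (0x1301, 0x1302, 0xC02F)  # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, ECDHE-RSA-AES128-GCM-SHA256
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]


def is_ip_literal(host):
    """True for IPv4/IPv6 literals; RFC 6066 forbids these in SNI."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_client_hello(host, suites=DEMO_SUITES, client_random=None):
    """Return one TLS record carrying a ClientHello for `host`.

    Mirrors curl/OpenSSL behaviour: the server_name extension is sent only
    when `host` is a DNS name, never for an IP literal.
    """
    client_random = client_random or os.urandom(32)
    exts = b""
    if not is_ip_literal(host):
        name = host.encode("idna")
        entry = b"\x00" + _u16(len(name)) + name          # name_type host_name(0)
        name_list = _u16(len(entry)) + entry
        exts += _u16(EXT_SERVER_NAME) + _u16(len(name_list)) + name_list
    versions = b"\x03\x04\x03\x03"                         # TLS 1.3, TLS 1.2
    sv = bytes([len(versions)]) + versions
    exts += _u16(EXT_SUPPORTED_VERSIONS) + _u16(len(sv)) + sv
    suite_bytes = b"".join(_u16(s) for s in suites)
    body = (b"\x03\x03"                                    # legacy_version TLS 1.2
            + client_random
            + b"\x00"                                      # empty legacy_session_id
            + _u16(len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                  # compression: null only
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + _u24(len(body)) + body           # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a ClientHello record (e.g. the first TCP payload seen in a capture).

    Returns the cipher suites, supported_versions and the SNI host name
    (None when the extension is absent, as for an IP-literal connection).
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                           # skip legacy_version, random
    pos += 1 + body[pos]                                   # skip legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                   # skip compression methods
    sni, versions = None, []
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME:
                q = 2                                      # skip ServerNameList length
                while q + 3 <= len(data):
                    ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                    if ntype == 0:
                        sni = data[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            elif etype == EXT_SUPPORTED_VERSIONS:
                versions = [struct.unpack("!H", data[i:i + 2])[0]
                            for i in range(1, 1 + data[0], 2)]
    return {"cipher_suites": suites, "supported_versions": versions, "sni": sni}


if __name__ == "__main__":
    for host in ("www.google.com", "172.217.10.36"):    # the two targets from the question
        rec = build_client_hello(host)
        print(host, len(rec), "bytes on the wire, SNI =", parse_client_hello(rec)["sni"])
```

To check whether that record leaves the container at all, capture on the bridge from the host with a filter on the first TCP payload byte being 0x16 (a TLS handshake record), for example tcpdump -ni docker0 'tcp port 443 and tcp[((tcp[12]&0xf0)>>2)]=0x16', and run the hostname and the IP-literal curl one after the other. If the IP-literal ClientHello never appears on docker0 while the hostname one does, which is what the OP reports, the fault is below TLS (the bridge or NAT path), and no cipher, -servername or SNI setting on the client will change that.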