OSS SSL 访问异常

https 排查预热

oss 公有云目前已经全面覆盖了 https 协议，支持 http1.1 （后续回支持 http2 ）,以及通用的 TLS1.0 TLS 1.1 TLS 1.2 支持，下面简单说下遇到报错的几个场景。

openssl

• openssl s_client -connect taobao.com:443 -showcerts < /dev/null 2>&1

CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = "Alibaba (China) Technology Co., Ltd.", CN = *.tmall.com
verify return:1
---
Certificate chain
 0 s:/C=CN/ST=ZheJiang/L=HangZhou/O=Alibaba (China) Technology Co., Ltd./CN=*.tmall.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
MIILDjCCCfagAwIBAgIMKBLRByCqWyiycbAVMA0GCSqGSIb3DQEBCwUAMGYxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTwwOgYDVQQDEzNH
bG9iYWxTaWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0g
RzIwHhcNMTcxMTIxMDUwNjAyWhcNMTgxMTIyMDUwNjAyWjB4MQswCQYDVQQGEwJD
TjERMA8GA1UECBMIWmhlSmlhbmcxETAPBgNVBAcTCEhhbmdaaG91MS0wKwYDVQQK
EyRBbGliYWJhIChDaGluYSkgVGVjaG5vbG9neSBDby4sIEx0ZC4xFDASBgNVBAMM
CyoudG1hbGwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtRkn
Wzh/4IOVSVcPMjBmTRForLgcy2+kOhJUIJvoTSYQYAg5yh6MgzI/nm42itUnKeQO
RHyKcuppMHLUVNWdPlw4DIoEWAXDgEcItr2Qj20VzTS5w/o3I/M5Z2gYpZS0L2YM
ho2PzQuz+2tuuqOcva68/jT8krb1ZUEuTul2czeePU23db8UCU5miFWOugqCp2Qs
ZGdRZ4bFnr5MoMLPNdtb2VBEqXr9t0Mqynm689MhVDAoEeI1LuuqIfTu2kh5HTnk
uz5bsImeBD+aByWVYxbbSoklqZ+UjeMzc2LpVm+6ZflwYForM/eZXSnxE3rq16Lu
6ayMLrMapZXHaYMTcQIDAQABo4IHqDCCB6QwDgYDVR0PAQH/BAQDAgWgMIGgBggr
BgEFBQcBAQSBkzCBkDBNBggrBgEFBQcwAoZBaHR0cDovL3NlY3VyZS5nbG9iYWxz
aWduLmNvbS9jYWNlcnQvZ3Nvcmdhbml6YXRpb252YWxzaGEyZzJyMS5jcnQwPwYI
KwYBBQUHMAGGM2h0dHA6Ly9vY3NwMi5nbG9iYWxzaWduLmNvbS9nc29yZ2FuaXph
dGlvbnZhbHNoYTJnMjBWBgNVHSAETzBNMEEGCSsGAQQBoDIBFDA0MDIGCCsGAQUF
BwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAIBgZn
gQwBAgIwCQYDVR0TBAIwADBJBgNVHR8EQjBAMD6gPKA6hjhodHRwOi8vY3JsLmds
b2JhbHNpZ24uY29tL2dzL2dzb3JnYW5pemF0aW9udmFsc2hhMmcyLmNybDCCA+gG
A1UdEQSCA98wggPbggsqLnRtYWxsLmNvbYIKKi4xNjg4LmNvbYIRbS5pbnRsLnRh
b2Jhby5jb22CCmZlaXpodS5jb22CDyoueWFvLjk1MDk1LmNvbYIMKi5mZWl6aHUu
Y29tgg1qdWh1YXN1YW4uY29tghAqLmNoaS50YW9iYW8uY29tghAqLmFsaWV4cHJl
c3MuY29tgg0qLmFsaXRyaXAuY29tgg8qLm0uY2Fpbmlhby5jb22CCHRtYWxsLmhr
gg8qLmp1LnRhb2Jhby5jb22CDGRvbmd0aW5nLmNvbYITKi5tLnRhb3BpYW9waWFv
LmNvbYIPKi5qdWh1YXN1YW4uY29tgglmZWl6aHUuY26CDSouYWxpYmFiYS5jb22C
EiouY2hpbmEudGFvYmFvLmNvbYIIMTY4OC5jb22CCXR0cG9kLmNvbYILYWxpYmFi
YS5jb22CDCouYWxpeXVuLmNvbYILKi5mZWl6aHUuY26CDyouamlhLnRtYWxsLmNv
bYIKYWxpeXVuLmNvbYIOYWxpZXhwcmVzcy5jb22CDCoubS4xNjg4LmNvbYIPKi5j
aGkudG1hbGwuY29tggl4aWFtaS5jb22CESoudGFvcGlhb3BpYW8uY29tghIqLmFs
aXFpbi50bWFsbC5jb22CC2NhaW5pYW8uY29tggsqLnhpYW1pLmNvbYIOKi5kaW5n
dGFsay5jb22CECouY2Fpbmlhby5jb20uY26CECouZm9vZC50bWFsbC5jb22CESou
bS55YW8uOTUwOTUuY29tgg4qLmRvbmd0aW5nLmNvbYIKZmxpZ2d5LmNvbYIMKi5t
LnRtYWxsLmhrgglmbGlnZ3kuaGuCCiouZXRhby5jb22CCSoubWVpLmNvbYIPKi5t
LmFsaXRyaXAuY29tgghldGFvLmNvbYILKi5mbGlnZ3kuaGuCB21laS5jb22CESou
dHJpcC50YW9iYW8uY29tggwqLm0uZXRhby5jb22CC2FsaXRyaXAuY29tgg4qLjNj
LnRtYWxsLmNvbYILKi50dHBvZC5jb22CDSouY2Fpbmlhby5jb22CDmNhaW5pYW8u
Y29tLmNuggxkaW5ndGFsay5jb22CCnRhb2Jhby5jb22CDCouZmxpZ2d5LmNvbYIM
Ki50YW9iYW8uY29tgg8qLm0uYWxpYmFiYS5jb22CD3Rhb3BpYW9waWFvLmNvbYIQ
Ki5qaWEudGFvYmFvLmNvbYINKi5tLnRtYWxsLmNvbYIOKi5tLnRhb2Jhby5jb22C
CioudG1hbGwuaGuCDyoubHcuYWxpaW1nLmNvbYIJdG1hbGwuY29tMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQU9Xvnpm/IaFGAeSu4zW+r
r9+dNMMwHwYDVR0jBBgwFoAUlt5h8b0cFilTHMDMfTuDAEDmGnwwggH0BgorBgEE
AdZ5AgQCBIIB5ASCAeAB3gB1AN3rHSt6DU+mIIuBrYFocH4ujp0B1VyIjT0RxM22
7L7MAAABX9z4CusAAAQDAEYwRAIgCWxoEBWigVp184YTZPMSjKjT7jekr/M7OeoR
Vo0cs9gCIGLJUWcCPRsdGdGOsLNMf6xl+6X0gOk2/ijyFDrAmShnAHUAVhQGmi/X
wuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFf3PgLWwAABAMARjBEAiBjrilU
CdkCGWOPjkGRDE1S4D9wMpTiP9QMGB+9mCN2CAIgCI/WXqpHX0jfJwc01SAIhsaF
0W6j4yMKl7la2t/lJogAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3c
EAAAAV/c+A4AAAAEAwBHMEUCIQDJtUhBIjeb4yxpKpHG7mi0dUGY9Kw8NnX2u/YZ
tFG9PgIgCrZ8mwLg20Fa4ewXjzVzXYWlJ+db3QYdMeIA3c/NDckAdgDuS723dc5g
uuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAV/c+BDOAAAEAwBHMEUCIHaeLgS9
+iPHxgBLwHdxu0RBnT69MzkPkEFXkXCHDT4vAiEAwGxAOWWczjuOMRkthlkyKVEX
Ept4VLpy00Bf5haaek0wDQYJKoZIhvcNAQELBQADggEBAH789VsS7gJAFlNatdAB
XBhONWcPBQnY0H7GwwXIZA0/P4DKN2t8FuICCnnN6L3/ekIoonmCAaoOksLCJFO6
ZStL0CzLx5VIg5uOTqQdx0arEiz9vxZeiKo2mnrtfnZHCRcwJ21nEGJQdu6b94ND
doB8TEeDItB57KfnXsng8QmHE1IbI5FuTZYiTgTbJibdH0yQqkS/3N6QXFEDBM6f
ZTz13mA0GD01FxEkjWPzKpYWhhRi2MNB2wbB3qjSH9SZnSzjvzLeRc+XkmnCasQQ
DPBGDlfjCI3hhCKiscEkvThSYQG8Ztas5mJdF6OXN0XdGXfSJsxPg63e7RjKdudq
Bt4=
-----END CERTIFICATE-----
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
MIIEaTCCA1GgAwIBAgILBAAAAAABRE7wQkcwDQYJKoZIhvcNAQELBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw
MDBaFw0yNDAyMjAxMDAwMDBaMGYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
YWxTaWduIG52LXNhMTwwOgYDVQQDEzNHbG9iYWxTaWduIE9yZ2FuaXphdGlvbiBW
YWxpZGF0aW9uIENBIC0gU0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDHDmw/I5N/zHClnSDDDlM/fsBOwphJykfVI+8DNIV0yKMCLkZc
C33JiJ1Pi/D4nGyMVTXbv/Kz6vvjVudKRtkTIso21ZvBqOOWQ5PyDLzm+ebomchj
SHh/VzZpGhkdWtHUfcKc1H/hgBKueuqI6lfYygoKOhJJomIZeg0k9zfrtHOSewUj
mxK1zusp36QUArkBpdSmnENkiN74fv7j9R7l/tyjqORmMdlMJekYuYlZCa7pnRxt
Nw9KHjUgKOKv1CGLAcRFrW4rY6uSa2EKTSDtc7p8zv4WtdufgPDWi2zZCHlKT3hl
2pK8vjX5s8T5J4BO/5ZS5gIg4Qdz6V0rvbLxAgMBAAGjggElMIIBITAOBgNVHQ8B
Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUlt5h8b0cFilT
HMDMfTuDAEDmGnwwRwYDVR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0
dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDMGA1UdHwQsMCow
KKAmoCSGImh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC5jcmwwPQYIKwYB
BQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNv
bS9yb290cjEwHwYDVR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswDQYJKoZI
hvcNAQELBQADggEBAEYq7l69rgFgNzERhnF0tkZJyBAW/i9iIxerH4f4gu3K3w4s
32R1juUYcqeMOovJrKV3UPfvnqTgoI8UV6MqX+x+bRDmuo2wCId2Dkyy2VG7EQLy
XN0cvfNVlg/UBsD84iOKJHDTu/B5GqdhcIOKrwbFINihY9Bsrk8y1658GEV1BSl3
30JAZGSGvip2CTFvHST0mdCF/vIhCPnG9vHQWe3WVjwIKANnuvD58ZAWR65n5ryA
SOlCdjSXVWkkDoPWoC209fN5ikkodBpBocLTJIg1MGCUF7ThBCIxPTsvFwayuJ2G
K1pp74P1S8SqtCr4fKGxhZSM9AyHDPSsQPhZSZg=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CN/ST=ZheJiang/L=HangZhou/O=Alibaba (China) Technology Co., Ltd./CN=*.tmall.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4629 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 103D65403DBE021AE03C0D58F837426C48B1C95B362C06051A77BA23A878116D
    Session-ID-ctx: 
    Master-Key: 053C6176196EF283754A73B4C158D7803930B66FA8363AF549EF14A97C9B0C2261E249A4E786D256D4D4775D53994799
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 60 82 b6 11 a6 b3 fb 36-5e cc a5 be b7 4a 09 db   `......6^....J..
    0010 - 3c 9f 84 13 4c 9e 38 d7-aa cd d0 e7 9b 7d a9 ff   <...L.8......}..
    0020 - 29 85 f9 b8 76 e9 14 e3-ec f5 be 65 75 0d 2f b1   )...v......eu./.
    0030 - a0 4c 91 e0 c5 c7 8b 28-b9 7c 0e 57 3a a5 69 b9   .L.....(.|.W:.i.
    0040 - ca 52 21 3b 01 47 60 7f-32 94 82 48 19 19 55 c7   .R!;.G`.2..H..U.
    0050 - 48 37 fc 00 ed 3b 8a 39-72 d2 51 60 01 c8 d7 7d   H7...;.9r.Q`...}
    0060 - 03 99 2e 7d ea 14 88 4e-85 6b 4b 92 84 5c 72 0a   ...}...N.kK..\r.
    0070 - 71 49 4e 86 73 81 46 fd-92 b1 4d 59 0c 26 de 4f   qIN.s.F...MY.&.O
    0080 - 2b 46 97 1a e6 a5 75 40-d7 18 49 87 8a e7 8b b1   +F....u@..I.....
    0090 - 88 b1 50 85 2f d8 c7 e3-cc eb 34 2a 60 d6 4a 0d   ..P./.....4*`.J.

    Start Time: 1542113320
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

• 出现握手错误时可以优先使用 openssl 的命令验证下证书的问题，先确认下是否有明显的报错，证书过期，证书链不完整等基础问题。
• oss 目前主要就是根证书和站点证书，根就是 CA 授权的证书，站点就是 web 服务器上存放的证书。

具体的 https 远离就不介绍了，我们就讲一些案例

案例：SSL 握手失败

国外 akamai cdn 到 OSS 的访问出现证书错误

test.oss-ap-southeast-1.aliyuncs.com/066ce724b5c410acc6716373633c35fe/5be7aa09/v1/bdd88e4986ad4e94afaaeee2603a5381 
GET 0 0 0.38 
ERR_FWD_SSL_HANDSHAKE err_conn_strict_cert:ssl1408f10b:1:0::: 

• 先通过之前的 openssl 命令验证目标 server 的证书链是否完整，是否有明显报错。
• 其次 cdn 上是否有针对证书做缓存的优化， oss 是不定期更新，避免对证书进行缓存。
• 终极手段就是通过抓包来分析下 https 的握手了。

案例：证书授权不匹配

OSS 提示证书非法？

当然不是，该案例，用户有一个 CDN 域名 www.zhang.mobi ，在阿里云配置 CDN 加速，开启 https 后将 OSS 的证书拿下来放到了 CDN 上使用，提示证书非法。

• 用户的域名和 OSS 证书授权的域名根本不是一下，既不满足泛域名，也不满足单个域名的授权，所以访问 CDN 域名时就会报证书非法。
• 但这个错误并不是因为回原访问到 OSS 出现的错误，证书的报错都是浏览器去 CA 验签时返回的错误，不是 OSS 返回。
• 正确的做法应该是在 CDN 上申请和域名匹配的免费站点证书。