Is something wrong with HTTPS on GitHub Pages?

2020-03-26 14:14:13 +08:00
 WoodenRobot

For every GitHub Pages site with HTTPS enabled, the certificate has turned into the one below? What's going on?

52101 clicks
Node: Global Ticket System
333 replies
littleylv
2020-03-26 14:43:09 +08:00
Tested it myself: without getting over the wall it is indeed like that; after getting over the wall it isn't.
Livid
2020-03-26 14:45:12 +08:00
@WoodenRobot So if you add -k to curl, does it load the original content of your site?
WoodenRobot
2020-03-26 14:46:31 +08:00
@Livid sorry, the code block had a problem.
Not every reply can contain external links, so I've replaced my domain with xxxx below.
$ curl -k -v xxxx
* Rebuilt URL to: xxxx
* Trying 185.199.108.153...
* TCP_NODELAY set
* Connected to xxxx (185.199.108.153) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=CN; ST=GD; L=SZ; O=COM; OU=NSP; CN=SERVER; emailAddress=346608453@qq.com
* start date: Sep 26 09:33:13 2019 GMT
* expire date: Sep 23 09:33:13 2029 GMT
* issuer: C=CN; ST=GD; L=SZ; O=COM; OU=NSP; CN=CA; emailAddress=346608453@qq.com
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET / HTTP/1.1
> Host: xxxx
> User-Agent: curl/7.54.0
> Accept: */*
xg4
2020-03-26 14:47:02 +08:00
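+1. I just visited and got a site-risk warning; I thought I had typed the wrong address. I looked at the certificate and found an email address with a QQ number; googling the QQ number led me to this.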
liut2016
2020-03-26 14:47:24 +08:00
@Livid #22 It can load.
Windelight
2020-03-26 14:47:33 +08:00
pi@raspberrypi:~ $ curl -k -v https://zongsoft.github.io
* Expire in 0 ms for 6 (transfer 0x1a44770)
-------- Something Similar --------
* Expire in 200 ms for 1 (transfer 0x1a44770)
* Trying 185.199.111.153...
* TCP_NODELAY set
* Expire in 148365 ms for 3 (transfer 0x1a44770)
* Expire in 200 ms for 4 (transfer 0x1a44770)
* Connected to zongsoft.github.io (185.199.111.153) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=CN; ST=GD; L=SZ; O=COM; OU=NSP; CN=SERVER; emailAddress=346608453@qq.com
* start date: Sep 26 09:33:13 2019 GMT
* expire date: Sep 23 09:33:13 2029 GMT
* issuer: C=CN; ST=GD; L=SZ; O=COM; OU=NSP; CN=CA; emailAddress=346608453@qq.com
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET / HTTP/1.1
> Host: zongsoft.github.io
> User-Agent: curl/7.64.0
> Accept: */*
>

The strange thing is that it cannot load any content.
lovedebug
2020-03-26 14:47:35 +08:00
Testing on Jiangsu Telecom also gets redirected to 185.199.111.153.
WoodenRobot
2020-03-26 14:49:01 +08:00
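@Livid When accessed from within China it doesn't load completely; only part of it loads and then it breaks off with the output below. Access from abroad is fine.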

* LibreSSL SSL_read: SSL_ERROR_SYSCALL, errno 54
* stopped the pause stream!
* Closing connection 0
curl: (56) LibreSSL SSL_read: SSL_ERROR_SYSCALL, errno 54
WoodenRobot
2020-03-26 14:51:21 +08:00
@lovedebug
185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153

The addresses above are all GitHub Pages servers.
AoTmmy
2020-03-26 14:51:24 +08:00
Reproduced on China Unicom.
caola
2020-03-26 14:54:01 +08:00
Several of my domains are like this, which made them inaccessible; it lasted most of a day.
hooon
2020-03-26 14:55:50 +08:00
@twoyuan https://i.loli.net/2020/03/25/82TVeI4WkrjS95A.png
I looked at my own website yesterday and also found this person's QQ email address.
mcone
2020-03-26 14:57:11 +08:00
Why does this feel like a man-in-the-middle attack?
LaTero
2020-03-26 14:57:51 +08:00
DNS is fine; from overseas, curl --resolve xxx:443:185.199.108.153 xxxps://xxx works normally.
jiejiss
2020-03-26 14:57:53 +08:00
Not reproduced on China Mobile.

TL;DR
issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3;
issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA

* Rebuilt URL to: https://woodenrobot.me/
* Trying 185.199.108.153...
* TCP_NODELAY set
* Connected to woodenrobot.me (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* // ... ...
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=woodenrobot.me
* start date: Feb 2 09:35:52 2020 GMT
* expire date: May 2 09:35:52 2020 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fa13b004400)
> GET / HTTP/2
> Host: woodenrobot.me
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
^C

* Rebuilt URL to: https://zongsoft.github.io/
* Trying 185.199.111.153...
* TCP_NODELAY set
* Connected to zongsoft.github.io (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* // ... ...
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=www.github.com
* start date: Jun 27 00:00:00 2018 GMT
* expire date: Jun 20 12:00:00 2020 GMT
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7feb0b000000)
> GET / HTTP/2
> Host: zongsoft.github.io
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
^C
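The comparison the posts above make by eye (same GitHub Pages IP, different issuer depending on the network path), as an added example that is not part of the original thread. The function names are hypothetical, the issuer allowlist is an assumption taken from the unaffected-path output quoted here, and the two transcripts are constructed by abridging the curl -v output in the thread.

```python
import re

# Assumption: issuer organizations seen on the unaffected path in the thread.
EXPECTED_ISSUER_ORGS = {"Let's Encrypt", "DigiCert Inc"}

PATTERNS = {
    "ip": re.compile(r"^\*\s+Connected to \S+ \(([0-9a-fA-F.:]+)\)"),
    "issuer": re.compile(r"^\*\s+issuer:\s*(.+)$"),
    "verify": re.compile(r"^\*\s+SSL certificate verify (?:result: )?(.+?)\.?$"),
}

def parse_curl_verbose(text):
    """Pull peer IP, issuer and verify status out of `curl -v` output."""
    info = dict.fromkeys(PATTERNS)
    for line in text.splitlines():
        for key, pattern in PATTERNS.items():
            match = pattern.match(line.strip())
            if match:
                info[key] = match.group(1)
    return info

def issuer_org(dn):
    # Match the O= component only; "OU=" must not be mistaken for it.
    match = re.search(r"(?:^|;\s*)O=([^;]+)", dn or "")
    return match.group(1).strip() if match else None

def assess(info):
    """List the reasons a presented certificate does not look like the real one."""
    reasons = []
    if info["verify"] != "ok":
        reasons.append(f"chain not trusted: {info['verify']}")
    if issuer_org(info["issuer"]) not in EXPECTED_ISSUER_ORGS:
        reasons.append(f"unexpected issuer: {info['issuer']}")
    return reasons

def same_ip_different_issuer(observations):
    """IPs whose issuer differs between vantage points: DNS agrees, the path does not."""
    by_ip = {}
    for info in observations:
        by_ip.setdefault(info["ip"], set()).add(info["issuer"])
    return {ip: issuers for ip, issuers in by_ip.items() if len(issuers) > 1}

# Constructed transcripts, abridged from the curl -v output quoted in the thread.
DIRECT = parse_curl_verbose("""* Connected to xxxx (185.199.108.153) port 443 (#0)
* issuer: C=CN; ST=GD; L=SZ; O=COM; OU=NSP; CN=CA
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.""")
PROXIED = parse_curl_verbose("""* Connected to xxxx (185.199.108.153) port 443 (#0)
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.""")
print(assess(DIRECT), same_ip_different_issuer([DIRECT, PROXIED]))
```

The verify-result line with "continuing anyway" only appears because curl was run with -k; without it curl aborts at the same check.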
Windelight
2020-03-26 14:58:19 +08:00
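This IP address does indeed connect to GitHub's servers: United States, GitHub#Fastly, looked up with Chunzhen (纯真). And the certificate information has a rough address that reads CN GD SZ COM NSP, QQ number 346608453, a guy from Harbin.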
Tomotoes
2020-03-26 15:00:58 +08:00
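Without a proxy, I ran into the same problem.
The error is: " FetchEvent.respondWith received an error TypeError: 此服务器的证书无效. 您可能正在连接到一个伪装成"网址"的服务器.

Hmm, the message is pretty clear.

With a proxy it's back to normal.

Hah, so this is finally going to happen...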
xiri
2020-03-26 15:03:26 +08:00
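The addresses you all posted above work fine through a proxy; accessing them directly from within China, the certificates really do all have problems. Is someone hijacking on a large scale? A man-in-the-middle attack?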
gz911122
2020-03-26 15:06:15 +08:00
Mine is like this too; I found this thread through Google.
SomeBottle
2020-03-26 15:09:38 +08:00
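The blog behind an Asia-Pacific CDN is fine, but access from mainland China goes straight to a certificate error... That QQ number also looks like a scapegoat.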
