You can of course update, but I think the ipfw rules also need to be sorted out.
Why are its packet counters at zero?
The connection example I gave above has an ancient date on the root certificates.
Code:
ls /usr/local/share/certs/ca-root-nss.crt
-rw-r--r-- 1 root wheel 931926 Jul 20 2016 /usr/local/share/certs/ca-root-nss.crt
And it works. True, the box is also ancient (9.3). But here I tried it on 11.2, which sits "behind" ipfw inside the network:
Code:
curl -v https://acme-v02.api.letsencrypt.org/
* Trying 172.65.32.248...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=acme-v01.api.letsencrypt.org
* start date: Sep 13 17:57:16 2019 GMT
* expire date: Dec 12 17:57:16 2019 GMT
* subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.57.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Thu, 31 Oct 2019 08:01:45 GMT
< Content-Type: text/html
< Content-Length: 2174
< Last-Modified: Mon, 25 Feb 2019 20:15:27 GMT
< Connection: keep-alive
< ETag: "5c744cdf-87e"
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html lang="en">
<head>
Interesting, the difference between the lines in the OP's
Reken wrote: ↑2019-10-31 8:51:44
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
* Closing connection 0
and mine
Code:
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
It's about the third line, in this case. A pity the OP didn't quote the full connection log; it would be nice to see at least up to "GET" or up to "HTTP/1.1 200 OK". But the zero packet counters need to be figured out; here you probably need to pick up tcpdump. There must be some reason packets are not being caught in ipfw: either they fall through to the default rule (these details weren't told to us: allow or deny in rule 65535), or into some other rule. Packets usually can't just vanish, so they need to be tracked down, and the correctness of the written rules confirmed. There is one more test option (this is on 11.2):
Code:
# echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443
Code:
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1
---
Certificate chain
0 s:/CN=acme-v01.api.letsencrypt.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/CN=acme-v01.api.letsencrypt.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3441 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: C23813918F1766D897A486F715B801CEC6F396954621C45D0A8D7483722B3341
Session-ID-ctx:
Master-Key: 86E058EDF8C0203BADAAA36FD7D7249D97DDDE997C3EFA2B2CD67F14FCBDEC3A1AED90FE14FF54EB4447BB1C71D2DC14
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1572509644
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
#
And the root certificates, at that:
Code:
ls /usr/local/share/certs/ca-root-nss.crt
-rw-r--r-- 1 root wheel 821046 8 янв. 2018 /usr/local/share/certs/ca-root-nss.crt
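Added example (not code from the thread): a small Python classifier that reads a curl -v trace like the two quoted above and reports at which point the handshake stopped, so the OP's run and the working run can be compared mechanically. The sample traces are constructed by trimming the quoted ones, and the verdict names are my own.

```python
import re

# Constructed samples, trimmed from the two curl -v traces quoted in the thread:
# the working run from 11.2 and the OP's run that dies with SSL_ERROR_SYSCALL.
TRACE_OK = """\
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* SSL certificate verify ok.
< HTTP/1.1 200 OK
"""
TRACE_BROKEN = """\
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
* Closing connection 0
"""

# One curl -v handshake line: direction and message name (type number ignored).
HS_LINE = re.compile(r"^\* TLSv\S+ \((IN|OUT)\), TLS (?:handshake|change cipher), (.+?) \(\d+\):")

def diagnose(trace):
    """Classify a curl -v trace: returns (verdict, detail)."""
    seen = {"IN": [], "OUT": []}
    cipher, verify_ok, error = None, False, None
    for line in trace.splitlines():
        m = HS_LINE.match(line)
        if m:
            seen[m.group(1)].append(m.group(2))
        elif line.startswith("* SSL connection using "):
            cipher = line.split(" / ", 1)[1]
        elif "SSL certificate verify ok" in line:
            verify_ok = True
        elif "SSL_ERROR_SYSCALL" in line or "SSL certificate problem" in line:
            error = line[2:]
    if "Finished" in seen["IN"] and cipher:
        return ("handshake-complete", cipher if verify_ok else "verify not confirmed")
    if "Finished" in seen["OUT"]:
        # The client already sent Finished, so the server certificate was received and
        # checked; what never arrived is the server's ChangeCipherSpec/Finished record.
        # That points at the path (firewall rules, NAT, MTU), not at the CA bundle.
        return ("aborted-after-client-finished", error or "no server Finished received")
    if "Server hello" not in seen["IN"]:
        return ("no-server-hello", error or "nothing received from server")
    return ("incomplete", error or "handshake did not finish")
```

Feed it `curl -v ... 2>&1` output from both machines; a verdict of aborted-after-client-finished is the case to chase with tcpdump and the ipfw counters.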