como fazer um pedido HTTPS para um servidor específico?

1

Eu quero verificar a integridade de servidores específicos antes de adicioná-los a um balanceador de carga. O balanceador de carga está apenas encaminhando no nível do TCP para as instâncias, as instâncias estão manipulando o handshake SSL. O problema é que não consigo fazer o handshake SSL funcionar.

Atualmente tentando a solicitação usando curl :

» curl "https://api.filestage.io/ping" --resolve "api.filestage.io:443:52.58.200.141" -v -I

* Added api.filestage.io:443:52.58.200.141 to DNS cache
* Hostname api.filestage.io was found in DNS cache
*   Trying 52.58.200.141...
* TCP_NODELAY set
* Connected to api.filestage.io (52.58.200.141) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.filestage.io:443 
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.filestage.io:443

se eu tentar a solicitação no balanceador de carga (sem o sinalizador de resolução), obtenho uma resposta bem-sucedida:

» curl "https://api.filestage.io/ping" -v -I   

*   Trying 52.28.99.28...
* TCP_NODELAY set
* Connected to api.filestage.io (52.28.99.28) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL Wildcard; CN=*.filestage.io
*  start date: Sep  7 00:00:00 2016 GMT
*  expire date: Sep  7 23:59:59 2017 GMT
*  subjectAltName: host "api.filestage.io" matched cert's "*.filestage.io"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
> HEAD /ping HTTP/1.1
> Host: api.filestage.io
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Access-Control-Allow-Credentials: true
Access-Control-Allow-Credentials: true
< Access-Control-Allow-Origin: undefined
Access-Control-Allow-Origin: undefined
< Access-Control-Allow-Methods: GET,PUT,POST,DELETE
Access-Control-Allow-Methods: GET,PUT,POST,DELETE
< Access-Control-Allow-Headers: Content-Type, Accept
Access-Control-Allow-Headers: Content-Type, Accept
< Cache-Control: no-cache, no-store, must-revalidate
Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
Pragma: no-cache
< Expires: 0
Expires: 0
< X-DNS-Prefetch-Control: off
X-DNS-Prefetch-Control: off
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=15552000; includeSubDomains
Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Download-Options: noopen
X-Download-Options: noopen
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< Content-Type: application/json; charset=utf-8
Content-Type: application/json; charset=utf-8
< Content-Length: 6
Content-Length: 6
< ETag: W/"6-mjpCz9K3x3LxXfhnNpzLeg"
ETag: W/"6-mjpCz9K3x3LxXfhnNpzLeg"
< set-cookie: fstg_sid=s%3AUdiZR7MEERHtfRcNooV82ek-UrAL7XtG.sYHes4MGaaqLWdMZptF7LW%2FVplTrWkSCCZMMqOleUyY; Domain=.filestage.io; Path=/; Expires=Tue, 25 Jul 2017 10:57:42 GMT; HttpOnly; Secure
set-cookie: fstg_sid=s%3AUdiZR7MEERHtfRcNooV82ek-UrAL7XtG.sYHes4MGaaqLWdMZptF7LW%2FVplTrWkSCCZMMqOleUyY; Domain=.filestage.io; Path=/; Expires=Tue, 25 Jul 2017 10:57:42 GMT; HttpOnly; Secure
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Date: Tue, 18 Jul 2017 10:57:42 GMT
Date: Tue, 18 Jul 2017 10:57:42 GMT
< Connection: keep-alive
Connection: keep-alive

< 
* Connection #0 to host api.filestage.io left intact

O erro que recebo não me dá nenhuma pista, alguma ideia de como posso obter mais informações sobre o que está errado?

    
por eliocs 18.07.2017 / 13:04

0 respostas

Tags