SSL的透明代理问题 [英] Transparent Proxy Issue with SSL

问题描述

我在私有区域中有一个RHEL5服务器.我已经为端口80和443设置了透明代理.当我在443上尝试wget时，得到以下信息:

I have a RHEL5 server in a private zone. I've set up a transparent proxy for ports 80 and 443. When I try a wget on 443, I get the following:

# wget -O- https://www.google.com
  --2013-02-14 15:16:50--  https://www.google.com/
  Resolving www.google.com... 74.125.129.147, 74.125.129.104, 74.125.129.106, ...
  Connecting to www.google.com|74.125.129.147|:443... connected.
  OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
  Unable to establish SSL connection.

我认为代理有效，因为它正在连接.我不知道还有什么可能导致这种情况.

I assume the proxy works because it's connecting. I don't know what else could be causing this.

推荐答案

此OpenSSL错误表示wget发送了初始SSL ClientHello消息，但从不是SSL ServerHello的服务器(或代理)获得了意外响应.消息.

This OpenSSL error indicates that wget sent the initial SSL ClientHello message, but gets an unexpected response from the server (or proxy) which was not an SSL ServerHello message.

这可能是因为配置错误(例如，如果将端口443使用透明选项重定向到http_port而不是https_port，则代理会与客户端而不是HTTPS使用普通HTTP而不是HTTPS)，或因为它根本不支持SSL的透明代理.要进行调试，您可以尝试连接到http://www.google.com:443/以查看会发生什么.要了解发生了什么，您可能需要在连接时运行tcpdump来查看服务器的响应.还要检查透明代理的错误日志.

This can be because the proxy speaks plain HTTP with the client, instead of HTTPS, because of a configuration error (e.g. with squid if port 443 is redirected to a http_port instead of https_port with the transparent option), or because it does not support transparent proxying of SSL at all. To debug, you may try connecting to http://www.google.com:443/ to see what happens. To know what's going on, you might want to run tcpdump while connecting to see what the server responds with. Also check the error log of your transparent proxy.

没有透明的代理配置，很难说出问题所在.

Without the transparent proxy configuration it is hard to tell what the problem is.

这篇关于SSL的透明代理问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！