Telnet shows blank screen on port 443 but TCP handshake not done 【openssl s_client -connect】

To test, use openssl:

openssl s_client -connect 172.18.164.50:443

This will initiate the TLS handshake and tell you whether the port is actually accessible and listening (and, if it is, whether it is configured properly for HTTPS).

 

First test

$ openssl s_client -connect 172.16.163.72:443
CONNECTED(0000017C)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
write:errno=10054

 

Testing cnblogs (博客园)

openssl s_client -connect 121.40.43.188:443
CONNECTED(00000160)
---
Certificate chain
0 s:CN = *.cnblogs.com
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1
1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
subject=CN = *.cnblogs.com

issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3258 bytes and written 386 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 61415DBA49FC19CB28A485A6E18EF96D115E427231F2D91F5AAB1E8423DA37BA
Session-ID-ctx:
Master-Key: 07AD672F0FB774B0F449C6F35A2E828B3B7EAF21F844AEA56FEB373641723194C090F5F71F6482A50FA3F4937F489524
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1631083510
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes

 

 

Third test

$ openssl s_client -connect test.uk.erecognition.admin.edenreduk.net:443 -state -debug
CONNECTED(000001B0)
write to 0x1b5c03254b0 [0x1b5c046b630] (342 bytes => 342 (0x156))
read from 0x1b5c03254b0 [0x1b5c0379c73] (5 bytes => -1 (0xFFFFFFFF))
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 342 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x1b5c03254b0 [0x1b5c029f150] (8192 bytes => -1 (0xFFFFFFFF))
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
write:errno=10054

 

Why my server does not respond to client's [SYN]?

Wireshark tells you what has happened, but rarely why it has happened. So you have seen that the client initiates the session by sending SYN; the next step should be to run Wireshark or tcpdump on the server to see whether the SYN packet has arrived there.

If yes, there is a firewall on the server itself, or the application (HTTP server) either does not listen at all or has some internal whitelist or blacklist which doesn't accept requests from the IP address of the client. There may also be a routing problem: the server may lack a route for the client address, so it may send the response out using the default route, which cannot deliver it to the client, or send it nowhere at all if none of the existing routes on the server matches the IP address of the client.

If the SYN doesn't reach the server, there is some firewall or a plain dysfunction somewhere between the client and the server.
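The three s_client outputs above differ in a few lines that show which stage failed: the TCP connection, or the TLS handshake on top of it. As an added example (not part of the original post), the shell function below reads openssl s_client output and names that stage; the function names, verdict words and shortened sample excerpts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: name the stage at which an `openssl s_client` run stopped,
# judging only from the text it printed.

classify_s_client() {
    out=$(cat)   # full s_client output (stdout and stderr) on stdin

    # No "CONNECTED(" line: the TCP handshake never completed (SYN unanswered
    # or refused), so no TLS bytes were ever exchanged.
    if ! printf '%s\n' "$out" | grep -q '^CONNECTED('; then
        echo tcp_failed
    # A real cipher name (not "(NONE)") means the TLS handshake finished.
    elif printf '%s\n' "$out" | grep -q 'Cipher is [A-Z0-9]'; then
        echo tls_ok
    # TCP is up and the ClientHello was written, but nothing came back: the
    # connection was reset or closed (errno 10054 is WSAECONNRESET on Windows).
    elif printf '%s\n' "$out" | grep -q 'handshake has read 0 bytes'; then
        echo tls_no_reply
    # The peer answered, but negotiation did not complete.
    else
        echo tls_handshake_failed
    fi
}

# Live use: probe_tls HOST [PORT]. </dev/null ends the session after the handshake.
probe_tls() {
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>&1 | classify_s_client
}

# Constructed sample: key lines excerpted from the first test on this page.
sample_reset() {
    printf '%s\n' 'CONNECTED(0000017C)' \
        'no peer certificate available' \
        'SSL handshake has read 0 bytes and written 293 bytes' \
        'New, (NONE), Cipher is (NONE)' \
        'write:errno=10054'
}

# Constructed sample: key lines excerpted from the cnblogs test on this page.
sample_ok() {
    printf '%s\n' 'CONNECTED(00000160)' \
        'SSL handshake has read 3258 bytes and written 386 bytes' \
        'New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256' \
        'Verify return code: 0 (ok)'
}

sample_reset | classify_s_client
sample_ok | classify_s_client
```

A tcp_failed verdict is the case the SYN discussion above applies to; tls_no_reply and tls_handshake_failed mean TCP connected (which is why telnet shows a blank screen) and the fault lies at or after the TLS ClientHello.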

 

posted @ 2021-09-08 14:44  ChuckLu