
How long is the certificate valid? After the last two network outages, forwarding suddenly stopped working

Open geekli opened this issue 3 years ago • 17 comments

Expected Behavior

Current Behavior

After the client loses its network connection (a power-cycle reboot, or a network outage), forwarding breaks. The server-side log reports: tls handshake fail from <client public IP>:31363, write tcp <server internal IP>:33080-><client public IP>:31363: write: connection reset by peer

Possible Solution

Steps to Reproduce

  1. The client loses its network connection or is power-cycled
  2. Forwarding stops working; the log shows the message above
  3. Restarting the server or the client does not help
  4. Only regenerating proxy.crt and proxy.key and then restarting both server and client fixes it
  5. Within less than a month, if the client loses its network again (reboots?), the problem recurs

Context (Environment)

  1. proxy version is: free_11.2

  2. full command is:

  3. client: /usr/local/bin/goproxy client --k gxweb -P "xxxx.com:33080" -C /etc/goproxy/proxy.crt -K /etc/goproxy/proxy.key

  4. server: /usr/local/bin/goproxy bridge -p ":33080" -C /etc/goproxy/proxy.crt -K /etc/goproxy/proxy.key

  5. server: /usr/local/bin/goproxy server --k gxweb -P "127.0.0.1:33080" -C /etc/goproxy/proxy.crt -K /etc/goproxy/proxy.key -r "tcp://127.0.0.1:8088@:8088"

  6. system is: Ubuntu Server

  7. full log is:

2021/11/18 13:32:01.628573 WARN tls handshake fail from 【clientip】:28192, write tcp 10.15.0.242:33080->【clientip】:28192: write: connection reset by peer
2021/11/18 13:32:01.628610 WARN attacking access 【clientip】:28192 <--> 10.15.0.242:33080
2021/11/18 13:32:01.675112 WARN tls handshake fail from 【clientip】:31197, write tcp 10.15.0.242:33080->【clientip】:31197: write: connection reset by peer
2021/11/18 13:32:01.675223 WARN attacking access 【clientip】:31197 <--> 10.15.0.242:33080
2021/11/18 13:32:01.675112 WARN tls handshake fail from 【clientip】:28194, write tcp 10.15.0.242:33080->【clientip】:28194: write: connection reset by peer
2021/11/18 13:32:01.675260 WARN attacking access 【clientip】:28194 <--> 10.15.0.242:33080
2021/11/18 13:32:02.307119 WARN client gxweb session not exists for server stream ac19b02a8aa65ecdd9f3cbeeaf79d07d7aa81855, retrying...
2021/11/18 13:32:02.420367 WARN client gxweb session not exists for server stream ac19b02a8aa65ecdd9f3cbeeaf79d07d7aa81855, retrying...
2021/11/18 13:32:02.550287 WARN client gxweb session not exists for server stream ac19b02a8aa65ecdd9f3cbeeaf79d07d7aa81855, retrying...
2021/11/18 13:32:02.600531 WARN tls handshake fail from 【clientip】:31186, write tcp 10.15.0.242:33080->【clientip】:31186: write: connection reset by peer
2021/11/18 13:32:02.600605 WARN attacking access 【clientip】:31186 <--> 10.15.0.242:33080

Detailed Description

Possible Implementation

geekli avatar Nov 18 '21 05:11 geekli

The certificate validity defaults to 365 days; you can change it by passing the parameter yourself.

snail007 avatar Nov 18 '21 06:11 snail007

But in both cases where my forwarding failed, the certificate had been generated less than a month earlier. The first time was after the client machine was power-cycled, the second after the client machine lost its network connection. Restarting the client and the server did not help either.

geekli avatar Nov 18 '21 06:11 geekli

The same problem came up again today after a network outage.

geekli avatar Nov 24 '21 03:11 geekli

Post the logs from all three ends.

snail007 avatar Nov 24 '21 03:11 snail007

I regenerated the certificate again yesterday; when run directly there was no log to look at. So I started a fresh server and client with yesterday's certificate (on the same machines: one on the public side, one on the internal side). Below are the logs from the three ends.

## Bridge log

/usr/local/bin/goproxy bridge -p :33080 -C /etc/goproxy/proxy.crt -K /etc/goproxy/proxy.key --debug --trace

2021/11/25 10:27:53.236330 server/server.go:109 WARN tls handshake fail from 【clientIP】:28632, write tcp 10.15.0.242:33080->【clientIP】:28632: write: connection reset by peer
2021/11/25 10:27:53.236382 server/server.go:59 WARN attacking access 【clientIP】:28632 <--> 10.15.0.242:33080
2021/11/25 10:27:53.239338 server/server.go:109 WARN tls handshake fail from 【clientIP】:30760, write tcp 10.15.0.242:33080->【clientIP】:30760: write: connection reset by peer
2021/11/25 10:27:53.239381 server/server.go:59 WARN attacking access 【clientIP】:30760 <--> 10.15.0.242:33080
2021/11/25 10:27:53.242182 server/server.go:109 WARN tls handshake fail from 【clientIP】:30759, write tcp 10.15.0.242:33080->【clientIP】:30759: write: connection reset by peer
2021/11/25 10:27:53.242220 server/server.go:59 WARN attacking access 【clientIP】:30759 <--> 10.15.0.242:33080
2021/11/25 10:27:53.244850 server/server.go:109 WARN tls handshake fail from 【clientIP】:28630, write tcp 10.15.0.242:33080->【clientIP】:28630: write: connection reset by peer
2021/11/25 10:27:53.244883 server/server.go:59 WARN attacking access 【clientIP】:28630 <--> 10.15.0.242:33080
2021/11/25 10:27:53.247551 server/server.go:109 WARN tls handshake fail from 【clientIP】:30761, write tcp 10.15.0.242:33080->【clientIP】:30761: write: connection reset by peer
2021/11/25 10:27:53.247586 server/server.go:59 WARN attacking access 【clientIP】:30761 <--> 10.15.0.242:33080
2021/11/25 10:27:53.251170 server/server.go:109 WARN tls handshake fail from 【clientIP】:28631, write tcp 10.15.0.242:33080->【clientIP】:28631: write: connection reset by peer
2021/11/25 10:27:53.251227 server/server.go:59 WARN attacking access 【clientIP】:28631 <--> 10.15.0.242:33080
2021/11/25 10:27:53.251797 server/server.go:109 WARN tls handshake fail from 【clientIP】:30763, write tcp 10.15.0.242:33080->【clientIP】:30763: write: connection reset by peer
2021/11/25 10:27:53.251962 server/server.go:59 WARN attacking access 【clientIP】:30763 <--> 10.15.0.242:33080
2021/11/25 10:27:53.255252 server/server.go:109 WARN tls handshake fail from 【clientIP】:28628, write tcp 10.15.0.242:33080->【clientIP】:28628: write: connection reset by peer
2021/11/25 10:27:53.255305 server/server.go:59 WARN attacking access 【clientIP】:28628 <--> 10.15.0.242:33080
2021/11/25 10:27:53.256394 server/server.go:109 WARN tls handshake fail from 【clientIP】:30762, write tcp 10.15.0.242:33080->【clientIP】:30762: write: connection reset by peer
2021/11/25 10:27:53.256555 server/server.go:59 WARN attacking access 【clientIP】:30762 <--> 10.15.0.242:33080
2021/11/25 10:27:53.258289 server/server.go:109 WARN tls handshake fail from 【clientIP】:28629, write tcp 10.15.0.242:33080->【clientIP】:28629: write: connection reset by peer

## client log

goproxy client --k gx210 -P "xxx.com:33080" -C /etc/goproxy/proxy.crt -K /etc/goproxy/proxy.key

2021/11/25 10:27:42.136387 INFO use tls parent xxx.com:33080
2021/11/25 10:27:42.136459 INFO client started
2021/11/25 10:27:42.136464 INFO session worker[1] started
2021/11/25 10:27:42.136472 INFO session worker[2] started
2021/11/25 10:27:42.136475 INFO session worker[3] started
2021/11/25 10:27:42.136479 INFO session worker[4] started
2021/11/25 10:27:42.136483 INFO session worker[5] started
2021/11/25 10:27:42.136486 INFO session worker[6] started
2021/11/25 10:27:42.136489 INFO session worker[7] started
2021/11/25 10:27:42.136492 INFO session worker[8] started
2021/11/25 10:27:42.136495 INFO session worker[9] started
2021/11/25 10:27:42.136498 INFO session worker[10] started
2021/11/25 10:27:44.137268 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137314 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137401 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137345 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137301 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137338 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137375 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137403 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137442 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137272 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:47.189976 WARN connection err: read tcp 10.10.2.251:43224->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.190117 WARN connection err: read tcp 10.10.2.251:43226->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.190549 WARN connection err: read tcp 10.10.2.251:43228->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.190750 WARN connection err: read tcp 10.10.2.251:43230->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.190932 WARN connection err: read tcp 10.10.2.251:43220->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.192425 WARN connection err: read tcp 10.10.2.251:43232->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.193655 WARN connection err: read tcp 10.10.2.251:43218->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.193745 WARN connection err: read tcp 10.10.2.251:43216->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.194773 WARN connection err: read tcp 10.10.2.251:43214->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.195723 WARN connection err: read tcp 10.10.2.251:43222->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.210704 WARN connection err: read tcp 10.10.2.251:43238->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.210809 WARN connection err: read tcp 10.10.2.251:43240->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.212211 WARN connection err: read tcp 10.10.2.251:43250->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.214270 WARN connection err: read tcp 10.10.2.251:43254->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.214329 WARN connection err: read tcp 10.10.2.251:43242->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.215935 WARN connection err: read tcp 10.10.2.251:43256->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.215988 WARN connection err: read tcp 10.10.2.251:43248->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.216956 WARN connection err: read tcp 10.10.2.251:43258->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.218422 WARN connection err: read tcp 10.10.2.251:43252->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.221246 WARN connection err: read tcp 10.10.2.251:43246->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.231350 WARN connection err: read tcp 10.10.2.251:43260->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.231463 WARN connection err: read tcp 10.10.2.251:43262->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.232991 WARN connection err: read tcp 10.10.2.251:43264->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.234602 WARN connection err: read tcp 10.10.2.251:43266->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.234946 WARN connection err: read tcp 10.10.2.251:43268->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.238318 WARN connection err: read tcp 10.10.2.251:43276->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.240013 WARN connection err: read tcp 10.10.2.251:43270->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.241832 WARN connection err: read tcp 10.10.2.251:43272->【bridgeIP】:33080: read: connection reset by peer, retrying...

## server log (there seems to be nothing here because the connection never succeeded)

/usr/local/bin/goproxy server --k gx210 -P 127.0.0.1:33080 -C /etc/goproxy/proxy.crt -K /etc/goproxy/proxy.key -r tcp://127.0.0.1:8099@:80

2021/11/25 10:06:38.372368 INFO use tls parent 127.0.0.1:33080
2021/11/25 10:06:38.372423 INFO server id: 5da3356e49fa7a31d91e5548265cafbe61ff73cc
2021/11/25 10:06:38.372534 INFO server on 127.0.0.1:8099

geekli avatar Nov 25 '21 02:11 geekli

It is fairly certain the TLS traffic is being blocked in the middle; there is probably network inspection between the client and the bridge.

snail007 avatar Nov 26 '21 08:11 snail007

That is strange then. Both the client and the bridge are in China, and the bridge is an aliyun server. This has only started happening in the last few months; before that it ran stably for a year or two without any problem.

geekli avatar Dec 06 '21 02:12 geekli

Also, today there does not seem to have been a network outage (or perhaps there was one I did not notice; at least no long outage), yet the same problem appeared again.

geekli avatar Dec 06 '21 02:12 geekli

Same as the problem I have been hitting these past few days; my certificate is valid for ten years. The strange part is that regenerating the certificate fixes it, and then the next day it stops working again.

iambus avatar Dec 09 '21 13:12 iambus

I suspect Alibaba Cloud's Cloud Shield (云盾). Setting an IP whitelist and uninstalling the agent did not solve it. No other option for now; I will swap the certificate once more and check again tomorrow. These days I have to change the certificate once a day.

iambus avatar Dec 10 '21 08:12 iambus

Same problem, aliyun; now a freshly generated certificate only lasts ten or twenty minutes.

devsvc avatar Dec 14 '21 16:12 devsvc

There is nothing useful in the logs. I tried a packet capture and, although I do not know the protocol well, one thing looks a bit odd: [image] [image] In the packets from the two connection attempts, this time field jumps around rather arbitrarily. I do not know whether that is by design; hoping this helps a little.

devsvc avatar Dec 15 '21 12:12 devsvc

Was this captured on the client or on the server?

snail007 avatar Dec 16 '21 00:12 snail007

> Was this captured on the client or on the server?

Server side.

devsvc avatar Dec 16 '21 04:12 devsvc

Then that proves Alibaba Cloud is interfering. Its technique is to modify the timestamp field in the TLS handshake packet so that the handshake fails, thereby blocking TLS connections it decides should not be allowed.

snail007 avatar Dec 16 '21 04:12 snail007
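An added example (not part of the thread and not goproxy code) that makes the field devsvc was looking at visible: it parses a captured TLS record holding a ClientHello or ServerHello, extracts the 32-byte Random and reads its first four bytes as the RFC 5246 gmt_unix_time, so a client-side capture and a bridge-side capture of the same connection can be compared byte for byte. The ClientHello bytes and capture times are constructed inline. One caveat a practitioner needs here: Go's standard crypto/tls fills all 32 bytes of Random from the CSPRNG and never encodes a clock there, so a value that differs from connection to connection is expected; what would indicate tampering is the same connection's Random differing between the two capture points.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// HelloRandom is what we pull out of a ClientHello or ServerHello.
type HelloRandom struct {
	HandshakeType byte     // 1 = ClientHello, 2 = ServerHello
	Version       uint16   // legacy_version in the Hello body (0x0303 = TLS 1.2)
	Random        [32]byte // the 32-byte Random field
	GMTUnixTime   uint32   // Random[0:4] read as the RFC 5246 gmt_unix_time
}

// ParseHelloRandom takes one TLS record as it appears on the wire (the TCP
// payload a capture tool shows) and extracts the Random of the Hello inside.
// Both Hello types begin with version + Random, so the same code serves
// client-side and bridge-side captures.
func ParseHelloRandom(rec []byte) (HelloRandom, error) {
	var hr HelloRandom
	if len(rec) < 5+4+2+32 {
		return hr, errors.New("record too short for a Hello")
	}
	if rec[0] != 0x16 { // ContentType handshake(22)
		return hr, fmt.Errorf("not a handshake record: content type 0x%02x", rec[0])
	}
	recLen := int(binary.BigEndian.Uint16(rec[3:5]))
	if 5+recLen > len(rec) {
		return hr, errors.New("truncated record")
	}
	hs := rec[5 : 5+recLen]
	hr.HandshakeType = hs[0]
	if hr.HandshakeType != 1 && hr.HandshakeType != 2 {
		return hr, fmt.Errorf("handshake type %d is not a Hello", hs[0])
	}
	hsLen := int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3]) // uint24 body length
	if 4+hsLen > len(hs) || hsLen < 2+32 {
		return hr, errors.New("truncated handshake body")
	}
	body := hs[4 : 4+hsLen]
	hr.Version = binary.BigEndian.Uint16(body[0:2])
	copy(hr.Random[:], body[2:34])
	hr.GMTUnixTime = binary.BigEndian.Uint32(hr.Random[:4])
	return hr, nil
}

// TimestampSkew is capture time minus the gmt_unix_time field. Only meaningful
// when the peer really encodes a clock there; Go's crypto/tls does not.
func TimestampSkew(hr HelloRandom, captured time.Time) time.Duration {
	return captured.Sub(time.Unix(int64(hr.GMTUnixTime), 0))
}

// buildClientHello assembles a minimal TLS 1.2 ClientHello record (a constructed
// sample for this example, not a real capture): ts lands in Random[0:4], tail
// in Random[4:32].
func buildClientHello(ts uint32, tail [28]byte) []byte {
	var tsBytes [4]byte
	binary.BigEndian.PutUint32(tsBytes[:], ts)
	body := []byte{0x03, 0x03}                  // client_version TLS 1.2
	body = append(body, tsBytes[:]...)          // gmt_unix_time
	body = append(body, tail[:]...)             // random_bytes[28]
	body = append(body, 0x00)                   // session_id: empty
	body = append(body, 0x00, 0x02, 0xc0, 0x2f) // one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	body = append(body, 0x01, 0x00)             // compression_methods: null only
	hs := []byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))} // ClientHello + uint24 length
	hs = append(hs, body...)
	rec := []byte{0x16, 0x03, 0x01, byte(len(hs) >> 8), byte(len(hs))} // record header, legacy version TLS 1.0
	return append(rec, hs...)
}

func main() {
	// Two constructed Hellos "captured" at the same moment: one carries a real
	// clock value, the other an arbitrary value like a Go client would send.
	var tail [28]byte
	for i := range tail {
		tail[i] = byte(i)
	}
	captured := time.Unix(1637818073, 0) // constructed capture time
	for _, ts := range []uint32{1637818070, 0x9e6c3a1f} {
		hr, err := ParseHelloRandom(buildClientHello(ts, tail))
		if err != nil {
			fmt.Println("parse:", err)
			return
		}
		fmt.Printf("type=%d version=%#04x random=%x gmt_unix_time=%d (%s) skew=%s\n",
			hr.HandshakeType, hr.Version, hr.Random, hr.GMTUnixTime,
			time.Unix(int64(hr.GMTUnixTime), 0).UTC().Format(time.RFC3339),
			TimestampSkew(hr, captured))
	}
}
```

To use it on real traffic, export the TCP payload of the first packet after the handshake begins from the capture on each side and feed both byte slices to ParseHelloRandom; if the two Random values differ, something between the client and the bridge rewrote the handshake.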

According to some information found online, Cloud Shield checks the domain name in the certificate and blocks the connection if the domain has no ICP registration (备案). Source: https://developer.aliyun.com/article/708243

I regenerated the certificate with the -n parameter specifying the domain name, and so far it does indeed work; it may need to run for a while longer to be sure. (Before specifying it, I could basically never connect, and even when a connection came up, once it dropped it would never reconnect.)

Because we happen to have a registered domain that points at this very server, I do not know whether this also works when the domain and the server do not correspond. Anyone interested can try it.

The above is for reference by others who run into a similar problem.

devsvc avatar Dec 16 '21 07:12 devsvc
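As an added example (not goproxy's own keygen code, and proxy.example.com is a placeholder name), the Go program below issues a self-signed certificate that names a domain in both the CN and a DNS SAN, which is what the -n step above is after, and then inspects a PEM certificate for the two properties this thread turns on: whether the validity window covers the current time, and whether the certificate names a domain at all. Passing a file path runs the inspection against an existing certificate such as /etc/goproxy/proxy.crt instead of the generated one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CertReport holds the fields this issue turns on: validity window and domain name.
type CertReport struct {
	Subject   string
	DNSNames  []string
	NotBefore time.Time
	NotAfter  time.Time
	Expired   bool // true if `now` is outside [NotBefore, NotAfter]
	HasDomain bool // true if the cert carries a CN or at least one DNS SAN
}

// InspectCertPEM parses the first CERTIFICATE block in PEM input (the file
// goproxy is given with -C) and reports validity and naming at time `now`.
func InspectCertPEM(pemBytes []byte, now time.Time) (CertReport, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertReport{}, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertReport{}, err
	}
	return CertReport{
		Subject:   cert.Subject.String(),
		DNSNames:  cert.DNSNames,
		NotBefore: cert.NotBefore,
		NotAfter:  cert.NotAfter,
		Expired:   now.Before(cert.NotBefore) || now.After(cert.NotAfter),
		HasDomain: cert.Subject.CommonName != "" || len(cert.DNSNames) > 0,
	}, nil
}

// GenerateSelfSignedPEM issues a self-signed certificate for `domain` (CN plus a
// DNS SAN), valid for `days` days from `now`, returned as PEM cert and key.
// Hypothetical helper written for this example; it is not goproxy's keygen.
func GenerateSelfSignedPEM(domain string, days int, now time.Time) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: domain},
		DNSNames:              []string{domain},
		NotBefore:             now.Add(-time.Hour), // tolerate small clock skew between peers
		NotAfter:              now.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	now := time.Now()
	var certPEM []byte
	if len(os.Args) > 1 { // e.g. go run . /etc/goproxy/proxy.crt
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Println("read:", err)
			os.Exit(1)
		}
		certPEM = b
	} else { // no file given: generate a 365-day cert for the placeholder domain
		var err error
		certPEM, _, err = GenerateSelfSignedPEM("proxy.example.com", 365, now)
		if err != nil {
			fmt.Println("generate:", err)
			os.Exit(1)
		}
	}
	rep, err := InspectCertPEM(certPEM, now)
	if err != nil {
		fmt.Println("inspect:", err)
		os.Exit(1)
	}
	fmt.Printf("subject=%s dns=%v valid=%s..%s expired=%v hasDomain=%v\n",
		rep.Subject, rep.DNSNames, rep.NotBefore.Format(time.RFC3339),
		rep.NotAfter.Format(time.RFC3339), rep.Expired, rep.HasDomain)
}
```

A certificate that reports expired=false and hasDomain=true rules out the two certificate-side explanations raised in this thread (the 365-day default and a missing domain name); if the handshake still fails, the cause is on the path between client and bridge, as the bridge log's "tls handshake fail ... connection reset by peer" already suggests.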

Regenerated the certificate with the -n parameter specifying the domain name: ok

dadigang avatar Apr 05 '22 23:04 dadigang