https://www.boc.cn handshake failure

A Go client requesting https://www.boc.cn immediately hits remote error: tls: handshake failure, but Chrome and curl both return normally.

I've been digging for a long time and can't tell what exactly the problem is. Has anyone run into this before? Thanks!

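  • Go is using a plain &http.Client{} with no configuration at all
  • Bank of China uses an RSA certificate from DigiCert Inc, so it doesn't look like a CA problem?
  • Could it be that a specific cipher suite doesn't match? That doesn't seem likely either
  • What other possible causes could there be?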

Chrome: The connection to this site is encrypted and authenticated using TLS
1.2, RSA, and AES_256_CBC with HMAC-SHA1.

curl: SSL connection using TLSv1.2 / ECDHE-RSA-AES128-SHA256

*   Trying 2402:93c0:20::16:443...
*   Trying 219.141.191.47:443...
* Connected to www.boc.cn (2402:93c0:20::16) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: jurisdictionC=CN; jurisdictionST=Beijing; businessCategory=Private Organization; serialNumber=911000001000013428; C=CN; ST=Beijing; O=Bank of China Limited; CN=www.boc.cn
*  start date: Nov  1 00:00:00 2023 GMT
*  expire date: Nov 27 23:59:59 2024 GMT
*  subjectAltName: host "www.boc.cn" matched cert's"www.boc.cn"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Secure Site Pro Extended Validation CA G2
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /sourcedb/whpj/index.html HTTP/1.1
> Host: www.boc.cn
> User-Agent: curl/7.81.0
> Accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
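
One way to test the cipher-suite hypothesis raised in the post, as an added example that is not part of the original post: it checks which of Go's crypto/tls lists contains the suite curl negotiated and retries the request with that suite explicitly offered. The mapping of curl's OpenSSL name to the Go constant and the helper names `classify` and `probeConfig` are assumptions of this example; the page does not confirm that this is the cause.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"time"
)

// curl's "ECDHE-RSA-AES128-SHA256" (OpenSSL name) is this IANA suite.
const curlSuite = tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

// classify reports which crypto/tls list a suite ID appears in.
func classify(id uint16) string {
	for _, s := range tls.CipherSuites() {
		if s.ID == id {
			return "secure"
		}
	}
	for _, s := range tls.InsecureCipherSuites() {
		if s.ID == id {
			return "insecure" // only offered if listed in Config.CipherSuites
		}
	}
	return "unknown"
}

// probeConfig (hypothetical helper) offers the suites in tls.CipherSuites() plus extra.
func probeConfig(extra ...uint16) *tls.Config {
	var ids []uint16
	for _, s := range tls.CipherSuites() {
		ids = append(ids, s.ID)
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: append(ids, extra...)}
}

func main() {
	fmt.Println("suite curl negotiated is on Go's list:", classify(curlSuite))
	client := &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: probeConfig(curlSuite)},
	}
	resp, err := client.Get("https://www.boc.cn/sourcedb/whpj/index.html")
	if err != nil {
		fmt.Println("still failing:", err)
		return
	}
	defer resp.Body.Close()
	fmt.Println("negotiated:", tls.CipherSuiteName(resp.TLS.CipherSuite))
}
```

If the probe succeeds, keep the extra suite on a transport used only for this host, since it sits on Go's insecure list.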