
Jiangsu Telecom broadband: TLS connection to Zhihu over IPv6 times out

  •   haoxingxing · 2021-06-06 22:56:39 +08:00 · 1878 views

    IPv6 access times out

    ~$ curl https://www.zhihu.com -v --ipv6
    *   Trying 240e:978:5404:0:35:::443...
    * TCP_NODELAY set
    * Connected to www.zhihu.com (240e:978:5404:0:35::) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    (no response)
    
    ~$ curl https://www.zhihu.com -v --ipv6 --tls-max 1.2
    *   Trying 240e:978:5404:0:38:::443...
    * TCP_NODELAY set
    * Connected to www.zhihu.com (240e:978:5404:0:38::) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    (no response)
    
    

    IPv4 works normally

    ~$ curl https://www.zhihu.com -v --ipv4
    *   Trying 180.101.217.181:443...
    * TCP_NODELAY set
    * Connected to www.zhihu.com (180.101.217.181) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: C=CN; ST=\U5317\U4EAC\U5E02; O=\U667A\U8005\U56DB\U6D77\UFF08\U5317\U4EAC\UFF09\U6280\U672F\U6709\U9650\U516C\U53F8; CN=*.zhihu.com
    *  start date: Nov 25 00:00:00 2020 GMT
    *  expire date: Dec 26 23:59:59 2021 GMT
    *  subjectAltName: host "www.zhihu.com" matched cert's "*.zhihu.com"
    *  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust CN RSA CA G1
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x56553628ae10)
    > GET / HTTP/2
    > Host: www.zhihu.com
    > user-agent: curl/7.68.0
    > accept: */*
    >
    * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
    < HTTP/2 302
    < server: CLOUD ELB 1.0.0
    < date: Sun, 06 Jun 2021 14:51:06 GMT
    < content-type: text/html; charset=utf-8
    < set-cookie: _zap=<???>; path=/; expires=Tue, 06 Jun 2023 14:51:06 GMT; domain=.zhihu.com
    < location: //www.zhihu.com/signin?next=%2F
    < x-backend-response: 0.032
    < pragma: no-cache
    < vary: Accept-Encoding
    < referrer-policy: no-referrer-when-downgrade
    < x-secng-response: 0.03499<???>
    < set-cookie: _xsrf=<???>; path=/; domain=zhihu.com; expires=Thu, 23-Nov-23 14:51:06 GMT
    < x-lb-timing: 0.035
    < x-idc-id: 2
    < set-cookie: KLBRSID=<???>; Path=/
    < cache-control: private, must-revalidate, no-cache, no-store, max-age=0
    < content-length: 93
    < x-nws-log-uuid: <???>
    < x-cache-lookup: Cache Miss
    < x-edge-timing: 0.064
    < x-cdn-provider: tencent
    <
    * Connection #0 to host www.zhihu.com left intact
    Redirecting to <a href="//www.zhihu.com/signin?next=%2F">//www.zhihu.com/signin?next=%2F</a>.
    

    DNS lookup

    ~$ dig www.zhihu.com aaaa @240e:5a::6666
    
    ; <<>> DiG 9.16.1-Ubuntu <<>> www.zhihu.com aaaa @240e:5a::6666
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57073
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;www.zhihu.com.                 IN      AAAA
    
    ;; ANSWER SECTION:
    www.zhihu.com.          8       IN      CNAME   www.zhihu.com.ipv6.dsa.dnsv1.com.
    www.zhihu.com.ipv6.dsa.dnsv1.com. 135 IN CNAME  1595096.sched.d0-dk.tdnsv5.com.
    1595096.sched.d0-dk.tdnsv5.com. 8 IN    AAAA    240e:978:5404:0:35::
    1595096.sched.d0-dk.tdnsv5.com. 8 IN    AAAA    240e:978:5404:0:33::
    1595096.sched.d0-dk.tdnsv5.com. 8 IN    AAAA    240e:978:5404:0:3b::
    1595096.sched.d0-dk.tdnsv5.com. 8 IN    AAAA    240e:978:30a:7:2d::
    1595096.sched.d0-dk.tdnsv5.com. 8 IN    AAAA    240e:978:5404:0:39::
    1595096.sched.d0-dk.tdnsv5.com. 8 IN    AAAA    240e:978:5404:0:38::
    1595096.sched.d0-dk.tdnsv5.com. 8 IN    AAAA    240e:978:a08:2:3b::
    1595096.sched.d0-dk.tdnsv5.com. 8 IN    AAAA    240e:978:a08:2:2a::
    1595096.sched.d0-dk.tdnsv5.com. 8 IN    AAAA    240e:978:5404:0:36::
    
    ;; Query time: 8 msec
    ;; SERVER: 240e:5a::6666#53(240e:5a::6666)
    ;; WHEN: Sun Jun 06 14:54:26 UTC 2021
    ;; MSG SIZE  rcvd: 367
    
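    12 replies    2023-03-10 23:54:33 +08:00
    wdlth
        1
       2021-06-06 23:52:36 +08:00
    You could check whether the router's MTU is 1280. Sometimes on Telecom broadband, some CDN servers are also unreachable over IPv6, and then static resources fail to load...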
    haoxingxing
        2
    OP
       2021-06-07 08:23:47 +08:00
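    yangyang
        3
       2021-06-07 08:37:05 +08:00
    A while ago I found I couldn't access Zhihu; turning off IPv6 fixed it, so it's probably this same problem.

    I submitted a bug report to Zhihu but they ignored me, so I let it go.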
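    xiaoyeziyuan
        4
       2021-06-07 11:43:29 +08:00
    Folks, I've been in touch with the dynamic/static acceleration cloud vendor and a fix was made; could you check again whether there's still a problem?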
    tankren
        5
       2021-06-07 14:09:48 +08:00
    Where is the MSS setting?
    tankren
        6
       2021-06-07 14:14:22 +08:00
    The CDN node on my side is 2408:873c:8010:3:3e:::443. Try changing your hosts file and see what happens; it could be a problem with the node.
    haoxingxing
        7
    OP
       2021-06-09 17:43:43 +08:00
    @xiaoyeziyuan The problem still exists; nothing has changed.
    EGOISTK21
        8
       2021-06-27 17:59:05 +08:00 via iPhone
    @haoxingxing #2
    @yangyang #3
    Hangzhou Telecom has the same problem, also on ROS, and the MTU is 1480. How did you solve it in the end?
    EGOISTK21
        9
       2021-07-03 17:22:30 +08:00 via iPhone
    Hangzhou Telecom: back to normal now.
    haoxingxing
        10
    OP
       2021-07-13 17:27:41 +08:00
    haoxingxing
        11
    OP
       2021-07-13 17:32:09 +08:00
    /ipv6 nd set mtu=1492 0
    tingshow163
        12
       2023-03-10 23:54:33 +08:00
    In a PPPoE environment (usually meaning home broadband), ROS needs the MSS changed to 1432 in the IPv6 firewall (this is usually the case; for details see https://lyincc.com/tech/access-to-ipv6/).

    The command is as follows (ROSv7):
    /ipv6/firewall/mangle/add chain=forward action=change-mss new-mss=1432 passthrough=yes protocol=tcp tcp-flags=syn out-interface=pppoe-out1 log=no log-prefix=""

    For out-interface, choose the virtual interface used for PPPoE dial-up; by default it is pppoe-out1.
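
An added example, not part of the thread or written by any participant: a POSIX shell helper that classifies a `curl -v` trace by how far the handshake got (TCP connected and Client hello sent with no Server hello is the symptom in the original post) and derives the clamp value from reply #12 as link MTU minus IP and TCP headers. The function names are illustrative, and the two embedded traces are excerpts of the original post's output.

```shell
#!/bin/sh
# Added example, not from the thread. Traces below are excerpts of the
# original post's curl -v output; function names are illustrative.

# classify_trace: read `curl -v` output on stdin and report how far it got.
classify_trace() {
    awk '
        /Connected to /                          { got_tcp = 1 }
        /\(OUT\), TLS handshake, Client hello/   { sent_hello = 1 }
        /\(IN\), TLS handshake, Server hello/    { got_reply = 1 }
        /SSL connection using /                  { finished = 1 }
        END {
            if (!got_tcp)                      print "no-tcp"
            else if (finished)                 print "handshake-ok"
            else if (sent_hello && !got_reply) print "stalled-after-client-hello"
            else                               print "unknown"
        }'
}

# clamp_mss LINK_MTU IP_VERSION: largest TCP payload that fits one packet.
# MSS = link MTU - IP header (40 for IPv6, 20 for IPv4) - 20-byte TCP header.
clamp_mss() {
    case "$2" in
        6) ip_hdr=40 ;;
        4) ip_hdr=20 ;;
        *) echo "IP version must be 4 or 6" >&2; return 1 ;;
    esac
    echo $(( $1 - ip_hdr - 20 ))
}

sample_v6_trace() {
cat <<'EOF'
* Connected to www.zhihu.com (240e:978:5404:0:35::) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
EOF
}

sample_v4_trace() {
cat <<'EOF'
* Connected to www.zhihu.com (180.101.217.181) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
EOF
}

echo "IPv6: $(sample_v6_trace | classify_trace)"
echo "IPv4: $(sample_v4_trace | classify_trace)"
echo "MSS to clamp to on a 1492-byte PPPoE link, IPv6: $(clamp_mss 1492 6)"
```

For a live check, curl writes its verbose trace to stderr, so use `curl -v --ipv6 --max-time 10 https://www.zhihu.com 2>&1 | classify_trace`.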