First I got GitHub's IP:
> nslookup github.com 8.8.8.8
Server: dns.google
Address: 8.8.8.8
Name: github.com
Address: 13.229.188.59
This IP is fine: it's at Amazon in Singapore, and should be a CDN.
Then I tested the certificate:
$ openssl s_client -showcerts -servername github.com -connect 13.229.188.59:443
CONNECTED(00000005)
depth=1 C = CN, ST = GD, L = SZ, O = COM, OU = NSP, CN = CA, emailAddress = [email protected]
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:C = CN, ST = GD, L = SZ, O = COM, OU = NSP, CN = SERVER, emailAddress = [email protected]
i:C = CN, ST = GD, L = SZ, O = COM, OU = NSP, CN = CA, emailAddress = [email protected]
(omitted …)
It's that weird QQ-number certificate.
Then I tried a Cloudflare IP (GitHub does not use Cloudflare's CDN):
$ host v2ex.com
v2ex.com has address 104.20.9.218
v2ex.com has address 104.20.10.218
v2ex.com has IPv6 address 2606:4700:10::6814:ada
v2ex.com has IPv6 address 2606:4700:10::6814:9da
The same certificate test, with the SNI set to github.com, was not hijacked:
$ openssl s_client -showcerts -servername github.com -connect 104.20.9.218:443
CONNECTED(00000005)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 CN = ssl509603.cloudflaressl.com
verify return:1
---
Certificate chain
0 s:CN = ssl509603.cloudflaressl.com
i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
-----BEGIN CERTIFICATE-----
(omitted …)
What does everyone think?
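
The comparison made in the post, as an added example that is not part of the original post: a Python parser that reads `openssl s_client` transcripts and reports whether the chain verified, which error codes appeared, and who issued the leaf certificate. The two sample transcripts are abridged from the output quoted above; the names `cn` and `assess` are assumptions of this example.

```python
import re

# Abridged from the two s_client transcripts quoted in the post above.
HIJACKED = """\
depth=1 C = CN, ST = GD, L = SZ, O = COM, OU = NSP, CN = CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:C = CN, ST = GD, L = SZ, O = COM, OU = NSP, CN = SERVER
   i:C = CN, ST = GD, L = SZ, O = COM, OU = NSP, CN = CA
"""
CLEAN = """\
depth=0 CN = ssl509603.cloudflaressl.com
verify return:1
---
Certificate chain
 0 s:CN = ssl509603.cloudflaressl.com
   i:C = GB, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
"""

def cn(dn):
    """Pull the CN attribute out of an OpenSSL one-line DN ('' if absent)."""
    m = re.search(r"(?:^|,\s*)CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else ""

def assess(transcript, sni):
    """Summarise what an s_client transcript says about the chain served for `sni`."""
    errors, chain, in_chain = [], [], False
    for line in transcript.splitlines():
        m = re.match(r"verify error:num=(\d+):(.*)", line.strip())
        if m:
            errors.append((int(m.group(1)), m.group(2)))
        elif line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain:
            m = re.match(r"\s*(?:\d+\s+)?([si]):(.*)", line)
            if m and m.group(1) == "s":
                chain.append({"subject": m.group(2), "issuer": ""})
            elif m and chain:
                chain[-1]["issuer"] = m.group(2)
    leaf = cn(chain[0]["subject"]) if chain else ""
    return {
        "chain_trusted": not errors,
        "error_codes": [code for code, _ in errors],
        "leaf_cn": leaf,
        "leaf_issuer_cn": cn(chain[0]["issuer"]) if chain else "",
        # CN-only comparison: SANs are not visible in this part of the output.
        "leaf_cn_is_sni": leaf.lower() == sni.lower(),
    }
```

Running `assess` on output collected for the same SNI from several vantage points or resolvers makes a differing issuer or a verify error stand out immediately.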