quininer / tokio-rustls

Asynchronous TLS/SSL streams for Tokio using Rustls.

Failed to connect dc.services.visualstudio.com:443 #66

Closed zonyitoo closed 4 years ago

zonyitoo commented 4 years ago

Test code:

use std::sync::Arc;

use webpki::DNSNameRef;
use tokio_rustls::{ TlsConnector, rustls::ClientConfig };
use tokio::net::TcpStream;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Client config trusting the Mozilla root set shipped by the webpki-roots crate.
    let mut config = ClientConfig::new();
    config.root_store.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
    let config = TlsConnector::from(Arc::new(config));
    let dnsname = DNSNameRef::try_from_ascii_str("dc.services.visualstudio.com").unwrap();

    // Plain TCP connect, then the rustls handshake on top of it.
    let stream = TcpStream::connect(("dc.services.visualstudio.com", 443)).await?;
    // The error is returned here, while the handshake is still in progress.
    let _tls_stream = config.connect(dnsname, stream).await?;

    Ok(())
}

This is a minimal test case, which tries to connect to dc.services.visualstudio.com:443. It will get an error:

Error: Os { code: 54, kind: ConnectionReset, message: "Connection reset by peer" }

The remote server aborted the connection while handshaking.

Couldn't be reproduced by tokio-tls.

zonyitoo commented 4 years ago
$ curl 'https://dc.services.visualstudio.com/api/profiles/AIF-d9b70cd4-b9f9-4d70-929b-a071c400b217/appId' -v
*   Trying 52.231.18.241...
* TCP_NODELAY set
* Connected to dc.services.visualstudio.com (52.231.18.241) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=in.applicationinsights.azure.com
*  start date: Apr 30 18:18:23 2020 GMT
*  expire date: Apr 30 18:18:23 2022 GMT
*  subjectAltName: host "dc.services.visualstudio.com" matched cert's "dc.services.visualstudio.com"
*  issuer: C=US; ST=Washington; L=Redmond; O=Microsoft Corporation; OU=Microsoft IT; CN=Microsoft IT TLS CA 4
*  SSL certificate verify ok.
> GET /api/profiles/AIF-d9b70cd4-b9f9-4d70-929b-a071c400b217/appId HTTP/1.1
> Host: dc.services.visualstudio.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Type: text/plain
< x-ms-session-id: B89B2ACC-F73B-4D3E-BF10-11490B062D91
< Strict-Transport-Security: max-age=31536000
< Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Name, Content-Type, Accept, Sdk-Context
< Access-Control-Allow-Origin: *
< Access-Control-Max-Age: 3600
< X-Content-Type-Options: nosniff
< Date: Tue, 05 May 2020 15:03:55 GMT
< Content-Length: 17
<
* Connection #0 to host dc.services.visualstudio.com left intact
Profile Not Found* Closing connection 0
quininer commented 4 years ago

The server does not support any modern cipher suites supported by rustls. I suggest you report this problem to M$.

https://www.ssllabs.com/ssltest/analyze.html?d=dc.services.visualstudio.com#tableSubHead
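The mismatch quininer points at can be confirmed from the `SSL connection using` line that curl already printed above: the server settled on ECDHE-RSA-AES256-SHA384, an AES-CBC suite, while rustls only ever offers ECDHE (or TLS 1.3) key exchange with AEAD record protection (AES-GCM, ChaCha20-Poly1305), so the two sides have no suite in common and the server aborts the handshake. The following is an added example, not code from tokio-rustls or from either commenter; `classify_suite`, `negotiated_suite` and `KeyExchange` are names chosen here, it uses only the standard library, and the embedded `CURL_LOG` is a constructed three-line excerpt of the curl output shown earlier in the thread.

```rust
// Added example; not code from tokio-rustls or from anyone in this thread.
// Classify an OpenSSL-style cipher-suite name (the form `curl -v` prints)
// and decide whether a rustls client could negotiate it at all. rustls
// implements only ECDHE (or TLS 1.3) key exchange with AEAD record
// protection (AES-GCM, ChaCha20-Poly1305). A server that accepts only CBC
// suites such as ECDHE-RSA-AES256-SHA384 shares no suite with rustls and
// aborts the handshake, which the client sees as a connection reset.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum KeyExchange {
    Tls13,     // TLS 1.3: key exchange is always ephemeral (EC)DHE
    Ecdhe,     // elliptic-curve ephemeral Diffie-Hellman
    Dhe,       // finite-field ephemeral DH: forward-secret, but rustls does not implement it
    StaticRsa, // RSA key transport: no forward secrecy, not offered by rustls
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SuiteInfo {
    pub name: String,
    pub key_exchange: KeyExchange,
    pub aead: bool,
}

impl SuiteInfo {
    /// rustls offers a suite only if it is AEAD *and* uses ECDHE or TLS 1.3.
    pub fn rustls_can_negotiate(&self) -> bool {
        self.aead && matches!(self.key_exchange, KeyExchange::Tls13 | KeyExchange::Ecdhe)
    }
}

/// Parse an OpenSSL name such as "ECDHE-RSA-AES256-SHA384" or a TLS 1.3
/// name such as "TLS_AES_256_GCM_SHA384" into its security-relevant parts.
pub fn classify_suite(name: &str) -> SuiteInfo {
    let upper = name.trim().to_ascii_uppercase();
    if upper.starts_with("TLS_AES_") || upper.starts_with("TLS_CHACHA20_") {
        return SuiteInfo { name: upper, key_exchange: KeyExchange::Tls13, aead: true };
    }
    let (key_exchange, aead) = {
        let parts: Vec<&str> = upper.split('-').collect();
        let kx = if parts.contains(&"ECDHE") {
            KeyExchange::Ecdhe
        } else if parts.contains(&"DHE") || parts.contains(&"EDH") {
            KeyExchange::Dhe
        } else {
            KeyExchange::StaticRsa
        };
        // GCM and ChaCha20-Poly1305 are AEAD. A trailing SHA/SHA256/SHA384 with
        // no GCM token means AES-CBC with HMAC (or 3DES/RC4), which rustls lacks.
        let aead = parts.contains(&"GCM") || parts.contains(&"CHACHA20");
        (kx, aead)
    };
    SuiteInfo { name: upper, key_exchange, aead }
}

/// Pull the negotiated protocol version and suite out of `curl -v` output.
pub fn negotiated_suite(curl_log: &str) -> Option<(String, String)> {
    const MARKER: &str = "SSL connection using ";
    for line in curl_log.lines() {
        if let Some(idx) = line.find(MARKER) {
            let rest = &line[idx + MARKER.len()..];
            let (version, suite) = rest.split_once(" / ")?;
            return Some((version.trim().to_string(), suite.trim().to_string()));
        }
    }
    None
}

// Constructed sample: three lines taken from the curl transcript above.
pub const CURL_LOG: &str = "* ALPN, server did not agree to a protocol\n\
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384\n\
* Server certificate:\n";

fn main() {
    match negotiated_suite(CURL_LOG) {
        Some((version, suite)) => {
            let info = classify_suite(&suite);
            println!("server chose {} over {}: kx={:?} aead={}", suite, version, info.key_exchange, info.aead);
            if info.rustls_can_negotiate() {
                println!("rustls offers this suite; look elsewhere for the handshake failure");
            } else {
                println!("rustls never offers this suite; the server aborts before any application data");
            }
        }
        None => println!("no 'SSL connection using' line found in the curl output"),
    }
}
```

Run against the real curl output, the same two functions tell you in one step whether a rustls-based client can ever succeed against that endpoint or whether the fix has to happen on the server side (enable at least one ECDHE + AES-GCM or ChaCha20-Poly1305 suite, or TLS 1.3).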

zonyitoo commented 4 years ago

LOL. That's sxxt.