search

whyour / qinglong

支持 Python3、JavaScript、Shell、Typescript 的定时任务管理平台(Timed task management platform supporting Python3, JavaScript, Shell, Typescript)
http://demo.ninesix.cc:4433
Apache License 2.0
15.19k stars 2.86k forks source link

搞了个小Demo再现部分脚本报错ssl问题 #2420

Closed sstakill closed 2 weeks ago

sstakill commented 2 weeks ago

Qinglong version

青龙 2.17.7 是目前检测到的最新可用版本了。

Steps to reproduce

又抽空看了下:

问题大概就是openssl版本过高导致dh参数太短会报错,因为有的服务器dh参数就设置了1024。

最新版青龙用的是OpenSSL 3.3.1 4 运行会报错DH太短。但是青龙低版本例如3.1.4版本,用的OpenSSL为3.1.4,版本就不会报错。建议用tls版本吧。

下面这js脚本访问的中国-电信的某个接口,用nmap看了下dh参数是1024。

const got = require("got");

class HttpRequester {
  constructor() {
    this.index = 1; // 示例用户索引
    this.name = "TestUser";
    this.userCount = 1;
    const headers = { Connection: "keep-alive" };
    const retryOptions = { retries: 0, retryDelay: 1000 };
    const timeout = 5000; // 超时时间为 5 秒
    this.got = got.extend({
      headers,
      retry: retryOptions,
      timeout,
      followRedirect: false,
      ignoreInvalidCookies: true,
      https: {
        rejectUnauthorized: false, // 不验证SSL证书
        minVersion: "TLSv1.2", // 设置最低TLS版本
        //ciphers:"ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!MD5",
        ciphers: "AES128-SHA", // 强制使用较弱的加密算法以触发错误
      },
    });
  }

  log(message) {
    console.log(`[${this.name}] ${message}`);
  }

  async request(options) {
    let response;
    try {
      response = await this.got(options);
      return response;
    } catch (error) {
      if (error.code === "EPROTO") {
        this.log(`请求错误 [EPROTO] [RequestError] ${error.message}`);
      } else {
        this.log(`请求错误 ${error.message}`);
      }
      return null;
    }
  }

  async getSign(params = {}) {
    let sign = false;
    try {
      const url = "https://wapside.189.cn:9001/jt-sign/ssoHomLogin"; 
      const options = {
        method: "GET",
        url,
        searchParams: params,
        responseType: "json",
      };
      const response = await this.request(options);
      const { body, statusCode } = response || {};
      const resultCode = body?.resoultCode || statusCode;

      if (resultCode === 0) {
        sign = body?.sign;
        this.sign = sign;
        this.got = this.got.extend({ headers: { sign } });
      } else {
        this.log(`获取sign失败[${resultCode}]: ${JSON.stringify(body)}`);
      }
    } catch (error) {
      console.log(error);
    } finally {
      return sign;
    }
  }
}

// 示例运行
(async () => {
  const requester = new HttpRequester();
  const params = { ticket: "your_ticket" }; // 实际的ticket,这里为了实现问题随意填。
  const sign = await requester.getSign(params);
  if (sign) {
    console.log("Sign:", sign);
  } else {
    console.log("未能获取sign。");
  }
})();

What is expected?

这是本机能获取到请求。 {"resoultCode":"1","resoultMsg":"请求失败"}

image

What is actually happening?

青龙最新版本

image

System Info

No response

Any additional comments?

No response

whyour commented 2 weeks ago
  1. 修改任务执行前参数:增加 export NODE_OPTIONS="${NODE_OPTIONS} --tls-cipher-list=DEFAULT@SECLEVEL=0"
  2. 换 debian 版本镜像 whyour/qinglong:debian
  3. extra.sh 修改 openssl.conf 文件,系统系统后自动运行
xmoxmo commented 2 weeks ago

您好,这三条需要全部满足吗,还是只修改第一条加一个变量就可以了?

whyour commented 2 weeks ago

@xmoxmo 一个就行

xmoxmo commented 2 weeks ago

@xmoxmo 一个就行

收到,谢谢