swiftg
Has anyone tried ZeroSSL's IP certificates? They're free and valid for three months.
takeshima
Next time you run into this, edit your hosts file to point apple.com at your server, then try visiting your site in a browser.
jasonselin
I'd suggest turning on bidirectional ivcheck for x-ray's SS.
sadan9
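Even if you get a properly signed certificate for this, in theory the security is about the same as self-signed, or even a bit lower. After all, the domain's owner could in theory have another certificate issued and use it for a man-in-the-middle.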
docx
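I've set up a self-signed certificate too, and so far I haven't noticed any connection drops or anything like that. Maybe the OP could take another look?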
jsq2627
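It's terrifying when you think about it: if someone really did mount a man-in-the-middle attack against self-signed certificates, then because a lot of people don't pair them with a self-signed CA and simply turn on "allow insecure certificates", they would be sniffed without ever noticing.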
datocp
Haha, I have no idea what you're all talking about. Have a look at how the professional stunnel has the server verify the client certificate before communicating; so far I only know how to configure level 2. Many of this software's parameters are a bit ahead of their time; even qqmail can't support tls1.3
verify = LEVEL
    verify the peer certificate
    This option is obsolete and should be replaced with the verifyChain and verifyPeer options.
    level 0
        Request and ignore the peer certificate.
    level 1
        Verify the peer certificate if present.
    level 2
        Verify the peer certificate.
    level 3
        Verify the peer against a locally installed certificate.
    level 4
        Ignore the chain and only verify the peer certificate.
    default
        No verify.
verifyChain = yes | no
    verify the peer certificate chain starting from the root CA
    For server certificate verification it is essential to also require a specific certificate with checkHost or checkIP.
    The self-signed root CA certificate needs to be stored either in the file specified with CAfile, or in the directory specified with CApath.
    default: no
verifyPeer = yes | no
    verify the peer certificate
    The peer certificate needs to be stored either in the file specified with CAfile, or in the directory specified with CApath.
    default: no
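An added example, not part of the post above or of the stunnel documentation: how the verifyChain, verifyPeer, CAfile and checkHost options quoted there fit together in place of the obsolete verify = LEVEL, with the server requiring a client certificate and the client checking the server. Service names, file paths, addresses and the host name are placeholders chosen for illustration.

```ini
; Constructed example: service names, paths, ports and the host name
; are placeholders, not values from the thread.

; ---- server side: stunnel.conf on the server ----
[tunnel-server]
accept  = 0.0.0.0:8443
connect = 127.0.0.1:8080
cert    = /etc/stunnel/server.pem
key     = /etc/stunnel/server.key
; Only accept clients whose certificate chains to our own root CA.
; Both options default to "no", i.e. no verification at all.
CAfile      = /etc/stunnel/ca.pem
verifyChain = yes

; ---- client side: stunnel.conf on the client ----
[tunnel-client]
client  = yes
accept  = 127.0.0.1:1080
connect = server.example.com:8443
cert    = /etc/stunnel/client.pem
key     = /etc/stunnel/client.key
; Verify the server's chain AND require the expected name.
; Without checkHost (or checkIP), any certificate issued by the
; same CA would pass chain verification.
CAfile      = /etc/stunnel/ca.pem
verifyChain = yes
checkHost   = server.example.com

; ---- variant for a bare self-signed server certificate (no CA) ----
; Pin the exact peer certificate instead of verifying a chain:
; put the server's own certificate in CAfile and use verifyPeer.
;
; [tunnel-client-pinned]
; client     = yes
; accept     = 127.0.0.1:1081
; connect    = server.example.com:8443
; CAfile     = /etc/stunnel/server-cert-only.pem
; verifyPeer = yes
```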
wowawesome
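Yesterday I used the Xunlei CDN mentioned above to bind to the IP, and today I got DDoSed.
Nothing like this has happened to my little VPS in the two years I've had it, so I don't know what's going on.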