https SSL 握手时间过长，大于 3 秒

• 資深大佬 : jaylee4869

  看一下 conf

• 資深大佬 : jaylee4869

  curl 网站 https 地址 -vvv

• 資深大佬 : Tink

  上 cdn

• 資深大佬 : rrfeng

  估计是 CA 验证在国外导致的，nginx 配置一下 ocsp stapling 吧。

• 資深大佬 : jacklin96

  OCSP 域名被污染了，需要换证书或者客户端翻墙
  可能直接换证书最快
  加 OCSP Stapling 也不一定有效

• 主 資深大佬 : constructor

  @jaylee4869

  ### 1. ngxin.conf 配置如下

  “`conf
  user www-data;
  worker_processes auto;
  pid /run/nginx.pid;

  events {
  worker_connections 768;
  # multi_accept on;
  }

  http {

  ##
  # Basic Settings
  ##

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;
  # server_tokens off;

  # server_names_hash_bucket_size 64;
  # server_name_in_redirect off;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  ##
  # SSL Settings
  ##

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
  ssl_prefer_server_ciphers on;

  ##
  # Logging Settings
  ##

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  ##
  # Gzip Settings
  ##

  gzip on;
  gzip_disable “msie6”;

  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

  ##
  # Virtual Host Configs
  ##

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
  }
  “`

  ### 2. 网站 dev.example.com 配置如下：

  “`conf
  server {
  listen 80;
  listen [::]:80;

  server_name dev.example.com;

  location / {
  proxy_set_header X-Forwarded-For $remote_addr;
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-Proto https;
  proxy_pass http://112.74.113.106:8090;
  }

  listen [::]:443 ssl; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  }
  “`conf

  ### 3. curl -vvv https://dev.example.com 输出如下：

  “`conf
  * Rebuilt URL to: https://dev.example.com/
  * Trying 112.74.90.77…
  * TCP_NODELAY set
  * Connected to dev.example.com (112.74.90.77) port 443 (#0)
  * ALPN, offering h2
  * ALPN, offering http/1.1
  * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
  * successfully set certificate verify locations:
  * CAfile: /etc/ssl/cert.pem
  CApath: none
  * TLSv1.2 (OUT), TLS handshake, Client hello (1):
  * TLSv1.2 (IN), TLS handshake, Server hello (2):
  * TLSv1.2 (IN), TLS handshake, Certificate (11):
  * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  * TLSv1.2 (IN), TLS handshake, Server finished (14):
  * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
  * TLSv1.2 (OUT), TLS handshake, Finished (20):
  * TLSv1.2 (IN), TLS change cipher, Client hello (1):
  * TLSv1.2 (IN), TLS handshake, Finished (20):
  * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
  * ALPN, server accepted to use http/1.1
  * Server certificate:
  * subject: CN=*.example.com
  * start date: Apr 29 13:04:41 2020 GMT
  * expire date: Jul 28 13:04:41 2020 GMT
  * subjectAltName: host “dev.example.com” matched cert’s “*.example.com”
  * issuer: C=US; O=Let’s Encrypt; CN=Let’s Encrypt Authority X3
  * SSL certificate verify ok.
  > GET / HTTP/1.1
  > Host: dev.example.com
  > User-Agent: curl/7.54.0
  > Accept: */*
  >
  < HTTP/1.1 200 OK
  < Server: nginx/1.14.0 (Ubuntu)
  < Date: Mon, 18 May 2020 10:38:26 GMT
  < Content-Type: text/html
  < Content-Length: 2878
  < Last-Modified: Sun, 17 May 2020 10:44:30 GMT
  < Connection: keep-alive
  < ETag: “5ec1158e-b3e”
  < Accept-Ranges: bytes
  “`

  * 域名和 IP 进行了替换，还请谅解。 *

• 主 資深大佬 : constructor

  @jacklin96
  “更换证书”是指换其他 CA 比如 Symantec 、GlobalSign 、GeoTrust 还是用 Let’s Encrypt 重新生成证书？

• 資深大佬 : n329291362

  let’s encrypt 的证书 服务端配置一下 ocsp stapling 吧
  或者买其他家的证书 就是买 Symantec 、GlobalSign 、GeoTrust 之类的

• 資深大佬 : cy476571989

  我也有同样的问题。

• 資深大佬 : lanternxx

  开一下 ocsp 装订试试 虽然我觉得可能没用 chrome 应该是不检查 ocsp 的

• 資深大佬 : xiaotianhu

  ocsp 服务器坏了

  被迫换了阿里云免费证书。

• 主 資深大佬 : constructor

  OCSP 服务器连接不上, ping ocsp.int-x3.letsencrypt.org 超时

  通过 openssl 验证超时：

  “`
  openssl ocsp -issuer fullchain.pem -cert cert.pem -text -url http://ocsp.int-x3.letsencrypt.org
  OCSP Request Data:
  Version: 1 (0x0)
  Requestor List:
  Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
  Issuer Key Hash: 25AA0A105713B51AB5A49554679566211FA63FCF
  Serial Number: 03638E20AC5D648DA7DB51EA00638CFAEF33
  Request Extensions:
  OCSP Nonce:
  0410053BDB6861C216D9924BC81A9295430F
  Error connecting BIO
  Error querying OCSP responder
  4733388396:error:02FFF03C:system library:func(4095):Operation timed out:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/bio/bss_conn.c:244:host=ocsp.int-x3.letsencrypt.org:80
  4733388396:error:20FFF067:BIO routines:CRYPTO_internal:connect error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/bio/bss_conn.c:247:
  “`

• 資深大佬 : jacklin96

  @constructor 换其他 CA 就行，国内目前只能远离 Let’s Encrypt

• 資深大佬 : BitCert

  LE 现在不稳定