Application Version: Firefox Developer Edition v101
Issue Description: The Weibo homepage loads normally, but clicking the search or hot-search links produces the following error page:
Secure Connection Failed
An error occurred during a connection to s.weibo.com.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Learn more…
Repeatedly comparing the browser's behaviour against the command curl -v "URL" narrowed the failure down to the Weibo account authentication gateway (passport.weibo.com), which the hot-search page redirects to. Note that the TLS handshake itself completes (curl reports TLS 1.2 with AES256-GCM-SHA384); what the gateway does not do is answer the client's ALPN extension, so no application protocol is agreed. curl simply falls back to HTTP/1.1 in that case; Firefox does not get past the connection.
Specific test steps:
Run
curl -v "https://s.weibo.com/weibo?q=%23%E7%A5%9D%E8%9E%8D%E5%8F%B7%E5%87%86%E5%A4%87%E5%9C%A8%E7%81%AB%E6%98%9F%E8%B6%8A%E5%86%AC%23&topic_ad="
to obtain the 302 redirect target (the passport gateway), then run
curl -v "https://passport.weibo.com/visitor/visitor?entry=miniblog&a=enter&url=https%3A%2F%2Fs.weibo.com%2Fweibo%3Fq%3D%2523%25E7%25A5%259D%25E8%259E%258D%25E5%258F%25B7%25E5%2587%2586%25E5%25A4%2587%25E5%259C%25A8%25E7%2581%25AB%25E6%2598%259F%25E8%25B6%258A%25E5%2586%25AC%2523%26topic_ad%3D&domain=.weibo.com&sudaref=&ua=php-sso_sdk_client-0.6.29&_rand=1651842429.1375"
which returns:
……
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=CN; ST=Beijing; O=Sina.com Technology(China)Co.,ltd; CN=sina.com
……
Note this line in the output:
ALPN, server did not agree to a protocol
ALPN
ALPN (Application-Layer Protocol Negotiation, RFC 7301) is a TLS extension that lets client and server agree on the application-layer protocol inside the TLS handshake itself, so no extra round trips are needed to negotiate it after the connection is up.
ALPN can carry any application-layer protocol identifier, but its dominant use is HTTP/2 (identifier "h2"); HTTP/3 is likewise selected via ALPN ("h3") over QUIC. Mainstream browsers only speak HTTP/2 over TLS precisely because ALPN is the mechanism they use to discover that a server supports it: with no ALPN answer, the browser assumes HTTP/1.1.
Browser Negotiation Principle
The ALPN exchange can be observed by capturing the handshake with Wireshark.
* When the browser opens the TLS connection, its Client Hello carries an ALPN extension listing the application protocols it is willing to speak, in preference order (for a browser typically h2 and http/1.1).
* In its Server Hello, a server that supports HTTP/2 answers with an ALPN extension naming h2. A server that supports ALPN but not HTTP/2 picks another protocol from the client's list, usually http/1.1. A server that does not implement ALPN at all simply omits the extension, and the client carries on without an agreed protocol; this is the case curl reports as "server did not agree to a protocol". Per RFC 7301, a server that does implement ALPN but supports none of the offered protocols must instead abort with a fatal no_application_protocol alert.
Both the browser and the server must support ALPN negotiation before HTTP/2 can be used.
Most web servers obtain TLS from the OpenSSL library, so whether a server can negotiate ALPN depends on the OpenSSL version it is built against (and on the server being configured to offer h2). ALPN support arrived in OpenSSL 1.0.2; a server linked against 1.0.1 or older ignores the extension entirely, and the client sees the "did not agree" outcome described above.
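The following is an added example, not code from the original post or from Weibo or Mozilla. It works through the negotiation described above at the wire-format level (RFC 7301: extension type 16, a 2-byte list length, then 1-byte length-prefixed protocol names), covering the three server outcomes a client can see: h2 selected, http/1.1 selected, and no ALPN answer at all (the case in the curl output above), plus the fatal no_application_protocol alert. It also includes a live probe, probe_alpn, that reproduces the curl -v check with Python's standard ssl module; that function needs network access and is only run when a host is passed on the command line. All function names here are the example's own.

```python
"""ALPN negotiation per RFC 7301, worked offline (added example)."""
import socket
import ssl
import struct
from typing import List, Optional, Sequence

ALPN_EXT_TYPE = 16  # ExtensionType application_layer_protocol_negotiation


def encode_protocol_list(protocols: Sequence[str]) -> bytes:
    """ProtocolNameList: 2-byte total length, then 1-byte-length-prefixed names."""
    body = b""
    for name in protocols:
        raw = name.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError("ALPN protocol names must be 1..255 bytes")
        body += struct.pack("!B", len(raw)) + raw
    return struct.pack("!H", len(body)) + body


def encode_alpn_extension(protocols: Sequence[str]) -> bytes:
    """Extension: type (2 bytes) + extension_data length (2 bytes) + ProtocolNameList."""
    data = encode_protocol_list(protocols)
    return struct.pack("!HH", ALPN_EXT_TYPE, len(data)) + data


def decode_protocol_list(ext_data: bytes) -> List[str]:
    """Parse a ProtocolNameList, rejecting length mismatches and empty names."""
    (total,) = struct.unpack("!H", ext_data[:2])
    if total != len(ext_data) - 2:
        raise ValueError("ProtocolNameList length mismatch")
    names, pos = [], 2
    while pos < len(ext_data):
        n = ext_data[pos]
        if n == 0 or pos + 1 + n > len(ext_data):
            raise ValueError("malformed ProtocolName")
        names.append(ext_data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return names


def parse_alpn_extension(ext: bytes) -> List[str]:
    ext_type, length = struct.unpack("!HH", ext[:4])
    if ext_type != ALPN_EXT_TYPE or length != len(ext) - 4:
        raise ValueError("not a well-formed ALPN extension")
    return decode_protocol_list(ext[4:])


class NoApplicationProtocol(Exception):
    """Stands in for the fatal no_application_protocol alert (RFC 7301, 3.2)."""


def server_select(client_hello_ext: bytes, server_protocols: Sequence[str]) -> Optional[bytes]:
    """Server side. Returns the ServerHello ALPN extension naming one protocol,
    or None for an ALPN-unaware server that omits the extension (the outcome
    curl prints as 'server did not agree to a protocol')."""
    if not server_protocols:
        return None
    offered = parse_alpn_extension(client_hello_ext)
    for name in server_protocols:  # server preference order decides
        if name in offered:
            return encode_alpn_extension([name])
    raise NoApplicationProtocol()


def client_result(offered: Sequence[str], server_hello_ext: Optional[bytes]) -> Optional[str]:
    """Client side. None means no protocol was agreed; browsers and curl then
    fall back to HTTP/1.1. A server naming a protocol the client never offered
    is a protocol violation and is rejected."""
    if server_hello_ext is None:
        return None
    chosen = parse_alpn_extension(server_hello_ext)
    if len(chosen) != 1 or chosen[0] not in offered:
        raise ValueError("server selected a protocol the client did not offer")
    return chosen[0]


def outcome(client_protocols: Sequence[str], server_protocols: Sequence[str]) -> str:
    """Run one full exchange and report it the way a verbose client would."""
    ext = encode_alpn_extension(client_protocols)
    try:
        chosen = client_result(client_protocols, server_select(ext, server_protocols))
    except NoApplicationProtocol:
        return "fatal alert: no_application_protocol"
    return chosen if chosen is not None else "server did not agree to a protocol"


def probe_alpn(host: str, port: int = 443, protocols=("h2", "http/1.1"), timeout: float = 5.0) -> dict:
    """Live equivalent of 'curl -v': needs network; 'alpn' is None when no protocol was agreed."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(list(protocols))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "alpn": tls.selected_alpn_protocol()}


if __name__ == "__main__":
    import sys
    browser = ["h2", "http/1.1"]
    print(outcome(browser, ["h2", "http/1.1"]))   # h2
    print(outcome(browser, ["http/1.1"]))         # http/1.1
    print(outcome(browser, []))                   # server did not agree to a protocol
    print(outcome(browser, ["h3"]))               # fatal alert: no_application_protocol
    if len(sys.argv) > 1:
        print(probe_alpn(sys.argv[1]))            # e.g. passport.weibo.com
```

Running the module with a hostname as its argument performs the same check as curl -v with Python's ssl module; an "alpn" of None in the result is the "server did not agree to a protocol" condition.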
Disabling ALPN in Firefox
Enter the following in the address bar:
about:config
Accept the risk warning.
Search for "ALPN".
Toggle the value of
security.ssl.enable_alpn
to false.
This is a workaround, not a fix: the preference is global, so with it set to false Firefox stops offering ALPN to every site and can no longer negotiate HTTP/2 anywhere, and servers that enforce ALPN strictly as a defence against cross-protocol (ALPACA-style) attacks lose that signal from this browser. Revert it to true once the site's gateway handles ALPN correctly.