spacewander commented on issue #3037: URL: https://github.com/apache/apisix/issues/3037#issuecomment-746009306
> > > @nic-chen @spacewander
> the packet capture is :
>
> ```
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
> 17:06:39.007429 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [S], seq 885285712, win 29200, options [mss 1460,sackOK,TS val 97301020 ecr 0,nop,wscale 7], length 0
> 17:06:39.007764 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [S.], seq 2085634511, ack 885285713, win 28960, options [mss 1460,sackOK,TS val 2941101919 ecr 97301020,nop,wscale 7], length 0
> 17:06:39.008478 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [.], ack 1, win 229, options [nop,nop,TS val 97301021 ecr 2941101919], length 0
> 17:06:39.187906 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [P.], seq 1:172, ack 1, win 229, options [nop,nop,TS val 97301200 ecr 2941101919], length 171
> 17:06:39.188150 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [.], ack 172, win 235, options [nop,nop,TS val 2941102099 ecr 97301200], length 0
> 17:06:39.188991 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [P.], seq 1:8, ack 172, win 235, options [nop,nop,TS val 2941102100 ecr 97301200], length 7
> 17:06:39.189161 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [F.], seq 8, ack 172, win 235, options [nop,nop,TS val 2941102100 ecr 97301200], length 0
> 17:06:39.189433 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [.], ack 8, win 229, options [nop,nop,TS val 97301202 ecr 2941102100], length 0
> 17:06:39.190444 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [F.], seq 172, ack 9, win 229, options [nop,nop,TS val 97301203 ecr 2941102100], length 0
> 17:06:39.190547 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [.], ack 173, win 235, options [nop,nop,TS val 2941102102 ecr 97301203], length 0
> ```
>
> config.yaml is below:
>
> ```yaml
> ssl:
>   enable: true                      # ssl is disabled by default
>                                     # enable it to use your own cert and key
>   enable_http2: true
>   listen_port: 9443
>   ssl_trusted_certificate: /usr/local/apisix/conf/cert/ca.pem  # Specifies a file path with trusted CA certificates in the PEM format
>                                     # used to verify the certificate when APISIX needs to do SSL/TLS handshaking
>                                     # with external services (e.g. etcd)
>   ssl_cert: /usr/local/apisix/conf/cert/server.pem
>   ssl_cert_key: /usr/local/apisix/conf/cert/server.key
>   ssl_protocols: "TLSv1.2 TLSv1.3"
>   ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
>   ssl_session_tickets: false        # disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
>                                     # ref: https://github.com/mozilla/server-side-tls/issues/135
>   key_encrypt_salt: "edd1c9f0985e76a2"  # If not set, will save origin ssl key into etcd.
>                                     # If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC
>                                     # !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !!
> ```

This is not a packet capture file. This is a summary of each packet. You should use `tcpdump -w $filename` to get the capture file.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
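The point of the reply above is that tcpdump's default one-line output records sizes, flags and timing but not the bytes on the wire, so it cannot show why the TLS handshake was rejected. As an added example (not code from the issue, its participants, or the APISIX project), the following Python script parses exactly that kind of summary and reports what a summary does reveal: how many payload bytes each side sent, which side closed first, and how quickly after the client's first data. The sample input is the ten packet lines quoted in the issue; the interface name `ens160` and the listen port `9443` are taken from the issue; the capture file name is a placeholder. The "alert-sized" flag is an inference of my own (a single TLS alert record is exactly 7 bytes: a 5-byte record header plus a 2-byte body), and only a real capture written with `-w` can confirm what the 7 bytes were.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Sample input: the tcpdump one-line summaries quoted in the issue above
# (the two banner lines are included so the parser has to skip them).
SUMMARY = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
17:06:39.007429 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [S], seq 885285712, win 29200, options [mss 1460,sackOK,TS val 97301020 ecr 0,nop,wscale 7], length 0
17:06:39.007764 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [S.], seq 2085634511, ack 885285713, win 28960, options [mss 1460,sackOK,TS val 2941101919 ecr 97301020,nop,wscale 7], length 0
17:06:39.008478 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [.], ack 1, win 229, options [nop,nop,TS val 97301021 ecr 2941101919], length 0
17:06:39.187906 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [P.], seq 1:172, ack 1, win 229, options [nop,nop,TS val 97301200 ecr 2941101919], length 171
17:06:39.188150 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [.], ack 172, win 235, options [nop,nop,TS val 2941102099 ecr 97301200], length 0
17:06:39.188991 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [P.], seq 1:8, ack 172, win 235, options [nop,nop,TS val 2941102100 ecr 97301200], length 7
17:06:39.189161 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [F.], seq 8, ack 172, win 235, options [nop,nop,TS val 2941102100 ecr 97301200], length 0
17:06:39.189433 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [.], ack 8, win 229, options [nop,nop,TS val 97301202 ecr 2941102100], length 0
17:06:39.190444 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [F.], seq 172, ack 9, win 229, options [nop,nop,TS val 97301203 ecr 2941102100], length 0
17:06:39.190547 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [.], ack 173, win 235, options [nop,nop,TS val 2941102102 ecr 97301203], length 0
"""

# tcpdump's default TCP summary: "<time> IP <src>.<port> > <dst>.<port>: Flags [..], ..., length N"
PACKET_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?, length (?P<length>\d+)$"
)


@dataclass
class Packet:
    ts: datetime
    src: tuple   # (host, port number or service name as tcpdump printed it)
    dst: tuple
    flags: str   # S = SYN, . = ACK, P = PSH, F = FIN
    length: int  # TCP payload bytes; the summary never shows the bytes themselves


def parse_summary(text: str) -> list:
    """Parse tcpdump's one-line-per-packet output; banner lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(
            ts=datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            src=tuple(m["src"].rsplit(".", 1)),
            dst=tuple(m["dst"].rsplit(".", 1)),
            flags=m["flags"],
            length=int(m["length"]),
        ))
    return packets


def analyse_connection(packets: list) -> dict:
    """What a summary does reveal: payload volume per side, who closed, and how fast."""
    syn = next(p for p in packets if p.flags == "S")  # sender of the bare SYN is the client
    client, server = syn.src, syn.dst
    client_bytes = sum(p.length for p in packets if p.src == client)
    server_bytes = sum(p.length for p in packets if p.src == server)
    synack_seen = any(p.flags == "S." and p.src == server for p in packets)
    first_fin = next((p for p in packets if "F" in p.flags), None)
    first_client_data = next((p for p in packets if p.src == client and p.length > 0), None)
    close_delay_ms = None
    if first_fin and first_client_data:
        close_delay_ms = (first_fin.ts - first_client_data.ts).total_seconds() * 1000
    return {
        "client": client,
        "server": server,
        "handshake_completed": synack_seen,
        "client_bytes": client_bytes,
        "server_bytes": server_bytes,
        "closed_by": None if first_fin is None else ("server" if first_fin.src == server else "client"),
        "close_delay_ms": close_delay_ms,
        # Inference, not a fact from the summary: a TLS alert record is exactly 7 bytes
        # (5-byte header + 2-byte alert body), so a 7-byte reply is consistent with one.
        # Only a full capture shows the record type and the alert description.
        "server_reply_is_alert_sized": server_bytes == 7,
    }


def capture_command(interface: str, port: int, outfile: str) -> str:
    """The invocation that writes a real capture file (-w) with full packets (-s 0)."""
    return f"tcpdump -i {interface} -s 0 -w {outfile} 'tcp port {port}'"


if __name__ == "__main__":
    report = analyse_connection(parse_summary(SUMMARY))
    for key, value in report.items():
        print(f"{key}: {value}")
    # ens160 and 9443 come from the issue; the output file name is a placeholder.
    print(capture_command("ens160", 9443, "apisix-tls-handshake.pcap"))
```

Run against the quoted summary, the report shows a completed TCP handshake, 171 bytes from the client, a 7-byte reply from the server, and the server sending FIN about 1.3 ms after the client's data. That is enough to locate the failure at the server's TLS layer, but not to name the cause, which is why the reply asks for a `-w` capture that can be opened in a protocol decoder.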