zealot 最近的时间轴更新
zealot

zealot

@chzealot 理想主义,随性
V2EX 第 16002 号会员,加入于 2012-01-26 16:52:40 +08:00
16 S 68 B
理想主义,随性;Linux/C/C++/Java/Python/网络/架构,钉钉小二;热爱生活
阿里巴巴钉钉 2019 校园招聘
  •  1   
    酷工作  •  zealot  •  2019-04-09 16:33:52 PM  •  最后回复来自 lazydog
    3
    自用Confluence知识库备份工具
    分享创造  •  zealot  •  2012-04-20 23:08:28 PM  •  最后回复来自 zealot
    16
    zealot 最近回复了
    145 天前
    回复了 zong400 创建的主题 程序员 吐槽一下钉钉域名竟然不支持 tls1.3
    @zong400 RSA 是很老的算法了,ECC 综合指标显著优于 RSA ,了解技术的都会在 TLS 1.3 里采用 ECC 而不是 RSA
    145 天前
    回复了 zong400 创建的主题 程序员 吐槽一下钉钉域名竟然不支持 tls1.3
    钉钉的域名支持 TLS1.3 ;
    你的检测结果中没有显示 TLS 1.3 的原因是你用的 nmap 版本比较旧( 7.6 版本的 nmap 发布时候还没有 TLS 1.3 协议),换个最新版本 nmap 就可以。

    你用的这个 nmap 版本号是 7.60 ,发布日期是 2017-07-31 详见: https://svn.nmap.org/nmap-releases/nmap-7.60/CHANGELOG

    TLS 1.3 协议是 2018 年 8 月发布的,详见 IETF 文档: https://datatracker.ietf.org/doc/html/rfc8446

    nmap 在 2021 年 12 月才支持了 TLS 1.3 ,详见代码提交记录: https://github.com/mzet-/Nmap-for-Pen-Testers/commit/f55c200783af64f2ecb286244056e83098d74e97

    最新的 nmap 7.95 版本检测钉钉域名是支持 TLS 1.3 的:
    ```
    $ nmap --script ssl-enum-ciphers -p 443 oapi.dingtalk.com
    Starting Nmap 7.95 ( https://nmap.org ) at 2024-08-05 14:08 CST
    Nmap scan report for oapi.dingtalk.com (106.11.35.100)
    Host is up (0.047s latency).
    Other addresses for oapi.dingtalk.com (not scanned): 2401:b180:2000:80::d 2401:b180:2000:50::b 2401:b180:2000:60::f 2401:b180:2000:70::e

    PORT STATE SERVICE
    443/tcp open https
    | ssl-enum-ciphers:
    | TLSv1.0:
    | ciphers:
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
    | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    | compressors:
    | NULL
    | cipher preference: server
    | TLSv1.1:
    | ciphers:
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
    | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    | compressors:
    | NULL
    | cipher preference: server
    | TLSv1.2:
    | ciphers:
    | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
    | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
    | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
    | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    | compressors:
    | NULL
    | cipher preference: server
    | TLSv1.3:
    | ciphers:
    | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
    | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
    | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
    | TLS_AKE_WITH_SM4_CCM_SM3 (ecdh_x25519) - A
    | TLS_AKE_WITH_SM4_GCM_SM3 (ecdh_x25519) - A
    | cipher preference: server
    |_ least strength: A

    Nmap done: 1 IP address (1 host up) scanned in 3.58 seconds
    ```

    SSL Labs 检测结果也同样显示支持 TLS 1.3: https://www.ssllabs.com/ssltest/analyze.html?d=oapi.dingtalk.com
    p.s. 这个域名还在支持 TLS 1.0 和 TLS 1.1 的原因是还有很多企业不支持更高版本的 TLS 。不过安全团队针对低版本的 TLS 的加密套件做了定制,剔除一些低版本中有重大风险的加密套件。

    ![]( )
    方便的话可以发一下 curl 命令输出结果,我这边实测是可以的
    (绑 IPv6 host 验证 OK:2401:b180:2000:60::f h5.dingtalk.com

    ``` $ curl -6 -v https://h5.dingtalk.com/status.taobao
    * Trying [2401:b180:2000:60::f]:443...
    * Connected to h5.dingtalk.com (2401:b180:2000:60::f) port 443 (#0)
    * ALPN: offers h2
    * ALPN: offers http/1.1
    * CAfile: /etc/ssl/cert.pem
    * CApath: none
    * (304) (OUT), TLS handshake, Client hello (1):
    * (304) (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN: server accepted h2
    * Server certificate:
    * subject: C=CN; ST=ZheJiang; L=HangZhou; O=Alibaba (China) Technology Co., Ltd.; CN=*.dingtalk.com
    * start date: Apr 12 01:56:07 2022 GMT
    * expire date: May 14 01:56:06 2023 GMT
    * subjectAltName: host "h5.dingtalk.com" matched cert's "*.dingtalk.com"
    * issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Organization Validation CA - SHA256 - G2
    * SSL certificate verify ok.
    * Using HTTP2, server supports multiplexing
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * h2h3 [:method: GET]
    * h2h3 [:path: /status.taobao]
    * h2h3 [:scheme: https]
    * h2h3 [:authority: h5.dingtalk.com]
    * h2h3 [user-agent: curl/7.86.0]
    * h2h3 [accept: */*]
    * Using Stream ID: 1 (easy handle 0x14e813400)
    > GET /status.taobao HTTP/2
    > Host: h5.dingtalk.com
    > user-agent: curl/7.86.0
    > accept: */*
    >
    * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
    < HTTP/2 200
    < server: Tengine
    < date: Thu, 16 Mar 2023 06:02:49 GMT
    < content-length: 0
    < accept-ranges: bytes
    < etag: W/"0-1678781644000"
    < last-modified: Tue, 14 Mar 2023 08:14:04 GMT
    < cache-control: no-cache
    < content-security-policy-report-only: default-src 'self';style-src 'self' 'unsafe-inline' dev.g.alicdn.com g.alicdn.com at.alicdn.com *.test.youku.com *.taobao.net webapi.amap.com;script-src 'report-sample' 'self' 'unsafe-eval' 'unsafe-inline' *.dingtalk.com *.cnzz.com *.alicdn.com market.wapa.taobao.com dev.g.alicdn.com g.alicdn.com ynuf.alipay.com log.mmstat.com s.tbcdn.cn vip.laiwang.com wswukong.laiwang.com local.alipcsec.com:6691 *.taobao.net cfd.aliyun.com restapi.amap.com webapi.amap.com tce.taobao.com cfall.aliyun.com gw.alipayobjects.com ynuf.aliapp.org;connect-src 'self' *.dingtalk.com ynuf.alipay.com dev.g.alicdn.com g.alicdn.com retcode.taobao.com dingtalk-cspase-sh.oss-cn-shanghai.aliyuncs.com dingtalk-cspase-sz.oss-cn-shenzhen.aliyuncs.com arms-retcode.aliyuncs.com arms-retcode.aliyuncs.com gm.mmstat.com ynuf.aliapp.org wss://acs.wapa.taobao.com wss://acs.m.taobao.com aliliving.alicdn.com wgo.mmstat.com dtliving.alicdn.com hd.mmstat.com uc.gre alilive.alicdn.com *.mobgslb.tbcache.com *.mmstat.com px.effirst.com;frame-src 'self' h5.m.taobao.com qiye.aliyun.com log.laiwang.com dev.g.alicdn.com g.alicdn.com login.dingtalk.com login2.dingtalk.com *.dingtalk.com mailsso.mxhichina.com wvjbscheme: alipaybridge: alipaymonitor: ynuf.aliapp.org cn-hangzhou-dap.cloud.alipay.com cn-hangzhou-cap.cloud.alipay.com auth.cloud.alipay.com;font-src 'self' at.alicdn.com dev.g.alicdn.com g.alicdn.com data: *.taobao.net i.alicdn.com;img-src 'self' data: http: fourier.taobao.com *.dingtalk.com *.aliimg.com *.alicdn.com *.mmstat.com ynuf.alipay.com arms-retcode.aliyuncs.com pin.aliyun.com fourier.alibaba.com retcode.taobao.com *.cnzz.com dingtalk-cspase-sh.oss-cn-shanghai.aliyuncs.com dingtalk-cspase-sz.oss-cn-shenzhen.aliyuncs.com restapi.amap.com landray.dingtalkapps.com restapi.amap.com image.uczzd.cn;media-src 'self' *.dingtalk.com cloud.video.taobao.com videocdn.taobao.com dev.g.alicdn.com g.alicdn.com tbm-auth.alicdn.com alilive.alicdn.com aliliving.alicdn.com blob:;worker-src 'self' blob:;report-uri https://csp.dingtalk.com/csp;
    ```
    2019-04-09 10:40:29 +08:00
    回复了 zealot 创建的主题 酷工作 阿里巴巴钉钉 2019 校园招聘
    @lazydog 可以钉钉上搜索 dingtalkkejie 加一下我,我找招聘 HR 查一下之前有无面试记录,确定一下是否可以转推荐
    2018-10-24 23:40:21 +08:00
    回复了 Tumblr 创建的主题 全球工单系统 阿里钉钉英文版的语法错误望更正
    谢谢大家反馈和积极给出建议,我们团队已经介入修改了。欢迎使用钉钉工作交流,也可以私信联系我
    2013-03-01 09:55:03 +08:00
    回复了 openroc 创建的主题 分享发现 开源项目的代码统计网站
    Ubuntu:Mostly written in C#
    呵呵
    2012-11-22 20:17:26 +08:00
    回复了 laskuma 创建的主题 Python 为什么推荐python?
    我推荐学门脚本语言,不一定是Python,ruby、perl都可以。
    程序员会门脚本语言的好处就不解释了
    2012-10-25 21:01:05 +08:00
    回复了 jerommix 创建的主题 问与答 发现你的第十三天.
    每天送冰激凌,有天她不吃的话,就改送暖宝宝、好好伺候着
    软件测试的艺术,1979
    Hacker's Delight, 2002,刚好十年
    2012-09-21 00:19:10 +08:00
    回复了 kingwkb 创建的主题 设计师 现在的人都怎么了,招人就这免不容易
    小公司尽量少招新手
    大公司可以招新手慢慢培养,工作中,专业技能永远是最容易学的,面试时反而不用过于关注这方面。给公司和候选人一次机会。
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2658 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 16ms · UTC 12:03 · PVG 20:03 · LAX 04:03 · JFK 07:03
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.