V2EX zealot
@chzealot Idealistic, easygoing
V2EX member No. 16002, joined 2012-01-26 16:52:40 +08:00
Idealistic, easygoing; Linux/C/C++/Java/Python/networking/architecture; DingTalk staff; loves life
zealot's recent replies
2024-08-05 18:11:49 +08:00
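Replied to ethsol's topic in Programmers: Complaining that DingTalk's domains don't even support TLS 1.3
@zong400 RSA is a very old algorithm. ECC's overall metrics are significantly better than RSA's, and anyone who understands the technology would use ECC rather than RSA in TLS 1.3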
2024-08-05 14:21:51 +08:00
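Replied to ethsol's topic in Programmers: Complaining that DingTalk's domains don't even support TLS 1.3
DingTalk's domains do support TLS 1.3.
The reason TLS 1.3 does not show up in your scan result is that the nmap version you used is rather old (the TLS 1.3 protocol did not exist yet when nmap 7.6 was released). Switching to the latest nmap version will fix it.

The nmap version you used is 7.60, released on 2017-07-31. See: https://svn.nmap.org/nmap-releases/nmap-7.60/CHANGELOG

The TLS 1.3 protocol was published in August 2018. See the IETF document: https://datatracker.ietf.org/doc/html/rfc8446

nmap only added TLS 1.3 support in December 2021. See the commit record: https://github.com/mzet-/Nmap-for-Pen-Testers/commit/f55c200783af64f2ecb286244056e83098d74e97

Scanning the DingTalk domain with the latest nmap, version 7.95, shows that TLS 1.3 is supported: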
```
$ nmap --script ssl-enum-ciphers -p 443 oapi.dingtalk.com
Starting Nmap 7.95 ( https://nmap.org ) at 2024-08-05 14:08 CST
Nmap scan report for oapi.dingtalk.com (106.11.35.100)
Host is up (0.047s latency).
Other addresses for oapi.dingtalk.com (not scanned): 2401:b180:2000:80::d 2401:b180:2000:50::b 2401:b180:2000:60::f 2401:b180:2000:70::e

PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_SM4_CCM_SM3 (ecdh_x25519) - A
| TLS_AKE_WITH_SM4_GCM_SM3 (ecdh_x25519) - A
| cipher preference: server
|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 3.58 seconds
```

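The SSL Labs test result likewise shows that TLS 1.3 is supported: https://www.ssllabs.com/ssltest/analyze.html?d=oapi.dingtalk.com
p.s. The reason this domain still supports TLS 1.0 and TLS 1.1 is that many enterprises still do not support higher TLS versions. However, the security team has customized the cipher suites for the lower TLS versions, removing some suites that carry major risks in those versions.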
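The reply's point, that an old scanner's silence about TLS 1.3 is not evidence of absence, can be built into how `ssl-enum-ciphers` output is reviewed. The following is an added example, not part of zealot's reply or of Nmap; `parse_ssl_enum`, `audit` and `TLS13_BLIND` are hypothetical names, and both sample scans are constructed from suites shown in the output above.

```python
import re

# Hypothetical names. TLS13_BLIND: Nmap releases the reply identifies as predating TLS 1.3.
TLS13_BLIND = {"7.60"}
LEGACY = ("TLSv1.0", "TLSv1.1")

def parse_ssl_enum(text):
    """Return (nmap_version, {protocol: [suite, ...]}); accepts indented or flattened output."""
    version, protos, current = None, {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()
        banner = re.match(r"Starting Nmap (\S+)", line)
        if banner:
            version = banner.group(1)
        elif re.fullmatch(r"(SSLv\d|TLSv\d\.\d):", line):
            current = line[:-1]
            protos[current] = []
        elif current and re.match(r"(TLS|SSL)_\w+", line):
            protos[current].append(line.split()[0])
    return version, protos

def audit(text):
    """List findings; a blind scanner's silence on TLS 1.3 is reported as unknown, not absent."""
    version, protos = parse_ssl_enum(text)
    findings = [f"{p} offered (legacy protocol)" for p in LEGACY if p in protos]
    static_rsa = {s for suites in protos.values() for s in suites
                  if s.startswith("TLS_RSA_WITH_")}
    if static_rsa:
        findings.append(f"{len(static_rsa)} static-RSA suites (no forward secrecy)")
    if "TLSv1.3" not in protos:
        blind = version in TLS13_BLIND
        findings.append(f"TLSv1.3 unknown: Nmap {version} cannot probe it" if blind
                        else "TLSv1.3 not offered")
    return findings

# Constructed sample: what a scanner that predates TLS 1.3 would print for such a host.
OLD_SCAN = """Starting Nmap 7.60 ( https://nmap.org )
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|_  least strength: A"""
# Constructed sample: the same host seen by a current scanner (one TLS 1.3 suite added).
NEW_SCAN = OLD_SCAN.replace("7.60", "7.95").replace("|_  least", "|   TLSv1.3:\n|     ciphers:\n"
    "|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A\n|_  least")
print(audit(OLD_SCAN), audit(NEW_SCAN), sep="\n")
```
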

If it's convenient, could you post the output of your curl command? It works in my own testing
(verified OK with an IPv6 hosts binding: 2401:b180:2000:60::f h5.dingtalk.com)

```
$ curl -6 -v https://h5.dingtalk.com/status.taobao
* Trying [2401:b180:2000:60::f]:443...
* Connected to h5.dingtalk.com (2401:b180:2000:60::f) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: C=CN; ST=ZheJiang; L=HangZhou; O=Alibaba (China) Technology Co., Ltd.; CN=*.dingtalk.com
* start date: Apr 12 01:56:07 2022 GMT
* expire date: May 14 01:56:06 2023 GMT
* subjectAltName: host "h5.dingtalk.com" matched cert's "*.dingtalk.com"
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Organization Validation CA - SHA256 - G2
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* h2h3 [:method: GET]
* h2h3 [:path: /status.taobao]
* h2h3 [:scheme: https]
* h2h3 [:authority: h5.dingtalk.com]
* h2h3 [user-agent: curl/7.86.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x14e813400)
> GET /status.taobao HTTP/2
> Host: h5.dingtalk.com
> user-agent: curl/7.86.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: Tengine
< date: Thu, 16 Mar 2023 06:02:49 GMT
< content-length: 0
< accept-ranges: bytes
< etag: W/"0-1678781644000"
< last-modified: Tue, 14 Mar 2023 08:14:04 GMT
< cache-control: no-cache
< content-security-policy-report-only: default-src 'self';style-src 'self' 'unsafe-inline' dev.g.alicdn.com g.alicdn.com at.alicdn.com *.test.youku.com *.taobao.net webapi.amap.com;script-src 'report-sample' 'self' 'unsafe-eval' 'unsafe-inline' *.dingtalk.com *.cnzz.com *.alicdn.com market.wapa.taobao.com dev.g.alicdn.com g.alicdn.com ynuf.alipay.com log.mmstat.com s.tbcdn.cn vip.laiwang.com wswukong.laiwang.com local.alipcsec.com:6691 *.taobao.net cfd.aliyun.com restapi.amap.com webapi.amap.com tce.taobao.com cfall.aliyun.com gw.alipayobjects.com ynuf.aliapp.org;connect-src 'self' *.dingtalk.com ynuf.alipay.com dev.g.alicdn.com g.alicdn.com retcode.taobao.com dingtalk-cspase-sh.oss-cn-shanghai.aliyuncs.com dingtalk-cspase-sz.oss-cn-shenzhen.aliyuncs.com arms-retcode.aliyuncs.com arms-retcode.aliyuncs.com gm.mmstat.com ynuf.aliapp.org wss://acs.wapa.taobao.com wss://acs.m.taobao.com aliliving.alicdn.com wgo.mmstat.com dtliving.alicdn.com hd.mmstat.com uc.gre alilive.alicdn.com *.mobgslb.tbcache.com *.mmstat.com px.effirst.com;frame-src 'self' h5.m.taobao.com qiye.aliyun.com log.laiwang.com dev.g.alicdn.com g.alicdn.com login.dingtalk.com login2.dingtalk.com *.dingtalk.com mailsso.mxhichina.com wvjbscheme: alipaybridge: alipaymonitor: ynuf.aliapp.org cn-hangzhou-dap.cloud.alipay.com cn-hangzhou-cap.cloud.alipay.com auth.cloud.alipay.com;font-src 'self' at.alicdn.com dev.g.alicdn.com g.alicdn.com data: *.taobao.net i.alicdn.com;img-src 'self' data: http: fourier.taobao.com *.dingtalk.com *.aliimg.com *.alicdn.com *.mmstat.com ynuf.alipay.com arms-retcode.aliyuncs.com pin.aliyun.com fourier.alibaba.com retcode.taobao.com *.cnzz.com dingtalk-cspase-sh.oss-cn-shanghai.aliyuncs.com dingtalk-cspase-sz.oss-cn-shenzhen.aliyuncs.com restapi.amap.com landray.dingtalkapps.com restapi.amap.com image.uczzd.cn;media-src 'self' *.dingtalk.com cloud.video.taobao.com videocdn.taobao.com dev.g.alicdn.com g.alicdn.com tbm-auth.alicdn.com alilive.alicdn.com aliliving.alicdn.com 
blob:;worker-src 'self' blob:;report-uri https://csp.dingtalk.com/csp;
```
2019-04-09 10:40:29 +08:00
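Replied to zealot's topic in Cool Jobs: Alibaba DingTalk 2019 campus recruitment
@lazydog You can search for dingtalkkejie on DingTalk and add me. I'll ask the recruiting HR to check whether there is a previous interview record and confirm whether it can be converted into a referral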
2018-10-24 23:40:21 +08:00
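Replied to Tumblr's topic in Global Ticket System: Please correct the grammar errors in the English version of Alibaba DingTalk
Thanks, everyone, for the feedback and the active suggestions; our team has already stepped in to fix it. You're welcome to use DingTalk for work communication, and you can also contact me by private message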
2013-03-01 09:55:03 +08:00
Replied to openroc's topic in Share & Discover: A code statistics site for open-source projects
Ubuntu: Mostly written in C#
Heh
2012-11-22 20:17:26 +08:00
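Replied to laskuma's topic in Python: Why recommend Python?
I recommend learning a scripting language; it doesn't have to be Python, Ruby or Perl would do as well.
I won't bother explaining the benefits of a programmer knowing a scripting language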
2012-10-25 21:01:05 +08:00
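Replied to jerommix's topic in Q&A: The thirteenth day of discovering you.
Send ice cream every day; if one day she doesn't eat it, switch to sending hand warmers, and look after her well
The Art of Software Testing, 1979
Hacker's Delight, 2002, exactly ten years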
2012-09-21 00:19:10 +08:00
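Replied to kingwkb's topic in Designers: What's wrong with people these days, hiring is this hard
Small companies should hire as few novices as possible
Large companies can hire novices and train them gradually. On the job, professional skills are always the easiest thing to learn, so interviews don't need to focus on them too much. Give the company and the candidate a chance.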