zealot's recent timeline updates

zealot

@chzealot 理想主义，随性

V2EX member #16002, joined on 2012-01-26 16:52:40 +08:00

chzealot

losthit.com Geo

杭州 GitHub

chzealot

理想主义，随性；Linux/C/C++/Java/Python/网络/架构，钉钉小二；热爱生活

zealot 提问技术话题好玩工作信息交易信息城市相关

阿里巴巴钉钉 2019 校园招聘

酷工作 • zealot • Apr 9, 2019 • Lastly replied by lazydog

自用Confluence知识库备份工具

分享创造 • zealot • Apr 20, 2012 • Lastly replied by zealot

东京节点还不算绝对的糟糕(附测试结果)

Linode • zealot • Feb 6, 2012

» More topics by zealot

zealot's recent replies

Aug 5, 2024

Replied to a topic by ethsol › 程序员 › 吐槽一下钉钉域名竟然不支持 tls1.3

@zong400 RSA 是很老的算法了，ECC 综合指标显著优于 RSA ，了解技术的都会在 TLS 1.3 里采用 ECC 而不是 RSA

Aug 5, 2024

Replied to a topic by ethsol › 程序员 › 吐槽一下钉钉域名竟然不支持 tls1.3

钉钉的域名支持 TLS1.3 ；
你的检测结果中没有显示 TLS 1.3 的原因是你用的 nmap 版本比较旧（ 7.6 版本的 nmap 发布时候还没有 TLS 1.3 协议），换个最新版本 nmap 就可以。

你用的这个 nmap 版本号是 7.60 ，发布日期是 2017-07-31 详见： https://svn.nmap.org/nmap-releases/nmap-7.60/CHANGELOG 。

TLS 1.3 协议是 2018 年 8 月发布的，详见 IETF 文档： https://datatracker.ietf.org/doc/html/rfc8446

nmap 在 2021 年 12 月才支持了 TLS 1.3 ，详见代码提交记录： https://github.com/mzet-/Nmap-for-Pen-Testers/commit/f55c200783af64f2ecb286244056e83098d74e97

最新的 nmap 7.95 版本检测钉钉域名是支持 TLS 1.3 的：
```
$ nmap --script ssl-enum-ciphers -p 443 oapi.dingtalk.com
Starting Nmap 7.95 ( https://nmap.org ) at 2024-08-05 14:08 CST
Nmap scan report for oapi.dingtalk.com (106.11.35.100)
Host is up (0.047s latency).
Other addresses for oapi.dingtalk.com (not scanned): 2401:b180:2000:80::d 2401:b180:2000:50::b 2401:b180:2000:60::f 2401:b180:2000:70::e

PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_SM4_CCM_SM3 (ecdh_x25519) - A
| TLS_AKE_WITH_SM4_GCM_SM3 (ecdh_x25519) - A
| cipher preference: server
|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 3.58 seconds
```

SSL Labs 检测结果也同样显示支持 TLS 1.3： https://www.ssllabs.com/ssltest/analyze.html?d=oapi.dingtalk.com
p.s. 这个域名还在支持 TLS 1.0 和 TLS 1.1 的原因是还有很多企业不支持更高版本的 TLS 。不过安全团队针对低版本的 TLS 的加密套件做了定制，剔除一些低版本中有重大风险的加密套件。

![](

)

Mar 16, 2023

Replied to a topic by xaviertoo › 全球工单系统 › 钉钉在 ipv6 环境下出现访问问题， h5.dingtalk.com 解析错误。

方便的话可以发一下 curl 命令输出结果，我这边实测是可以的
（绑 IPv6 host 验证 OK：2401:b180:2000:60::f h5.dingtalk.com ）

``` $ curl -6 -v https://h5.dingtalk.com/status.taobao
* Trying [2401:b180:2000:60::f]:443...
* Connected to h5.dingtalk.com (2401:b180:2000:60::f) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: C=CN; ST=ZheJiang; L=HangZhou; O=Alibaba (China) Technology Co., Ltd.; CN=*.dingtalk.com
* start date: Apr 12 01:56:07 2022 GMT
* expire date: May 14 01:56:06 2023 GMT
* subjectAltName: host "h5.dingtalk.com" matched cert's "*.dingtalk.com"
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Organization Validation CA - SHA256 - G2
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* h2h3 [:method: GET]
* h2h3 [:path: /status.taobao]
* h2h3 [:scheme: https]
* h2h3 [:authority: h5.dingtalk.com]
* h2h3 [user-agent: curl/7.86.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x14e813400)
> GET /status.taobao HTTP/2
> Host: h5.dingtalk.com
> user-agent: curl/7.86.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: Tengine
< date: Thu, 16 Mar 2023 06:02:49 GMT
< content-length: 0
< accept-ranges: bytes
< etag: W/"0-1678781644000"
< last-modified: Tue, 14 Mar 2023 08:14:04 GMT
< cache-control: no-cache
< content-security-policy-report-only: default-src 'self';style-src 'self' 'unsafe-inline' dev.g.alicdn.com g.alicdn.com at.alicdn.com *.test.youku.com *.taobao.net webapi.amap.com;script-src 'report-sample' 'self' 'unsafe-eval' 'unsafe-inline' *.dingtalk.com *.cnzz.com *.alicdn.com market.wapa.taobao.com dev.g.alicdn.com g.alicdn.com ynuf.alipay.com log.mmstat.com s.tbcdn.cn vip.laiwang.com wswukong.laiwang.com local.alipcsec.com:6691 *.taobao.net cfd.aliyun.com restapi.amap.com webapi.amap.com tce.taobao.com cfall.aliyun.com gw.alipayobjects.com ynuf.aliapp.org;connect-src 'self' *.dingtalk.com ynuf.alipay.com dev.g.alicdn.com g.alicdn.com retcode.taobao.com dingtalk-cspase-sh.oss-cn-shanghai.aliyuncs.com dingtalk-cspase-sz.oss-cn-shenzhen.aliyuncs.com arms-retcode.aliyuncs.com arms-retcode.aliyuncs.com gm.mmstat.com ynuf.aliapp.org wss://acs.wapa.taobao.com wss://acs.m.taobao.com aliliving.alicdn.com wgo.mmstat.com dtliving.alicdn.com hd.mmstat.com uc.gre alilive.alicdn.com *.mobgslb.tbcache.com *.mmstat.com px.effirst.com;frame-src 'self' h5.m.taobao.com qiye.aliyun.com log.laiwang.com dev.g.alicdn.com g.alicdn.com login.dingtalk.com login2.dingtalk.com *.dingtalk.com mailsso.mxhichina.com wvjbscheme: alipaybridge: alipaymonitor: ynuf.aliapp.org cn-hangzhou-dap.cloud.alipay.com cn-hangzhou-cap.cloud.alipay.com auth.cloud.alipay.com;font-src 'self' at.alicdn.com dev.g.alicdn.com g.alicdn.com data: *.taobao.net i.alicdn.com;img-src 'self' data: http: fourier.taobao.com *.dingtalk.com *.aliimg.com *.alicdn.com *.mmstat.com ynuf.alipay.com arms-retcode.aliyuncs.com pin.aliyun.com fourier.alibaba.com retcode.taobao.com *.cnzz.com dingtalk-cspase-sh.oss-cn-shanghai.aliyuncs.com dingtalk-cspase-sz.oss-cn-shenzhen.aliyuncs.com restapi.amap.com landray.dingtalkapps.com restapi.amap.com image.uczzd.cn;media-src 'self' *.dingtalk.com cloud.video.taobao.com videocdn.taobao.com dev.g.alicdn.com g.alicdn.com tbm-auth.alicdn.com alilive.alicdn.com aliliving.alicdn.com blob:;worker-src 'self' blob:;report-uri https://csp.dingtalk.com/csp;
```

Apr 9, 2019

Replied to a topic by zealot › 酷工作 › 阿里巴巴钉钉 2019 校园招聘

@lazydog 可以钉钉上搜索 dingtalkkejie 加一下我，我找招聘 HR 查一下之前有无面试记录，确定一下是否可以转推荐

Oct 24, 2018

Replied to a topic by Tumblr › 全球工单系统 › 阿里钉钉英文版的语法错误望更正

谢谢大家反馈和积极给出建议，我们团队已经介入修改了。欢迎使用钉钉工作交流，也可以私信联系我

Mar 1, 2013

Replied to a topic by openroc › 分享发现 › 开源项目的代码统计网站

Ubuntu：Mostly written in C#
呵呵

Nov 22, 2012

Replied to a topic by laskuma › Python › 为什么推荐python?

我推荐学门脚本语言，不一定是Python，ruby、perl都可以。
程序员会门脚本语言的好处就不解释了