Network

  • Performance,  Technology,  Network

    How to debug slowness of remote calls?

    This is a good article: https://blog.cloudflare.com/a-question-of-timing/
    This is my .curlrc file:
    --write-out "dnslookup: %{time_namelookup} | connect: %{time_connect} | appconnect: %{time_appconnect} | pretransfer: %{time_pretransfer} | starttransfer: %{time_starttransfer} | total: %{time_total} | size: %{size_download}\n"
    Run this curl Return:

  • Technology,  Network

    How TLS handshake works

    This chart is based on the article here: https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/ It would be much clearer to show it as a sequence chart. The key point is what the client and the server each hold at every step in order to generate the sessionKey. The premasterSecret is the key factor here. It is generated on the client side and encrypted with the server's public key. In this way, the client side has its value (since it was generated on the client side) and the server side can get it by using its private key to decrypt it.
    Sequence diagram source code:
    mTLS
    Mutual TLS is an enhanced TLS in which the server side needs to verify the identity of the client side…

  • Technology,  Network

    Useful network cheat sheet

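    Check SSL:
    openssl s_client -connect poynt.frontdoor.akadns.net:443 -showcerts
    Routing path:
    poynt.net (A) => dwccpvpm8ni1x.cloudfront.net (Poynt AWS) => poynt.frontdoor.akadns.net (CNAME) => poynt.us-east-1.fd.aws.gdcld.net (Envoy Proxy) => ALB => web

  • Technology,  Network

    Fixing a website that cannot be accessed (This Site Can’t Be Reached)

    Today the website suddenly became inaccessible, showing “the site cannot be reached”. I then tried to access it directly through its LAN IP and found that this worked, although of course the images did not display, because the image links all include the domain name. I checked the server's free disk space and memory and found both were normal. Next I restarted Apache: service apache2 restart. Still no luck. I went to Google Domains to check the domain forwarding, which also seemed fine. Then I ran ping liangqi.org, and the domain still resolved without problems. On the Mac, traceroute liangqi.org also seemed fine. Finally I tried telnet liangqi.org 443 and found the connection was rejected. I tried other domains and telnet worked for them. So I wondered whether the router's dynamic domain name forwarding had a problem. I went to the router, deleted the port forwarding rule and created a new one, and found that telnet to 443 now worked. Don't ask why the router's port forwarding suddenly broke; I don't know either. It is probably just a software bug. Production environments always have all kinds of different problems. I reconnected to the website: recovered! 😁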