[Bug] internet ip request *.hoyoverse.com ssl handshake failed #833

Closed
scmu1 opened this issue May 12, 2022 · 8 comments
Labels
bug Something isn't working

Comments


scmu1 commented May 12, 2022

Describe the bug
EN: Requesting *.hoyoverse.com via the public internet IP fails the SSL handshake; from the intranet subnet it succeeds, and another SNI host such as mihoyo.com can handshake and get a response.
CN (translated): Accessing any domain under hoyoverse.com via the public IP fails to establish the SSL connection, but it succeeds on the internal network; other domains such as mihoyo.com can establish the connection normally and get response data.

Which branch did you use?
Stable branch

Additional context
EN: At first I suspected a keystore problem, but after setting

sslContextFactory.setTrustAll(true);
sslContextFactory.setEndpointIdentificationAlgorithm("");
sslContextFactory.setSniRequired(false);

the problem still occurs. Then I found a bug in jetty 9.4.x - 10.0.0: jetty/jetty.project#5605
and java-express.jar uses jetty version 9.4.35.v20201120
CN (translated): At first I suspected a keystore problem, but after adding the code above to ignore all SSL trust the problem still exists. Then I found a similar bug in jetty versions 9.4.x-10.0.0, and I found that java-express.jar uses jetty 9.4.35.v20201120, which should fall within the affected range of that bug.

EN: I'm not sure if it's a network issue. I use Aliyun ECS and tried both the classic and VPC networks; both handshakes failed. On the classic network .hoyoverse.com can't be accessed over the internet under any circumstances (other ECS instances in the same availability zone can access it through the internal network); a VPC instance can be used within the same region. For example, if your own network environment is in Beijing and your ECS instance is also in Beijing, it can be accessed, but other cities can't access it.
CN (translated): I'm not sure whether this is caused by a network issue. I use Aliyun ECS and have tried both the classic network and the VPC network. On the classic network, .hoyoverse.com cannot be accessed through the public network under any circumstances (other instances in the same availability zone can access it through the internal network); a VPC instance can be used within the same region: for example, if your own network environment is in Beijing and the ECS instance is in Beijing, access from Beijing works normally, but other cities cannot establish the SSL connection correctly.

EN: By capturing packets and logs we can see the client sends the client hello successfully and the server receives it, but the server sends no server hello packet to the client.
CN (translated): From packet captures and logs we can see the client hello is sent successfully and the server receives it, but the server does not send a server hello to the client.

$ curl -iv -k https://api-account-os.hoyoverse.com    # bind hosts api-account-os.hoyoverse.com to server ip
*   Trying xxx.xxx.xxx.xxx...
* TCP_NODELAY set
* Connected to api-account-os.hoyoverse.com (xxx.xxx.xxx.xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):     # no server hello packet received
^C
  • client packet capture

  • server packet capture

[12:57:42] [DEBUG] fill NOT_HANDSHAKING
[12:57:42] [DEBUG] filled 234 HeapByteBuffer@2cb5c65c[p=0,l=234,c=17408,r=234]={<<<\x16\x03\x01\x00\xE5\x01\x00\x00\xE1\x03\x03m\xFd\xCd~\xB18q\xB3\xB7VG\x00\xB2z...\x03\x02\x01\x02\x03\x00\x10\x00\x0e\x00\x0c\x02h2\x08http/1.1>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00}
[12:57:42] [DEBUG] net filled=234
[12:57:42] [DEBUG] fill starting handshake SslConnection@2b5c994c::SocketChannelEndPoint@917f918{l=/xxx.xxx.xxx.xxx:443,r=/xxx.xxx.xxx.xxx:34784,OPEN,fill=-,flush=-,to=2/30000}{io=0/0,kio=0,kro=1}->SslConnection@2b5c994c{NOT_HANDSHAKING,eio=234/-1,di=-1,fill=IDLE,flush=IDLE}~>DecryptedEndPoint@138e8171{l=/xxx.xxx.xxx.xxx:443,r=/xxx.xxx.xxx.xxx:34784,OPEN,fill=-,flush=-,to=19/30000}=>HttpConnection@669d9707[p=HttpParser{s=START,0 of -1},g=HttpGenerator@3d20bf22{s=START}]=>HttpChannelOverHttp@4ff2d7c2{s=HttpChannelState@260cd8ee{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0},r=0,c=false/false,a=IDLE,uri=null,age=0}
[12:57:42] [DEBUG] unwrap net_filled=234 Status = OK HandshakeStatus = NEED_TASK bytesConsumed = 234 bytesProduced = 0 encryptedBuffer=[p=234,l=234,c=17408,r=0] unwrapBuffer=HeapByteBuffer@14db06fa[p=0,l=0,c=17408,r=0]={<<<>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00} appBuffer=HeapByteBuffer@14db06fa[p=0,l=0,c=17408,r=0]={<<<>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00}
[12:57:42] [DEBUG] fill NEED_TASK
[12:57:42] [DEBUG] SNI matching for type=host_name (0), value=api-account-os.hoyoverse.com
[12:57:42] [DEBUG] SNI host name api-account-os.hoyoverse.com
[12:57:43] [DEBUG] fill NEED_WRAP
[12:57:43] [DEBUG] >flush SslConnection@2b5c994c::SocketChannelEndPoint@917f918{l=/xxx.xxx.xxx.xxx:443,r=/xxx.xxx.xxx.xxx:34784,OPEN,fill=-,flush=-,to=243/30000}{io=0/0,kio=0,kro=1}->SslConnection@2b5c994c{NEED_WRAP,eio=0/-1,di=-1,fill=IDLE,flush=IDLE}~>DecryptedEndPoint@138e8171{l=/xxx.xxx.xxx.xxx:443,r=/xxx.xxx.xxx.xxx:34784,OPEN,fill=-,flush=-,to=260/30000}=>HttpConnection@669d9707[p=HttpParser{s=START,0 of -1},g=HttpGenerator@3d20bf22{s=START}]=>HttpChannelOverHttp@4ff2d7c2{s=HttpChannelState@260cd8ee{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0},r=0,c=false/false,a=IDLE,uri=null,age=0}
[12:57:43] [DEBUG] flush b[0]=HeapByteBuffer@214537df[p=0,l=0,c=0,r=0]={<<<>>>}
[12:57:43] [DEBUG] flush NEED_WRAP
[12:57:43] [DEBUG] wrap Status = OK HandshakeStatus = NEED_UNWRAP bytesConsumed = 0 bytesProduced = 1359 sequenceNumber = 0 [p=0,l=1359,c=17408,r=1359] ioDone=false/false
[12:57:43] [DEBUG] DecryptedEndPoint@138e8171{l=/xxx.xxx.xxx.xxx:443,r=/xxx.xxx.xxx.xxx:34784,OPEN,fill=-,flush=-,to=262/30000} stored flush exception
org.eclipse.jetty.io.EofException: null
	at org.eclipse.jetty.io.ChannelEndPoint.flush(ChannelEndPoint.java:279)
	at org.eclipse.jetty.io.ssl.SslConnection.networkFlush(SslConnection.java:474)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.flush(SslConnection.java:1068)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:643)
	at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:336)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:254)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:540)
	at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:395)
	at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905)
	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.io.IOException: Connection reset by peer
	at java.base/sun.nio.ch.FileDispatcherImpl.writev0(Native Method)
	at java.base/sun.nio.ch.SocketDispatcher.writev(SocketDispatcher.java:66)
	at java.base/sun.nio.ch.IOUtil.write(IOUtil.java:217)
	at java.base/sun.nio.ch.IOUtil.write(IOUtil.java:153)
	at java.base/sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:563)
	at java.base/java.nio.channels.SocketChannel.write(SocketChannel.java:642)
	at org.eclipse.jetty.io.ChannelEndPoint.flush(ChannelEndPoint.java:273)
	... 15 common frames omitted
[12:57:43] [DEBUG] handshake failed SslConnection@2b5c994c::SocketChannelEndPoint@917f918{l=/xxx.xxx.xxx.xxx:443,r=/xxx.xxx.xxx.xxx:34784,OPEN,fill=-,flush=-,to=249/30000}{io=0/0,kio=0,kro=1}->SslConnection@2b5c994c{NEED_UNWRAP,eio=0/1359,di=-1,fill=IDLE,flush=IDLE}~>DecryptedEndPoint@138e8171{l=/xxx.xxx.xxx.xxx:443,r=/xxx.xxx.xxx.xxx:34784,OPEN,fill=-,flush=-,to=266/30000}=>HttpConnection@669d9707[p=HttpParser{s=START,0 of -1},g=HttpGenerator@3d20bf22{s=START}]=>HttpChannelOverHttp@4ff2d7c2{s=HttpChannelState@260cd8ee{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0},r=0,c=false/false,a=IDLE,uri=null,age=0} {

EN: Here is a successful response to a request made from localhost
CN (translated): Below is a request that succeeds when made locally on the server.

# curl -iv -k https://api-account-os.hoyoverse.com    # bind hosts api-account-os.hoyoverse.com to 127.0.0.1
* Rebuilt URL to: https://api-account-os.hoyoverse.com/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to api-account-os.hoyoverse.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=SA; ST=My State; L=My City; O=My Company; OU=My Team; CN=My SSL Certificate
*  start date: Apr 22 02:32:21 2022 GMT
*  expire date: Feb  4 02:32:21 2296 GMT
*  issuer: C=SA; ST=My State; L=My City; O=My Company; OU=My Team; CN=My SSL Certificate
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/1.1
> Host: api-account-os.hoyoverse.com
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 12 May 2022 05:57:05 GMT
Date: Thu, 12 May 2022 05:57:05 GMT
< Server: Javalin
Server: Javalin
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 22
Content-Length: 22

<
* Connection #0 to host api-account-os.hoyoverse.com left intact
Welcome to Grasscutter
@BedamatiMohanty

Don't run as local; run as remote and set the default page to something like google.docs. Otherwise deployment will error out with a null pointer.

@Sayu233

Sayu233 commented May 14, 2022

Same problem here.
It happens with mitm, but fiddler has no problem.

@scmu1 (Author)

scmu1 commented May 16, 2022

Maybe I found the reason: hoyoverse.com is the international service domain and has no domain record information in China, so Aliyun Yundun blocked the TLS handshake traffic.
CN (translated): I think I've roughly found the reason. hoyoverse.com is the international server's domain and has no ICP filing in China; Aliyun Yundun extracts the requested domain from the SNI, finds that it has no domestic filing, and directly intercepts the traffic.

In my analysis I also saw that both the server and the client received a TCP RST packet from the other side to tear down the connection, which had always puzzled me; this phenomenon is completely consistent with the characteristics of Aliyun Yundun.
CN (translated): In my analysis I also saw that both the server and the client received a TCP RST from the other side to close the connection, which had always puzzled me; this behaviour fully matches the characteristics of Yundun.
From https://zhuanlan.zhihu.com/p/72944758

@ZARALEON


If you temporarily disable Yundun, or even uninstall it, can the connection succeed?

@scmu1 (Author)

scmu1 commented May 16, 2022

I don't have Yundun installed on my side; I suspect the traffic is being intercepted at the overall network level.

@memetrollsXD (Member)

This is an issue tracker, not a support forum. Please visit the Discord for further support.

GitHub issues are not a technical support forum. For technical support please go to Discord, which has a dedicated Chinese channel.


@ZxyGch

ZxyGch commented Nov 8, 2022

Server TLS handshake failed. connection closed

Unable to establish TLS connection with server (connection closed). Trying to establish TLS with client anyway. If you plan to redirect requests away from this server, consider setting connection_strategy to lazy to suppress early connections.

Aliyun, same problem, don't know how to fix it.

6 participants