你好，自定义客户端证书功能没实现 tls CERT KEY CA

[victor-infosec]

tls CERT KEY CA
这个配置无法使用，没看到相关代码

[leiless]

	case "tls":
		args := c.RemainingArgs()
		if len(args) > 3 {
			return c.ArgErr()
		}
		tlsConfig, err := pkgtls.NewTLSConfigFromArgs(args...)
		if err != nil {
			return err
		}
		// Merge server name if tls_servername set previously
		tlsConfig.ServerName = u.transport.tlsConfig.ServerName
		u.transport.tlsConfig = tlsConfig
		log.Infof("%v: %v", dir, args)

https://github.com/leiless/dnsredir/blob/master/upstream.go#L399-L411

是有的呢，难道说你的Corefile没有honor tls CERT KEY CA配置吗？
如果是这样，麻烦贴一下你现有Corefile，以及TLS握手报错信息？

[leiless]

经我测试发现，tls CERT KEY CA是可以工作的，具体而言：

Corefile

.:10053 {
    debug
    loop

    dnsredir . {
        to tls://94.140.14.14
        # tls CA - No client authentication is used, and the CA file is used to verify the server certificate.
        tls dns-adguard-com.pem
    }
}

dns-adguard-com.pem 这个文件你可以从Firefox里面打开 https://94.140.14.14/dns-query ，然后将其 PEM证书下载下来放到和Corefile同一级目录下。

$ ./coredns_dnsredir-linux-amd64 -conf Corefile
[INFO] plugin/dnsredir: Initializing, version v0.0.7, HEAD f660931
[INFO] plugin/dnsredir: Match any
[INFO] plugin/dnsredir: Transport: tls Address: 94.140.14.14:853
[INFO] plugin/dnsredir: Upstream: &{tls 94.140.14.14:853 0 0x1a47040 <nil> <nil> <nil> }
[INFO] plugin/dnsredir: tls: [dns-adguard-com.pem]
.:10053
CoreDNS-1.8.3
linux/amd64, go1.16.2, 4293992-dirty
[DEBUG] plugin/dnsredir: "6855361830932061722.4471371409727006771." in name list, t: 1.959µs
[DEBUG] plugin/dnsredir: Upstream host tls://94.140.14.14:853 is selected
[DEBUG] plugin/dnsredir: New connection established for tls://94.140.14.14:853
[DEBUG] plugin/dnsredir: rtt: 403.312866ms
[DEBUG] plugin/dnsredir: "dns.google." in name list, t: 1.879µs
[DEBUG] plugin/dnsredir: Upstream host tls://94.140.14.14:853 is selected
[DEBUG] plugin/dnsredir: Cached connection used for tls://94.140.14.14:853
[DEBUG] plugin/dnsredir: rtt: 90.859µs
[DEBUG] plugin/dnsredir: cached connection was closed by peer: tls://94.140.14.14:853
[DEBUG] plugin/dnsredir: New connection established for tls://94.140.14.14:853
[DEBUG] plugin/dnsredir: rtt: 352.598933ms

$ dig @127.0.0.1 -p10053 dns.google +short A
8.8.4.4
8.8.8.8

[leiless]

除非你使用了自签发的TLS证书，否则我能想到针对公证签发证书的DoT（也就是公共DoT），大部分时候只需要设置 tls_servername 即可。
类似这样：

dnsredir . {
    to tls://103.2.57.5 tls://103.2.57.6
    tls_servername public.dns.iij.jp
}

具体可以参考 https://github.com/leiless/dnsredir#examples

[victor-infosec]

是的，我按照这个链接生成了自签名证书 https://www.jianshu.com/p/5938432e2130

在192.168.1.9上配置如下，目的是转发到192.168.1.10上

. {
    dnsredir . {
        to ietf-doh://192.168.1.10:8853/dns-query
        tls client.cert.pem client.key.pem ca.cert.pem
        health_check 60s
        max_fails 3
        expire 15s
    }
}

192.168.1.10上配置如下，目的是转发到192.168.1.11的基于UDP的DNS

https://.:8853 {
    tls server.cert.pem server.key.pem ca.cert.pem
    log
    errors
    forward . 192.168.1.11:53
}

9连接10报错
[WARNING] plugin/dnsredir: hc: DNS https://192.168.1.10:8853/dns-query failed rtt: 7.4982ms err: Get "https://192.168.1.10:8853/dns-query?ct=application/dns-message&dns=AAABAAABAAAAAAAAAAACAAE": x509: certificate signed by unknown authority

[leiless]

你能贴一下
openssl x509 -text -noout -in client.cert.pem
和
openssl x509 -text -noout -in server.cert.pem
输出的结果吗？

看错误提示x509: certificate signed by unknown authority应该是证书有什么地方配错啦？

[victor-infosec]

你能贴一下
openssl x509 -text -noout -in client.cert.pem
和
openssl x509 -text -noout -in server.cert.pem
输出的结果吗？

看错误提示x509: certificate signed by unknown authority应该是证书有什么地方配错啦？

$ openssl x509 -text -noout -in server.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            70:9b:18:eb:27:6c:4d:e6:71:e8:12:6a:60:a6:e5:e0:6c:9f:ee:d8
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = ca
        Validity
            Not Before: Jul  1 08:21:02 2021 GMT
            Not After : Jul  1 08:21:02 2022 GMT
        Subject: CN = server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bf:33:b5:dd:ac:68:65:d6:d7:9a:d1:35:2d:e7:
                    d2:1e:22:30:2f:2c:a6:f0:c2:50:8d:ab:26:d6:c2:
                    94:87:f1:43:d2:31:87:06:6e:8d:3f:b2:21:30:17:
                    f8:d7:79:bf:dd:21:e1:76:77:cc:86:fc:b3:b4:fa:
                    b7:75:6f:a6:d8:e6:ab:ec:da:90:a5:de:9f:29:5a:
                    6a:a9:cb:47:7b:37:29:6a:9f:39:b5:a0:36:9f:df:
                    40:dd:82:14:46:8b:0c:19:33:20:d6:d0:0f:77:24:
                    39:0a:e8:ca:56:89:8e:00:aa:25:ca:b6:a5:86:ff:
                    da:c2:1a:79:90:ce:d9:da:ff:bb:8e:5d:47:6c:2a:
                    db:67:87:65:e0:57:50:ff:ee:09:a8:e6:45:e2:a6:
                    92:40:74:5f:eb:5c:a5:72:f7:ef:15:b6:99:f9:9b:
                    7f:3c:1d:e1:be:02:aa:7d:70:0b:1c:68:b5:bb:29:
                    38:e5:0f:fd:1d:a4:fe:d1:bb:a1:6a:1d:0b:c2:a8:
                    c6:df:a0:83:04:d5:d8:f3:7b:d2:7d:d6:35:ef:ff:
                    d2:18:24:9c:5d:ee:e8:83:40:b1:32:d6:a3:27:62:
                    01:a7:6d:a4:82:04:23:d8:80:97:2a:68:07:d4:86:
                    90:80:69:dc:fb:df:8c:3b:0a:f4:89:aa:fb:09:4f:
                    62:b9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:cc.local, DNS:test.cc.local, IP Address:192.168.1.10
    Signature Algorithm: sha256WithRSAEncryption
         6d:85:84:38:92:ab:8f:2f:3e:47:0d:ed:30:d7:0c:f1:51:cf:
         e9:2f:09:58:33:5e:1a:28:3e:96:5c:92:32:cf:e6:b5:d0:a2:
         41:28:28:99:72:06:70:9c:0d:dd:56:93:b4:c6:f3:1a:7c:f6:
         8d:6e:ab:dd:2d:0d:f0:54:b9:61:55:9c:60:cf:65:10:7c:0d:
         fe:ef:a0:3b:d0:56:8a:bd:75:4b:11:6a:0e:bc:a2:8e:65:01:
         f9:68:4b:df:a6:28:95:a2:3a:29:e4:6d:f7:95:2f:70:2c:a4:
         44:f2:79:f1:77:da:c3:b3:35:57:b0:ff:40:97:bc:f3:3b:d5:
         04:05:66:85:82:93:d6:ea:cb:54:9e:53:b8:18:6b:95:ff:08:
         7e:83:97:c3:2e:d8:d5:1b:4c:31:0f:24:81:6a:f1:ad:fd:7c:
         bf:51:43:aa:2c:fc:ea:5f:ea:84:72:89:80:4b:25:dc:76:89:
         80:8b:28:50:7a:cf:45:69:d8:9c:63:57:99:9d:1f:f5:28:fc:
         a0:c0:79:dc:55:4a:08:9d:6a:9c:82:38:e5:8a:39:3c:04:b4:
         20:bd:5f:b1:58:f4:17:2d:cc:d2:4f:4b:6a:7c:79:a0:cc:9d:
         1c:d2:a4:2d:03:0c:55:7f:8a:06:10:ad:d7:9c:cc:6f:27:a6:
         d4:a4:da:15:f6:3a:a2:14:d6:f1:0b:fa:9c:f8:0b:0d:26:97:
         53:bb:bc:3f:62:ba:2b:89:cf:4f:31:81:37:51:bb:f5:0b:d9:
         82:23:0b:f0:c5:a2:20:5c:cf:ca:49:cf:dc:52:fa:77:d9:59:
         c6:72:c3:98:68:b8:88:ad:c9:8a:64:96:2c:c3:58:87:d5:ce:
         27:b2:ce:eb:ea:a4:05:21:95:94:2a:d1:a0:7d:52:5e:de:d4:
         0b:5c:61:f8:67:26:ab:69:41:8c:cf:1e:00:aa:97:d4:69:56:
         f2:e8:b8:20:a2:f7:d0:9e:81:6d:79:19:d5:95:52:9e:9d:20:
         9b:08:44:a5:fb:a0:5e:f7:65:85:bc:fe:ee:12:6f:81:94:4d:
         e6:4c:e9:7b:bc:84:aa:11:24:dc:17:dc:1a:61:e9:c2:ba:96:
         22:af:32:8b:53:8a:a3:c6:e9:c1:95:9e:f6:be:fb:67:c8:b8:
         b6:89:96:2c:23:3d:be:19:4d:35:6f:8e:fc:76:bc:fc:ae:2d:
         6f:3b:b8:8a:f3:b9:c5:ff:4d:44:34:ad:78:19:10:44:69:14:
         65:67:b4:fa:9f:94:bf:2d:f1:53:4a:94:a0:40:f7:c1:7c:aa:
         f4:2b:a8:8a:b5:d6:82:75:e0:7e:77:35:6c:f0:2e:ce:82:1c:
         81:f0:47:cd:f2:c7:f7:2a











$ openssl x509 -text -noout -in client.cert.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            70:9b:18:eb:27:6c:4d:e6:71:e8:12:6a:60:a6:e5:e0:6c:9f:ee:d9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = ca
        Validity
            Not Before: Jul  1 08:21:02 2021 GMT
            Not After : Jul  1 08:21:02 2022 GMT
        Subject: CN = client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:f0:f7:cb:f8:28:35:cd:50:9f:67:d3:31:36:82:
                    eb:44:89:d9:d0:80:2a:60:95:ca:69:7c:30:01:f5:
                    b9:e2:a5:c4:5a:58:cd:92:94:10:99:04:b9:e8:58:
                    60:b8:f6:69:c6:dc:ea:71:5c:ce:01:ac:6d:f5:0f:
                    46:3c:33:06:b0:90:b3:10:59:ac:31:de:36:fe:a4:
                    02:49:85:6c:48:b2:70:33:bf:72:e7:71:12:86:5a:
                    59:58:06:a0:34:34:78:f6:29:2c:3f:52:18:71:9b:
                    72:09:45:83:61:b4:d0:0e:31:85:2d:66:72:c2:36:
                    ef:3e:49:ef:c3:a1:f1:ae:36:f9:70:d6:58:8b:10:
                    9f:d4:49:b4:b6:d4:48:3d:e2:d4:62:a5:30:34:92:
                    e4:17:58:ee:12:41:24:1c:f2:0a:65:26:52:2e:97:
                    b7:2c:03:46:42:89:5f:b6:58:8e:b2:c8:7a:1a:c8:
                    65:c2:34:a5:d6:41:3d:03:8c:3d:46:80:4c:1d:dc:
                    bd:37:5a:d4:ea:91:d6:cd:33:51:01:c6:b5:00:bc:
                    ff:0e:64:6d:ce:3a:bb:fa:78:af:0a:56:4c:2e:53:
                    44:1c:cd:26:aa:64:c9:8f:92:f4:cc:50:a9:60:ed:
                    80:c5:65:64:69:85:6d:81:b4:49:c5:3f:90:96:bb:
                    3c:4b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         1a:92:9d:71:e2:c0:f1:9e:64:d9:30:35:da:05:f3:ea:ef:be:
         d3:d2:97:9f:8b:6a:4a:a1:e5:bf:4b:28:e0:9c:30:4c:12:3d:
         8f:8b:50:f7:8f:17:d2:b1:b5:f2:9d:35:de:8b:71:0b:f2:76:
         05:1a:ae:2d:30:aa:07:04:0a:04:d7:c9:af:54:96:64:5a:68:
         61:9c:03:8c:39:25:a3:b8:b3:33:57:6f:7b:00:55:df:7e:a7:
         61:de:54:ca:c6:df:3e:a5:0e:8e:bb:d3:a7:9a:16:fe:cf:10:
         57:33:9b:c8:ed:92:94:2e:a7:cc:9f:7b:6d:27:61:6e:11:d9:
         d8:13:79:43:a1:e4:fe:05:a2:ee:cc:f5:c4:00:7d:de:f2:12:
         ee:85:08:36:6c:c5:be:d8:32:62:24:58:5f:a1:cd:3e:7e:e9:
         d8:eb:2c:36:3a:84:8e:a4:15:63:65:46:3c:58:c5:c7:cb:a1:
         43:73:11:25:12:68:8a:47:8b:0e:6a:27:1f:15:62:ec:80:b6:
         b3:1c:77:20:42:26:95:b4:e4:18:63:7e:89:ac:35:2d:d9:78:
         1a:30:f4:b6:46:1a:f6:5e:2b:58:e4:90:6a:a3:e6:c4:43:b7:
         26:79:5d:78:de:2b:de:67:24:9a:fa:4b:a8:43:17:4c:19:66:
         b7:ba:26:7a:3b:9b:dd:fb:8d:f8:18:69:3f:71:e0:4c:54:2f:
         5a:dd:3a:8b:f5:f8:fb:3c:ad:f0:90:4f:31:3b:26:c2:10:51:
         c6:92:72:79:9f:6a:8b:8c:97:bb:0a:5a:77:64:8d:8b:0c:ee:
         6a:df:bc:54:5c:21:11:6a:c7:47:0e:d1:ff:ad:37:c0:f4:fd:
         30:e1:21:20:7a:cd:1b:24:74:31:80:55:52:dc:bd:57:47:86:
         cf:51:d2:40:65:02:cf:04:b3:ed:70:b0:97:19:b8:b2:6f:37:
         5a:74:54:b3:d5:05:24:59:62:37:5b:fb:6e:04:4b:72:34:c1:
         a6:69:fc:4e:4d:3b:d1:1b:d2:fb:58:76:fd:e7:e4:d8:b6:d2:
         ed:8c:d9:bd:ea:35:4f:e9:a9:f7:31:96:c9:ff:ee:b7:01:5d:
         8b:0a:6b:fb:4f:dd:ff:13:ff:0b:79:f9:73:bb:3a:32:97:c3:
         f3:2b:f2:5c:d4:1c:c0:7f:80:49:56:3b:91:9e:ed:bd:6c:a8:
         e9:20:01:69:4f:26:c3:5e:20:17:98:18:45:96:17:7f:83:22:
         af:11:c1:a0:e9:9b:45:a4:0a:63:9d:70:c1:75:94:1e:d6:7e:
         29:cb:57:8c:8c:26:93:63:b7:6c:eb:9e:72:97:f5:fb:e2:a4:
         82:aa:0b:0d:60:5f:4f:8a

[leiless]

是的，我按照这个链接生成了自签名证书 https://www.jianshu.com/p/5938432e2130

在192.168.1.9上配置如下，目的是转发到192.168.1.10上

. {
    dnsredir . {
        to ietf-doh://192.168.1.10:8853/dns-query
        tls client.cert.pem client.key.pem ca.cert.pem
        health_check 60s
        max_fails 3
        expire 15s
    }
}

192.168.1.10上配置如下，目的是转发到192.168.1.11的基于UDP的DNS

https://.:8853 {
    tls server.cert.pem server.key.pem ca.cert.pem
    log
    errors
    forward . 192.168.1.11:53
}

9连接10报错
[WARNING] plugin/dnsredir: hc: DNS https://192.168.1.10:8853/dns-query failed rtt: 7.4982ms err: Get "https://192.168.1.10:8853/dns-query?ct=application/dns-message&dns=AAABAAABAAAAAAAAAAACAAE": x509: certificate signed by unknown authority

你能在192.168.1.9的Corefile的dnsredir添加下tls_servername cc.local然后再运行试试看呢？

[victor-infosec]

是的，我按照这个链接生成了自签名证书 https://www.jianshu.com/p/5938432e2130
在192.168.1.9上配置如下，目的是转发到192.168.1.10上

. {
    dnsredir . {
        to ietf-doh://192.168.1.10:8853/dns-query
        tls client.cert.pem client.key.pem ca.cert.pem
        health_check 60s
        max_fails 3
        expire 15s
    }
}

192.168.1.10上配置如下，目的是转发到192.168.1.11的基于UDP的DNS

https://.:8853 {
    tls server.cert.pem server.key.pem ca.cert.pem
    log
    errors
    forward . 192.168.1.11:53
}

9连接10报错
[WARNING] plugin/dnsredir: hc: DNS https://192.168.1.10:8853/dns-query failed rtt: 7.4982ms err: Get "https://192.168.1.10:8853/dns-query?ct=application/dns-message&dns=AAABAAABAAAAAAAAAAACAAE": x509: certificate signed by unknown authority

你能在192.168.1.9的Corefile的dnsredir添加下tls_servername cc.local然后再运行试试看呢？

添加了tls_servername cc.local，还是同样的问题

tls client.cert.pem client.key.pem ca.cert.pem这行注释掉了，问题还是一样

先这样吧，有时间再测试下，感谢感谢！

[leiless]

你能在192.168.1.9机器上试试 curl -vL --cacert ca.cert.pem https://192.168.1.10:8853/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB 看能不能正常握手？

[victor-infosec]

你能在192.168.1.9机器上试试 curl -vL --cacert ca.cert.pem https://192.168.1.10:8853/dns-query 看能不能正常握手？

curl是正常的

└─$ curl -vL --cacert ca.cert.pem https://192.168.1.10:8853/dns-query                                         
*   Trying 10.251.6.132:8853...
* Connected to 10.251.6.132 (10.251.6.132) port 8853 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: ca.cert.pem
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=server
*  start date: Jul  2 01:45:30 2021 GMT
*  expire date: Jul  2 01:45:30 2022 GMT
*  subjectAltName: host "10.251.6.132" matched cert's IP address!
*  issuer: CN=ca
*  SSL certificate verify ok.
> GET /dns-query HTTP/1.1
> Host: 10.251.6.132:8853
> User-Agent: curl/7.74.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS alert, close notify (256):
* Empty reply from server
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (52) Empty reply from server

[victor-infosec]

我把两台机器的配置都改成tls://的，其他没改，就OK了。使用DoH的话，配置不配置tls都报unknown authority这个错。。。

下面的配置就可以

在192.168.1.9上配置如下，目的是转发到192.168.1.10上
. {
    dnsredir . {
        to tls://192.168.1.10:8853/dns-query
        tls client.cert.pem client.key.pem ca.cert.pem
        health_check 60s
        max_fails 3
        expire 15s
    }
}

192.168.1.10上配置如下，目的是转发到192.168.1.11的基于UDP的DNS
tls://.:8853 {
    tls server.cert.pem server.key.pem ca.cert.pem
    log
    errors
    forward . 192.168.1.11:53
}

[leiless]

x509: certificate signed by unknown authority 这个错误看起来意思是说CA证书没有被系统信任，不过我们在tls里面已经指定了使用的CA证书，这个问题需要进一步的调查。

从表现上，看起来像是DoH server验证的时候使用了系统CA证书去完成验证，由于自签发的证书没有被加入到系统列表，所以导致了报错 x509: certificate signed by unknown authority？

由于我目前对公私钥体系还不太明白，可能后面有时间再看看这个问题。

[leiless]

从表现上，看起来像是DoH server验证的时候使用了系统CA证书去完成验证，由于自签发的证书没有被加入到系统列表，所以导致了报错 x509: certificate signed by unknown authority？

作为验证，你可以帮忙尝试下将你自签发的CA证书 ca.cert.pem 放到 /etc/ssl/certs 这个目录吗？
然后使用你之前的DoH配置再试试看？

https://serverfault.com/questions/62496/ssl-certificate-location-on-unix-linux/722646#722646

[victor-infosec]

从表现上，看起来像是DoH server验证的时候使用了系统CA证书去完成验证，由于自签发的证书没有被加入到系统列表，所以导致了报错 x509: certificate signed by unknown authority？

作为验证，你可以帮忙尝试下将你自签发的CA证书 ca.cert.pem 放到 /etc/ssl/certs 这个目录吗？
然后使用你之前的DoH配置再试试看？

https://serverfault.com/questions/62496/ssl-certificate-location-on-unix-linux/722646#722646

我放在/etc/ssl/certs这个目录下了，还是同样的问题。设置成tls://后就可以了说明应该是读取到了当前目录下的ca.cert.pem。
关于证书方面的我也不是特别懂，我先转发到阿里云的DoH服务器了，不搞内部转发了。:-(

[leiless]

我放在/etc/ssl/certs这个目录下了，还是同样的问题。设置成tls://后就可以了说明应该是读取到了当前目录下的ca.cert.pem。

你是在192.168.1.10上操作的吗？我猜测需要在出现x509: certificate signed by unknown authority错误的机器上操作。

[victor-infosec]

我放在/etc/ssl/certs这个目录下了，还是同样的问题。设置成tls://后就可以了说明应该是读取到了当前目录下的ca.cert.pem。

你是在192.168.1.10上操作的吗？我猜测需要在出现x509: certificate signed by unknown authority错误的机器上操作。

我在两台机器上都放到那个目录下了。。。
有时间的话你可以按照这个
https://www.jianshu.com/p/5938432e2130
链接生成下证书，自己测试下？可能是我的姿势不对

[leiless]

有时间我试试看，我似乎有点思路了，我猜测是可能发起HTTPS请求的时候，没有override http.Client的TLS config。

[cnclg]

确实也遇到了类似的问题

[leiless]

确实也遇到了类似的问题

最近有点忙，我找个时间看看吧。我猜测可能就如前述的原因导致的。

你方便描述下你的问题吗？