我使用Titanium Web Proxy来修改https请求的标头。它在Windows中工作正常,但在Linux中alert handshake failure错误失败。
我已经用以下命令生成了根CA证书。
openssl genrsa -out rootCert.key 4096
openssl req -x509 -new -nodes -key rootCert.key -sha256 -days 1024 -out rootCert.crt
openssl pkcs12 -export -out rootCert.pfx -inkey rootCert.key -in rootCert.crt
并使用以下命令安装生成的证书。还确保我的证书文件被正确地附加到/etc/ssl/certs/ca-certificates.crt文件。
sudo cp rootCert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
My ProxyService Code
public class ProxyService : IHostedService, IDisposable
{
#region Private Fields
private readonly ILogger<ProxyService> logger;
private readonly ProxyConfig proxyConfig;
private readonly HeaderConfig headerConfig;
private readonly ProxyServer proxyServer;
private ExplicitProxyEndPoint explicitEndPoint;
#endregion
#region Constructor
public ProxyService(ILogger<ProxyService> logger, IOptions<ProxyConfig> proxyConfig, IOptions<HeaderConfig> headerConfig)
{
this.logger = logger;
this.proxyConfig = proxyConfig.Value;
this.headerConfig = headerConfig.Value;
proxyServer = new ProxyServer();
proxyServer.ExceptionFunc += onException;
proxyServer.TcpTimeWaitSeconds = 10;
proxyServer.ConnectionTimeOutSeconds = 15;
proxyServer.ReuseSocket = false;
proxyServer.EnableConnectionPool = false;
proxyServer.ForwardToUpstreamGateway = true;
proxyServer.CertificateManager.SaveFakeCertificates = true;
}
#endregion
#region IHostedService Implementation
public Task StartAsync(CancellationToken cancellationToken)
{
proxyServer.BeforeRequest += onRequest;
proxyServer.ServerCertificateValidationCallback += onCertificateValidation;
explicitEndPoint = new ExplicitProxyEndPoint(IPAddress.Parse(proxyConfig.IPAddress), proxyConfig.Port);
explicitEndPoint.BeforeTunnelConnectRequest += onBeforeTunnelConnectRequest;
proxyServer.CertificateManager.CertificateEngine = Titanium.Web.Proxy.Network.CertificateEngine.BouncyCastleFast;
proxyServer.AddEndPoint(explicitEndPoint);
proxyServer.Start();
foreach (ProxyEndPoint endPoint in proxyServer.ProxyEndPoints)
{
logger.LogInformation("Listening on '{0}' at IP {1} and port: {2} ", endPoint.GetType().Name, endPoint.IpAddress, endPoint.Port);
}
return Task.CompletedTask;
}
public Task StopAsync(CancellationToken cancellationToken)
{
logger.LogInformation("Stopping proxy service!");
explicitEndPoint.BeforeTunnelConnectRequest -= onBeforeTunnelConnectRequest;
proxyServer.BeforeRequest -= onRequest;
proxyServer.ServerCertificateValidationCallback -= onCertificateValidation;
proxyServer.Stop();
return Task.CompletedTask;
}
#endregion
#region IDisposable Implementation
public void Dispose()
{
proxyServer.Dispose();
}
#endregion
#region Event Handlers
private Task onBeforeTunnelConnectRequest(object sender, TunnelConnectSessionEventArgs e)
{
string hostname = e.HttpClient.Request.RequestUri.Host;
logger.LogInformation("Tunnel to: {0}", hostname);
if (!hostname.Contains(headerConfig.BaseHostName))
{
e.DecryptSsl = false;
}
return Task.CompletedTask;
}
private Task onRequest(object sender, SessionEventArgs e)
{
var headers = e.HttpClient.Request.Headers;
if (headers.HeaderExists(headerConfig.TokenHeaderName))
{
var uri = e.HttpClient.Request.RequestUri;
if (uri.Host.EndsWith(headerConfig.BaseHostName) && uri.AbsolutePath.StartsWith(headerConfig.UriPath))
{
logger.LogInformation("Adding auth header to: {0}", uri.ToString());
var token = headers.GetFirstHeader(headerConfig.TokenHeaderName).Value;
headers.AddHeader("Authorization", token);
}
headers.RemoveHeader(headerConfig.TokenHeaderName);
}
return Task.CompletedTask;
}
private Task onCertificateValidation(object sender, CertificateValidationEventArgs e)
{
if (e.SslPolicyErrors == SslPolicyErrors.None)
{
e.IsValid = true;
}
return Task.CompletedTask;
}
private void onException(Exception exception)
{
logger.LogError(exception, exception.Message);
}
#endregion
}
完整误差
proxy_1 | Error occured whilst handling session request
proxy_1 | Titanium.Web.Proxy.Exceptions.ProxyHttpException: Error occured whilst handling session request
proxy_1 | ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
proxy_1 | ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
proxy_1 | ---> Interop+Crypto+OpenSslCryptographicException: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
proxy_1 | --- End of inner exception stack trace ---
proxy_1 | at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount)
proxy_1 | at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, ArraySegment`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
proxy_1 | --- End of inner exception stack trace ---
proxy_1 | at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
proxy_1 | at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
proxy_1 | at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
proxy_1 | at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
proxy_1 | at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
proxy_1 | at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
proxy_1 | --- End of stack trace from previous location where exception was thrown ---
proxy_1 | at System.Net.Security.SslStream.ThrowIfExceptional()
proxy_1 | at System.Net.Security.SslStream.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
proxy_1 | at System.Net.Security.SslStream.EndProcessAuthentication(IAsyncResult result)
proxy_1 | at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
proxy_1 | at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__65_1(IAsyncResult iar)
proxy_1 | at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
proxy_1 | --- End of stack trace from previous location where exception was thrown ---
很难给出一个明确的答案,但我认为问题在于您生成的证书。尝试在目标主机名中添加带有主题备选名称的-addext参数。例如,对于'example.com'域名:
openssl req -x509 -new -nodes -key rootCert.key -sha256 -days 1024
-out rootCert.crt -addext "subjectAltName = DNS:example.com"
或者,如果你想使用根证书,你可以运行没有rootCert的Titanium服务。PFX文件,它应该生成一个。然后,您可以提取PEM证书并将其添加到ca-certificates:
openssl pkcs12 -in rootCert.pfx -out rootCert.crt -clcerts -nokeys
信任根证书后,Titanium生成的所有证书都应该有效。