我目前正在与客户(一家政府机构)合作,以自动执行一些数据收集,并且我编写了一些 Python 脚本来从 REST API 收集数据。该客户位于公司防火墙后面,该防火墙会捕获恶意流量(病毒、EXE 文件等),并且他们有一个自签名根 CA 证书 MITM 设置,这可能(也可能不)相关。
我可以运行我的脚本,但是时不时地任何Python 或 curl 的 ssh 请求抛出了 SEC_E_INVALID_TOKEN (0x80090308) 错误。由于 curl 会发生这种情况,因此我认为核心问题与我的 Python 脚本访问 REST API 的方式无关,因此对于这个问题,我的重点是让它与 curl 一起工作。以下是针对 postman-echo.com 运行 curl 时的输出示例:
C:\>curl -v "https://postman-echo.com/get?foo1=bar1&foo2=bar2" --ssl-no-revoke
* Trying 52.205.69.90...
* TCP_NODELAY set
* Connected to postman-echo.com (52.205.69.90) port 443 (#0)
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: sending initial handshake data: sending 172 bytes...
* schannel: sent initial handshake data: sent 172 bytes
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 2/3)
* schannel: encrypted data got 950
* schannel: encrypted data buffer: offset 950 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid
* Closing connection 0
* schannel: shutting down SSL/TLS connection with postman-echo.com port 443
* schannel: clear security context handle
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid
由于某种原因,打开/刷新任何Chrome 或 Internet Explorer 中的 HTTPS 页面(例如https://en.wikipedia.org) 在一段时间内(大约 15-20 分钟)“修复”该问题,并且相同的请求成功:
C:\>curl -v "https://postman-echo.com/get?foo1=bar1&foo2=bar2" --ssl-no-revoke
* Trying 52.205.69.90...
* TCP_NODELAY set
* Connected to postman-echo.com (52.205.69.90) port 443 (#0)
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: sending initial handshake data: sending 172 bytes...
* schannel: sent initial handshake data: sent 172 bytes
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 2/3)
* schannel: encrypted data got 2372
* schannel: encrypted data buffer: offset 2372 length 4096
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 2/3)
* schannel: encrypted data got 379
* schannel: encrypted data buffer: offset 379 length 4096
* schannel: sending next handshake data: sending 158 bytes...
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 2/3)
* schannel: encrypted data got 258
* schannel: encrypted data buffer: offset 258 length 4096
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET /get?foo1=bar1&foo2=bar2 HTTP/1.1
> Host: postman-echo.com
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 692
* schannel: encrypted data buffer: offset 692 length 103424
* schannel: decrypted data length: 367
* schannel: decrypted data added: 367
* schannel: decrypted data cached: offset 367 length 102400
* schannel: encrypted data length: 296
* schannel: encrypted data cached: offset 296 length 103424
* schannel: decrypted data length: 267
* schannel: decrypted data added: 267
* schannel: decrypted data cached: offset 634 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 634 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 634
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< Date: Tue, 11 Jun 2019 14:41:35 GMT
< ETag: W/"10b-bqF3nfSuAfjsSY6h8GyvTWVSS1o"
< Server: nginx
< set-cookie: sails.sid=s%3A3IRHG8EjQ8nmP28zAPeiCq4r6N39xt4D.NVeHhJ3pg1XfHs4c3CiM3H%2FNcf%2FRwrK7u5eOgofeOaE; Path=/; HttpOnly
< Vary: Accept-Encoding
< Content-Length: 267
< Age: 0
< Via: HTTPS/1.1 [cache]
<
{"args":{"foo1":"bar1","foo2":"bar2"},"headers":{"x-forwarded-proto":"https","host":"postman-echo.com","accept":"*/*","user-agent":"curl/7.55.1","via":"HTTPS/1.1 na-cachec01 0A650164","x-forwarded-port":"443"},"url":"https://postman-echo.com/get?foo1=bar1&foo2=bar2"}* Connection #0 to host postman-echo.com left intact
这当然不是很令人满意,因为我无法自动化该过程(我通过在错误时暂停,要求用户在浏览器中刷新网页来“修复”它,但从长远来看这是不可持续的)。
我需要对正在发生的事情有所了解,以便能够在组织内部进一步推动此事,但目前我真的不知道,所以任何帮助我都会很感激。
我发现这些这些 问题与相同的错误代码有关,但尚未解决,因此遗憾的是没有帮助。
编辑:找到这有完全相同的问题,但也没有解决方案。