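Answer 1
The article the OP gave lists some limitations and issues:
No support for TLS 1.1 and 1.2: This is a hard limitation introduced by the current state of the TLS implementation in the Mono framework. As a result, Fiddler for Linux currently cannot use these protocols.
We conclude that mono-fiddler supports only TLS 1.0, which means that when curl connects to the server directly, it looks like this: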
* Connected to pi.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
Obviously, they both use TLS 1.2 and HTTP 1.1 as the negotiation result. However, when curl uses mono-fiddler as a proxy, the result is different:
* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to pi.com:443
> CONNECT pi.com:443 HTTP/1.1
> Host: pi.com:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
< FiddlerGateway: Direct
< StartTime: 18:08:06.731
< Connection: close
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Client hello (1):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / AES256-SHA
* ALPN, server did not agree to a protocol
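They use TLS 1.0 and, even worse, HTTP 1.0. Worst of all, Chrome has deprecated TLS 1.0 and TLS 1.1 since v72.0.xxx for some security policy reasons, so Chrome reports an SSL version mismatch.
SSL/TLS handshake properties are not available: Fiddler for Linux currently cannot display these. This work is in progress.
When Firefox uses mono-fiddler as a proxy, this results in SSL_ERROR_RX_MALFORMED_SERVER_HELLO.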
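To make the difference between the two curl traces in this answer checkable, the following added example (not part of the original answer) parses `curl -v` output and lists what an intercepting proxy weakened. The function names and the `FLOOR` setting are assumptions of this sketch; the sample lines are copied from the traces above.

```python
import re

# Lines copied from the two curl -v traces above (direct, then through the proxy).
DIRECT = """\
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
"""
PROXIED = """\
* SSL connection using TLSv1.0 / AES256-SHA
* ALPN, server did not agree to a protocol
"""

RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
FLOOR = "TLSv1.2"  # assumption, based on the answer: Chrome no longer accepts TLS 1.0/1.1

def parse_trace(text):
    """Pull the negotiated version, cipher and ALPN protocol out of curl -v output."""
    info = {"version": None, "cipher": None, "alpn": None}
    for line in text.splitlines():
        if m := re.match(r"\*\s+SSL connection using (\S+) / (\S+)", line):
            info["version"], info["cipher"] = m.groups()
        elif m := re.match(r"\*\s+ALPN, server accepted to use (\S+)", line):
            info["alpn"] = m.group(1)
    return info

def downgrade_findings(direct_text, proxied_text):
    """List the ways the proxied session is weaker than the direct one."""
    d, p = parse_trace(direct_text), parse_trace(proxied_text)
    if d["version"] is None or p["version"] is None:
        return ["incomplete trace: no 'SSL connection using' line"]
    findings = []
    d_rank, p_rank = RANK.get(d["version"], -1), RANK.get(p["version"], -1)
    if p_rank < d_rank:
        findings.append(f"version downgrade {d['version']} -> {p['version']}")
    if p_rank < RANK[FLOOR]:
        findings.append(f"{p['version']} is below {FLOOR}")
    # Before TLS 1.3, OpenSSL cipher names without (EC)DHE use static RSA key exchange.
    if p_rank < RANK["TLSv1.3"] and "DHE" in d["cipher"] and "DHE" not in p["cipher"]:
        findings.append(f"forward secrecy lost: {d['cipher']} -> {p['cipher']}")
    if d["alpn"] and not p["alpn"]:
        findings.append(f"ALPN lost: {d['alpn']} -> none")
    return findings

if __name__ == "__main__":
    for finding in downgrade_findings(DIRECT, PROXIED):
        print(finding)
```

Feed it the full stderr of `curl -v` with and without the proxy option to compare any intercepting proxy against a direct connection.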