ERR_SSL_VERSION_INTERFERENCE error when using Fiddler with Mono on Ubuntu

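I am trying to intercept network requests using Fiddler on Ubuntu 17.10 with Mono 4.6.2. Following the instructions given here, I also imported the certificates by running the command mozroots --import --sync. But after starting it, I get ERR_SSL_VERSION_INTERFERENCE and cannot access https websites.

How can I fix this?

Answer 1

The article the OP gave lists some limitations and issues:

TLS 1.1 and 1.2 are not supported. This is a hard limitation introduced by the current state of the TLS implementation in the Mono framework. Fiddler for Linux therefore currently cannot use these protocols.

We conclude that mono-fiddler only supports tls1.0, which means that when curl connects directly to the server, it looks like this: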

* Connected to pi.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1

Obviously, they both use tls1.2 and http1.1 as the negotiation result. However, when curl uses mono-fiddler as a proxy, the result is different:

* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to pi.com:443
> CONNECT pi.com:443 HTTP/1.1
> Host: pi.com:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection Established
< FiddlerGateway: Direct
< StartTime: 18:08:06.731
< Connection: close
< 
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Client hello (1):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / AES256-SHA
* ALPN, server did not agree to a protocol

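They use tls1.0 and, even worse, http1.0. Worst of all, Chrome has deprecated tls1.0 and tls1.1 since v72.0.xxx for some security policy reasons. So Chrome reports an SSL version mismatch.

SSL/TLS handshake properties are not available. Fiddler for Linux currently cannot display these. This work is in progress.

When Firefox uses mono-fiddler as a proxy, this results in SSL_ERROR_RX_MALFORMED_SERVER_HELLO.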
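
Added example (not part of the original answer): a small parser that compares a direct curl -v trace with one taken through an intercepting proxy and lists what the proxy leg weakened. The sample traces are constructed from the key lines of the two outputs quoted above; the function names and the TLS 1.2 floor are assumptions made for this illustration.

```python
import re

# Constructed samples: key lines of the two curl -v traces quoted in the answer.
DIRECT = """\
* Connected to pi.com (127.0.0.1) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
"""
PROXIED = """\
* Establish HTTP proxy tunnel to pi.com:443
* SSL connection using TLSv1.0 / AES256-SHA
* ALPN, server did not agree to a protocol
"""

MIN_VERSION = (1, 2)  # assumption: anything below TLS 1.2 counts as a downgrade

def summarize(trace):
    """Extract proxy use, negotiated TLS version, cipher and ALPN from curl -v text."""
    info = {"proxied": False, "tls": None, "cipher": None, "alpn": None}
    for line in trace.splitlines():
        if "Establish HTTP proxy tunnel" in line:
            info["proxied"] = True
        m = re.search(r"SSL connection using TLSv(\d)\.(\d) / (\S+)", line)
        if m:
            info["tls"] = (int(m.group(1)), int(m.group(2)))
            info["cipher"] = m.group(3)
        m = re.search(r"ALPN, server accepted to use (\S+)", line)
        if m:
            info["alpn"] = m.group(1)
    return info

def findings(direct, proxied):
    """Compare a direct trace with a proxied one and list what the proxy weakened."""
    d, p = summarize(direct), summarize(proxied)
    out = []
    if p["tls"] and p["tls"] < MIN_VERSION:
        out.append("proxy leg negotiated TLS %d.%d (< 1.2)" % p["tls"])
    if d["tls"] and p["tls"] and p["tls"] < d["tls"]:
        out.append("version lower than direct connection")
    # A cipher name without ECDHE here means static RSA key exchange.
    if "ECDHE" in (d["cipher"] or "") and "ECDHE" not in (p["cipher"] or ""):
        out.append("forward secrecy lost: %s -> %s" % (d["cipher"], p["cipher"]))
    if d["alpn"] and not p["alpn"]:
        out.append("ALPN not negotiated via proxy")
    return out

if __name__ == "__main__":
    for f in findings(DIRECT, PROXIED):
        print(f)
```

Feeding it the full output of the two curl runs instead of the constructed samples gives the same four findings, since only the lines shown are matched.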
