Open r00tback opened 1 month ago
If only the domain googleapis.com has this issue, it is possible that it is caused by Google Chrome’s built-in trust configuration not trusting third-party CAs.
The quinn-h3 branch has not been updated for 4 years, and it seems that there is no mature HTTP/3 library in the Rust ecosystem.
I am encountering issues with many websites that display a warning message before allowing me to proceed. I cannot determine the cause of this issue, which makes using a proxy unstable, especially when using software other than Chrome or browsers that do not have the option to disable these warnings.
About QUIC and h3, there are some:
https://github.com/cloudflare/quiche
https://github.com/hyperium/h3
https://github.com/quinn-rs/quinn
https://crates.io/crates/salvo_core
Is there a way to communicate directly? I shared my WhatsApp contact with you. I've been working on this project for over 2 weeks, but I'm feeling frustrated as I'm not experienced with Rust. I fix one issue and get another; I feel like I'm wasting time.
https://github.com/Tencent/tquic, maybe this can help to add QUIC/HTTP/3?
Have you added the CA certificate to the root directory trust zone?
I don't have a WhatsApp account...
I have added the CA certificate to the root directory trust zone. It works fine in some browsers but not in others. So, my setup is correct, but as you said, the browser thinks it's not trusted. I believe you can avoid this issue by ensuring that the code always returns a valid certificate, but I'm not sure how to implement that. The important part is to make it support HTTP/3 QUIC. I've tried using various libraries and methods, but I keep encountering unfamiliar errors and can't get it to work.
It may be difficult to make this project support http3 because http3 uses UDP, which is completely different from other HTTP protocols at the bottom level
I am unable to return the correct certificate every time, because some programs may limit trust to only certificates issued by certain CAs, regardless of whether the certificate is trusted by the system. The technology used in this project is a man-in-the-middle attack, which can only return self-signed certificates.
It just needs to accept HTTP/3 traffic. If you look at the last link, https://github.com/Tencent/tquic, it has a QUIC server and client, so it could accept HTTP/3 requests and redirect them to the server. Another method is to use a QUIC SOCKS proxy if HTTP/3/QUIC traffic wants to go through it.
The issue is not between the browser and the local client but from the browser to other sites: some sites say it's not a trusted connection but accept the connection, and this is what makes the error show in the browser.
```rust
// Upstream-connect helper as posted; the imports and the closing brace were
// missing and are filled in here assuming rustls 0.21, tokio-rustls 0.24 and
// http::uri::Authority (an assumption about the crate versions in use).
use std::io;
use std::net::IpAddr;
use std::str::FromStr;
use std::sync::Arc;

use http::uri::Authority;
use rustls::client::DnsName;
use rustls::ClientConfig;
use tokio::net::TcpStream;
use tokio_rustls::{client::TlsStream, TlsConnector};

async fn connect_to_dns(
    authority: &Authority,
    ca: Arc<ClientConfig>,
) -> io::Result<TlsStream<TcpStream>> {
    let stream = TcpStream::connect(authority.as_ref()).await?;
    let connector = TlsConnector::from(ca);
    let host = authority.host();
    // SNI value: a DNS name when the host parses as one, otherwise an IP literal.
    let server_name = match DnsName::try_from_ascii(host.as_bytes()) {
        Ok(v) => rustls::ServerName::DnsName(v),
        Err(_e) => {
            let ip = match IpAddr::from_str(host) {
                Ok(v) => v,
                Err(_e) => {
                    panic!("invalid server name:{authority}")
                }
            };
            rustls::ServerName::IpAddress(ip)
        }
    };
    // The verifier configured inside `ca` decides whether the upstream
    // certificate is accepted; a rejected chain surfaces as an error here.
    let stream = connector.connect(server_name, stream).await?;
    Ok(stream)
}
```
This code checks it, I think, and you need to make it ignore this check and always say it trusts and processes the request, something like this:
```rust
// Verification-disabling variant as posted, with the garbled fragments
// reconstructed. It assumes rustls 0.21, tokio-rustls 0.24 and webpki-roots 0.25;
// the posted snippet never created `stream`, so the TCP connect is filled in.
use std::io;
use std::sync::Arc;
use std::time::SystemTime;

use http::uri::Authority;
use rustls::client::{ServerCertVerified, ServerCertVerifier};
use rustls::{Certificate, ClientConfig, OwnedTrustAnchor, RootCertStore, ServerName};
use tokio::net::TcpStream;
use tokio_rustls::{client::TlsStream, TlsConnector};

/// Verifier that accepts every certificate chain without checking it.
/// WARNING: with this installed the proxy cannot distinguish a genuine upstream
/// certificate from a forged one, so anyone between the proxy and the origin
/// can read and alter the proxied traffic.
struct NoCertificateVerification;

impl ServerCertVerifier for NoCertificateVerification {
    fn verify_server_cert(
        &self,
        _end_entity: &Certificate,
        _intermediates: &[Certificate],
        _server_name: &ServerName,
        _scts: &mut dyn Iterator<Item = &[u8]>,
        _ocsp_response: &[u8],
        _now: SystemTime,
    ) -> Result<ServerCertVerified, rustls::Error> {
        Ok(ServerCertVerified::assertion())
    }
}

async fn connect_to_dns_trusting_all(
    authority: &Authority,
) -> io::Result<TlsStream<TcpStream>> {
    let stream = TcpStream::connect(authority.as_ref()).await?;
    // Root store as in the posted snippet; it is never consulted once the
    // custom verifier replaces the default one.
    let mut root_store = RootCertStore::empty();
    root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
        OwnedTrustAnchor::from_subject_spki_name_constraints(ta.subject, ta.spki, ta.name_constraints)
    }));
    let mut config = ClientConfig::builder()
        .with_safe_defaults()
        .with_root_certificates(root_store)
        .with_no_client_auth();
    // Set custom verifier that skips cert verification
    config.dangerous().set_certificate_verifier(Arc::new(NoCertificateVerification));
    let connector = TlsConnector::from(Arc::new(config));
    let host = authority.host();
    // Use the host as the ServerName (DNS name or IP literal)
    let server_name = ServerName::try_from(host).expect("Invalid server name");
    // Perform TLS handshake
    let stream = connector.connect(server_name, stream).await?;
    Ok(stream)
}
```
Do you have any website for testing HTTP/3 and certificate verification?
https://quic.nginx.org/ for an HTTP/3/QUIC traffic test, and https://http3.is/ checks h3.
https://websocketstest.com/ to test WebSocket
When I open https://quic.nginx.org/, the website defaults to the HTTP/2 protocol because the cthulhuRs proxy does not support HTTP/3; everything else is normal.
I'm not sure what you're trying to do or test, but you need to try sending traffic over QUIC/HTTP/3 to test whether HTTP/3 requests will go through or not. The site opens fine and most sites will open, but HTTP/3 traffic will not work because it's not supported in cthulhuRs. So, you need to either add support for HTTP/3 over QUIC or tunnel the traffic to a SOCKS5 server that supports QUIC (allow a setting so that if HTTP/3 traffic is found it redirects it to another proxy that will handle it), so it works like a bridge. https://mitmproxy.org/posts/releases/mitmproxy10/ is Python that does QUIC MITM; not sure if it can help.
If you want to test the HTTP/3 connection only, you can use `curl --http3` with a curl build that supports it (https://github.com/stunnel/static-curl/releases/tag/8.10.1), and something like this to check HTTP/3 and TLS: `curl -I --http3 https://www.cloudflare.com -v`. If you want a local server to test v1/v2/v3: https://github.com/siketyan/h123
Any progress on this issue? Are you going to work on this, or should I find alternative methods? I hope we can talk directly via Telegram, WhatsApp, etc., so I know what you are trying to do.
After researching, it was found that UDP-based HTTP requests are not forwarded to TCP-based proxy services at all.
I am unable to register for the communication apps you mentioned.
Yes, it needs a UDP proxy, or you can do UDP over TCP to a proxy that supports this, or just tunnel it to a local UDP proxy. Did you check
https://mitmproxy.org/posts/releases/mitmproxy10/
They added support for HTTP/3.
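The bridge idea discussed above (detect HTTP/3 traffic on the UDP side and hand it to a QUIC-capable UDP/SOCKS5 proxy), as an added example; it is not cthulhuRs code or code from any of the linked projects. It assumes the bridge sees the raw UDP datagrams the browser sends, that a SOCKS5 UDP ASSOCIATE to the QUIC-capable proxy has already been negotiated (that TCP control handshake is not shown), and all type and function names here are made up for illustration. The first datagram of a flow is checked against the QUIC v1 client Initial rules from RFC 9000 and only then wrapped in the RFC 1928 UDP request header; DNS and other UDP is left on the existing path.

```rust
use std::net::SocketAddr;

/// QUIC long-header fields shared by every version (RFC 8999 invariants).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct QuicLongHeader {
    pub version: u32,
    /// Long Packet Type bits (0x30 of the first byte); 0 is Initial in QUIC v1.
    pub packet_type: u8,
    pub dcid: Vec<u8>,
    pub scid: Vec<u8>,
}

pub const QUIC_V1: u32 = 0x0000_0001;
/// Clients pad Initial datagrams to at least this size; servers drop smaller ones (RFC 9000 §14.1).
pub const MIN_INITIAL_DATAGRAM: usize = 1200;

/// Parse the version-independent long-header prefix. None for short-header packets and
/// for datagrams too short to carry the prefix. Matching the prefix alone is not proof of
/// QUIC (any UDP payload with the top bit set matches); `client_initial_dcid` adds the v1 rules.
pub fn parse_long_header(d: &[u8]) -> Option<QuicLongHeader> {
    if d.len() < 7 || d[0] & 0x80 == 0 {
        return None; // need first byte + version + DCID len + SCID len, Header Form bit set
    }
    let version = u32::from_be_bytes([d[1], d[2], d[3], d[4]]);
    let dcid_len = d[5] as usize;
    let dcid = d.get(6..6 + dcid_len)?.to_vec();
    let scid_len = *d.get(6 + dcid_len)? as usize;
    let scid = d.get(7 + dcid_len..7 + dcid_len + scid_len)?.to_vec();
    Some(QuicLongHeader { version, packet_type: (d[0] & 0x30) >> 4, dcid, scid })
}

/// If `d` is what a client sends to open an HTTP/3 connection (QUIC v1 Initial: Fixed Bit
/// set, padded to 1200 bytes, DCID of 8..=20 bytes per RFC 9000 §7.2 and §17.2), return the
/// Destination Connection ID the bridge should key the flow on.
pub fn client_initial_dcid(d: &[u8]) -> Option<Vec<u8>> {
    let h = parse_long_header(d)?;
    if h.version != QUIC_V1 || d[0] & 0x40 == 0 || h.packet_type != 0 {
        return None;
    }
    if d.len() < MIN_INITIAL_DATAGRAM || h.dcid.len() < 8 || h.dcid.len() > 20 {
        return None;
    }
    Some(h.dcid)
}

/// Destination for the SOCKS5 UDP header; the domain form lets the proxy resolve it.
pub enum Dst {
    Ip(SocketAddr),
    Domain(String, u16),
}

/// Prepend the SOCKS5 UDP request header (RFC 1928 §7): RSV RSV FRAG ATYP DST.ADDR DST.PORT.
/// FRAG is 0; QUIC keeps its own datagrams within the path MTU and never needs SOCKS fragmentation.
pub fn socks5_udp_encapsulate(dst: &Dst, payload: &[u8]) -> Option<Vec<u8>> {
    let mut out = vec![0x00, 0x00, 0x00];
    match dst {
        Dst::Ip(SocketAddr::V4(a)) => {
            out.push(0x01);
            out.extend_from_slice(&a.ip().octets());
            out.extend_from_slice(&a.port().to_be_bytes());
        }
        Dst::Ip(SocketAddr::V6(a)) => {
            out.push(0x04);
            out.extend_from_slice(&a.ip().octets());
            out.extend_from_slice(&a.port().to_be_bytes());
        }
        Dst::Domain(name, port) => {
            if name.is_empty() || name.len() > 255 {
                return None; // the name length travels in a single byte
            }
            out.push(0x03);
            out.push(name.len() as u8);
            out.extend_from_slice(name.as_bytes());
            out.extend_from_slice(&port.to_be_bytes());
        }
    }
    out.extend_from_slice(payload);
    Some(out)
}

/// Bridge decision for the first datagram of a UDP flow: a QUIC v1 client Initial is
/// wrapped for the QUIC-capable SOCKS5 proxy; anything else returns None (existing path).
pub fn bridge_first_datagram(dst: &Dst, d: &[u8]) -> Option<Vec<u8>> {
    client_initial_dcid(d)?;
    socks5_udp_encapsulate(dst, d)
}

/// Constructed sample (not captured traffic): a QUIC v1 Initial with an 8-byte DCID and no
/// SCID. Everything after the SCID length is encrypted payload irrelevant to routing, so it
/// is zero-filled up to the 1200-byte minimum.
pub fn sample_h3_initial() -> Vec<u8> {
    let mut d = vec![0xC0, 0x00, 0x00, 0x00, 0x01, 0x08];
    d.extend_from_slice(&[0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88]);
    d.push(0x00);
    d.resize(MIN_INITIAL_DATAGRAM, 0x00);
    d
}

/// Constructed sample: the first bytes of a plain DNS query (ID 0x1234, RD set, QDCOUNT 1).
pub const SAMPLE_DNS_QUERY: &[u8] = &[0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0];

fn main() {
    let dst = Dst::Domain("www.cloudflare.com".to_string(), 443);
    for (name, dgram) in [("h3 initial", sample_h3_initial()), ("dns query", SAMPLE_DNS_QUERY.to_vec())] {
        match bridge_first_datagram(&dst, &dgram) {
            Some(w) => println!("{name}: forward {} bytes to the QUIC proxy", w.len()),
            None => println!("{name}: not an HTTP/3 client Initial, leave on the existing path"),
        }
    }
}
```

Only the unencrypted long-header prefix is inspected; the packet payload is encrypted and is not parsed. Version Negotiation packets and QUIC v2 (a different version number with a different type encoding) parse as QUIC but are not bridged by `client_initial_dcid`, which is deliberate: the v1 Initial check is what tells HTTP/3 from other UDP.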
Which app works for you, but not QQ, because I can't register on it?
I use WeChat; 'lxs3451743380' is my account.
`2024-09-29 05:03:07 ERROR cthulhu::net_proxy::proxy::net: Failed to establish TLS connection: received fatal alert: CertificateUnknown,URI:www.googleapis.com:443 at src\net_proxy\proxy\net.rs:271`
I keep getting this error even when the site loads, but I keep getting warnings about the certificate and need to keep clicking OK or change settings in the browser so it does not show a warning about an invalid certificate. I think you can add a way to ignore the certificate check or always return it as valid; not sure. I tried to edit this but failed.
Also, there's another error: it does not support HTTP/3 and QUIC, which makes some sites fail to load. You are using an old version of hyper. I am trying to use a branch that supports QUIC like this https://github.com/djc/hyper/tree/quinn-h3 or to add https://crates.io/crates/quinn, but it is still not 100% working. I think if you can integrate it with HTTP/3 and QUIC, it will be more stable and reliable.