aws-samples / aws-iot-securetunneling-localproxy

AWS IoT Secure Tunneling local proxy reference C++ implementation
https://docs.aws.amazon.com/iot/latest/developerguide/what-is-secure-tunneling.html
Apache License 2.0

The latest localproxy does not work on HTTPS Webproxy #60

Closed yilin01 closed 3 years ago

yilin01 commented 3 years ago

Hi

I just compiled the Windows version and Mac version of localproxy with the latest changes. I tried the webproxy feature with tinyproxy. It works fine with an HTTP webproxy (export HTTPS_PROXY=http://tinyproxyIp:port) and localproxy -k. However, it does not work with an HTTPS webproxy (export HTTPS_PROXY=https://tinyproxyIp:port) and localproxy -c ./certs. I am getting the following error for both the Windows and Mac versions:

[2021-07-27T18:32:07.161458]{4019}[error] Could not perform SSL handshake with Web Proxy: wrong version number
[2021-07-27T18:32:07.161517]{4019}[error] Could not connect to proxy server: Failed to perform the SSL handshake with the Web proxy
[2021-07-27T18:32:09.675704]{4019}[info] Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.eu-west-1.amazonaws.com:443

I followed the Certificate setup instruction to download the cert from https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html#server-authentication-certs and use "c_rehash" to process it.

What does "wrong version number" mean? Can anyone help with this issue?

Thanks Yi

kareali commented 3 years ago

Hi @yilin01, wrong version number is an error message from openssl because it's failing to perform the TLS handshake, many things could cause that (maybe your webproxy is not configured properly to support TLS, maybe the data has been corrupted, an issue with the cert, app bug, ...etc).

Could you file a bug report as described here (especially the log output with the -v 6 flag) so that I can get a better idea of what is happening? I also have a couple of additional questions. Could you share the cert folder you're using? Does it contain the certificate for the web proxy as well, or just the cloud certificate? Are you sure that your web proxy supports TLS on the port you're using?

yilin01 commented 3 years ago

Thanks @kareali. The following is the log output with -v 6 (I masked the proxy IP address):

[2021-07-28T09:52:39.456623]{36761}[trace] Resolving Web proxy host: xx.xxx.xxx.xx
[2021-07-28T09:52:39.456717]{36761}[debug] Resolved Web proxy IP: xx.xxx.xxx.xx
[2021-07-28T09:52:39.456750]{36761}[trace] Establishing TCP connection with the Web Proxy
[2021-07-28T09:52:39.487710]{36761}[debug] Connected successfully with Web Proxy
[2021-07-28T09:52:39.487798]{36761}[trace] Calling lowest_layer with type: websocket_stream_double_ssl_type
[2021-07-28T09:52:39.521548]{36761}[error] Could not perform SSL handshake with Web Proxy: wrong version number
[2021-07-28T09:52:39.521642]{36761}[error] Could not connect to proxy server: Failed to perform the SSL handshake with the Web proxy
[2021-07-28T09:52:42.022437]{36761}[trace] Calling is_open with type: websocket_stream_double_ssl_type
[2021-07-28T09:52:42.022524]{36761}[trace] Calling lowest_layer with type: websocket_stream_double_ssl_type
[2021-07-28T09:52:42.022551]{36761}[trace] Calling lowest_layer with type: websocket_stream_double_ssl_type
[2021-07-28T09:52:42.037960]{36761}[trace] Calling control_callback with type: websocket_stream_double_ssl_type
[2021-07-28T09:52:42.038002]{36761}[info] Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.eu-west-1.amazonaws.com:443

Also please find the zipped cert folder. maccerts.zip

I think the issue might be related to the webproxy configuration. I am using tinyproxy, which is supposed to support the HTTP and HTTPS CONNECTION method. However, when I test it using the following commands (I masked out the IP):

export HTTPS_PROXY=https://xx.xxx.xxx.xx:8888
curl -I https://aws.amazon.com --proxy-insecure

I get the following error:

curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number

If I run the command with -v (curl -I -v https://aws.amazon.com --proxy-insecure) I get the following response (I masked out the webproxy IP with xx.xxx.xxx.xx):

I looked at the tinyproxy documentation and it states that it does support the CONNECT method. Here is part of the config for tinyproxy:

# ConnectPort: This is a list of ports allowed by tinyproxy when the
# CONNECT method is used. To disable the CONNECT method altogether, set
# the value to 0. If no ConnectPort line is found, all ports are
# allowed (which is not very secure.)

Do you think the issue is caused by the tinyproxy configuration? Do you have a recommendation for a different webproxy server that would solve this issue?

Thanks Yi
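The curl and localproxy errors above are the same failure seen twice: the client sends a TLS ClientHello to a port that answers in plaintext HTTP, and OpenSSL parses the first five bytes of "HTTP/1.0 400 ..." as a TLS record header (type 0x48, version 0x5454), which it rejects as "wrong version number". The following is an added example, not code from the issue participants or from the localproxy project: it starts a constructed local stand-in for a proxy port that does not speak TLS, reproduces the error offline, classifies the first bytes a server sends back, and maps the result to the HTTPS_PROXY scheme to use. The sample bytes, the stand-in listener and the function names are assumptions made for the example.

```python
import socket
import ssl
import threading
from typing import Optional

# Constructed samples (not from the issue): the first bytes a client sees from
# a port that really speaks TLS versus one that answers in plaintext HTTP.
TLS_SERVER_HELLO_HEAD = b"\x16\x03\x03\x00\x7a\x02\x00\x00\x76\x03\x03"  # handshake record, TLS 1.2, ServerHello
PLAINTEXT_HTTP_HEAD = b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def classify_first_bytes(data: bytes) -> str:
    """Say what kind of server answered, from the first bytes it sent.

    A TLS record starts with a content type (0x14-0x17) and a 0x03xx version.
    OpenSSL reads the same five bytes as a record header, so a reply that
    starts with "HTTP/" is seen as type 0x48, version 0x5454 and rejected
    with 'wrong version number'.
    """
    if (len(data) >= 5 and data[0] in (0x14, 0x15, 0x16, 0x17)
            and data[1] == 0x03 and data[2] <= 0x04):
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def _answer_in_plaintext(listener: socket.socket) -> None:
    """Accept one connection and reply like a plain HTTP proxy port that just got a TLS ClientHello."""
    conn, _ = listener.accept()
    with conn:
        try:
            conn.recv(4096)  # the ClientHello, which a plaintext proxy cannot parse
            conn.sendall(PLAINTEXT_HTTP_HEAD)
        except OSError:
            pass
    listener.close()


def start_plaintext_proxy_stand_in() -> int:
    """Start a local stand-in (assumption: behaves like a proxy listening without TLS); return its port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_answer_in_plaintext, args=(listener,), daemon=True).start()
    return listener.getsockname()[1]


def tls_handshake_reason(host: str, port: int) -> Optional[str]:
    """Attempt a TLS handshake to host:port; return OpenSSL's reason code on failure, None on success.

    Certificate verification is disabled on purpose: this probe only asks whether
    the port speaks TLS at all, which is the question behind 'wrong version number'.
    Do not reuse this context for the real connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except ssl.SSLError as err:
        return err.reason


def advise(reason: Optional[str]) -> str:
    """Turn the probe result into the configuration change to make."""
    if reason is None:
        return "port speaks TLS: HTTPS_PROXY=https://proxy:port is valid; check the cert directory next"
    if reason == "WRONG_VERSION_NUMBER":
        return "port speaks plaintext: use HTTPS_PROXY=http://proxy:port (CONNECT without TLS to the proxy)"
    return "handshake failed for another reason: " + reason


if __name__ == "__main__":
    port = start_plaintext_proxy_stand_in()
    reason = tls_handshake_reason("127.0.0.1", port)
    print(reason, "->", advise(reason))
```

Pointing tls_handshake_reason at a real proxy host and port (instead of the stand-in) answers kareali's question about whether the proxy supports TLS on that port before any certificate setup is touched; the error only says the port did not answer with a TLS record, not that the cert directory is wrong.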

kareali commented 3 years ago

@yilin01 Looks like a problem with tinyproxy. I'm not a proxy expert myself, so I don't have much to offer regarding configuring tinyproxy, but a quick look at their docs doesn't mention that it supports listening on TLS ports or provide a way to configure a tinyproxy cert (which would be a must if it supports TLS), so my guess would be that it's just not supported in tinyproxy.

http://tinyproxy.github.io/