tls部分不管是否使用mtls都回显示客户端未提供证书的错误，但提供的证书用openssl可以成功连接

wangxin327 commented 5 months ago

客户端命令：./gost -L socks5://:1080 -F socks5://xxx.xxx.xxx.xxx:8889 服务端命令： ./gost -L socks5://:8889 logs： {"handler":"socks5","kind":"service","level":"info","listener":"tcp","msg":"listening on [::]:1080/tcp","service":"service-0","time":"2024-06-25T17:03:23.450+08:00"} {"handler":"socks5","kind":"handler","level":"info","listener":"tcp","local":"[::1]:1080","msg":"[::1]:56463 <> [::1]:1080","remote":"[::1]:56463","service":"service-0","time":"2024-06-25T17:03:26.804+08:00"} {"address":"220.181.38.150:80","connector":"socks5","dialer":"tcp","hop":"hop-0","kind":"connector","level":"error","local":"30.30.128.82:56464","msg":"remote error: tls: certificate required","network":"tcp","node":"node-0","remote":"xxx.xxx.xxx.xxx:8889","time":"2024-06-25T17:03:27.024+08:00"} {"handler":"socks5","kind":"handler","level":"error","listener":"tcp","msg":"route(retry=0) remote error: tls: certificate required","service":"service-0","time":"2024-06-25T17:03:27.024+08:00"} {"duration":220952250,"handler":"socks5","kind":"handler","level":"info","listener":"tcp","local":"[::1]:1080","msg":"[::1]:56463 >< [::1]:1080","remote":"[::1]:56463","service":"service-0","time":"2024-06-25T17:03:27.025+08:00"} {"handler":"socks5","kind":"service","level":"error","listener":"tcp","msg":"remote error: tls: certificate required","service":"service-0","time":"2024-06-25T17:03:27.025+08:00"} 服务端logs： {"handler":"socks5","kind":"service","level":"info","listener":"tcp","msg":"listening on [::]:1080/tcp","service":"service-0","time":"2024-06-25T17:03:23.450+08:00"} {"handler":"socks5","kind":"handler","level":"info","listener":"tcp","local":"[::1]:1080","msg":"[::1]:56463 <> [::1]:1080","remote":"[::1]:56463","service":"service-0","time":"2024-06-25T17:03:26.804+08:00"} {"address":"220.181.38.150:80","connector":"socks5","dialer":"tcp","hop":"hop-0","kind":"connector","level":"error","local":"30.30.128.82:56464","msg":"remote error: tls: certificate required","network":"tcp","node":"node-0","remote":"xxx.xxx.xxx.xxx:8889","time":"2024-06-25T17:03:27.024+08:00"} {"handler":"socks5","kind":"handler","level":"error","listener":"tcp","msg":"route(retry=0) remote error: tls: certificate required","service":"service-0","time":"2024-06-25T17:03:27.024+08:00"} {"duration":220952250,"handler":"socks5","kind":"handler","level":"info","listener":"tcp","local":"[::1]:1080","msg":"[::1]:56463 >< [::1]:1080","remote":"[::1]:56463","service":"service-0","time":"2024-06-25T17:03:27.025+08:00"} {"handler":"socks5","kind":"service","level":"error","listener":"tcp","msg":"remote error: tls: certificate required","service":"service-0","time":"2024-06-25T17:03:27.025+08:00"}

ginuerzh commented 5 months ago

服务端添加notls=true试试：

gost -L socks5://:8889?notls=true

wangxin327 commented 5 months ago

这样可以运行，但如果使用socks5+tls模式，不管是不是双向认证（mtls）都会出现类似错误，但我提供的证书用openssl的s_server和s_s_client测试过是可以正常连接的，所以应该不是证书的问题。可以帮忙排查一下吗？

wangxin327 commented 5 months ago

比如客户端命令：./gost -L socks5://:1080 -F socks5+tls://xxx.xxx.xxx.xxx:8889 服务端命令： ./gost -L socks5+tls://:8889产生的错误信息为{"handler":"socks5","kind":"service","level":"info","listener":"tls","msg":"listening on [::]:8889/tcp","service":"service-0","time":"2024-06-25T19:29:10.862+08:00"} {"handler":"socks5","kind":"handler","level":"info","listener":"tls","local":"172.20.45.225:8889","msg":"182.92.253.26:58684 <> 172.20.45.225:8889","remote":"182.92.253.26:58684","service":"service-0","time":"2024-06-25T19:29:21.876+08:00"} {"handler":"socks5","kind":"handler","level":"error","listener":"tls","local":"172.20.45.225:8889","msg":"tls: client didn't provide a certificate","remote":"182.92.253.26:58684","service":"service-0","time":"2024-06-25T19:29:21.925+08:00"} {"duration":49889813,"handler":"socks5","kind":"handler","level":"info","listener":"tls","local":"172.20.45.225:8889","msg":"182.92.253.26:58684 >< 172.20.45.225:8889","remote":"182.92.253.26:58684","service":"service-0","time":"2024-06-25T19:29:21.925+08:00"} {"handler":"socks5","kind":"service","level":"error","listener":"tls","msg":"tls: client didn't provide a certificate","service":"service-0","time":"2024-06-25T19:29:21.925+08:00"}

wangxin327 commented 5 months ago

客户端使用

services:
- name: service-0
  addr: :1080
  handler:
    type: socks5
    chain: chain-0
  listener:
    type: tcp
chains:
- name: chain-0
  hops:
  - name: hop-0
    nodes:
    - name: node-0
      addr: xxx.xxx.xxx.xxx:8889
      connector:
        type: socks5
      dialer:
        type: mtls
        tls:
          certFile: cert/client/client.crt
          keyFile: cert/client/client.key

服务端：

services:
- name: service-0
  addr: :8889
  handler:
    type: socks5
  listener:
    type: mtls
    tls:
      certFile: cert/server/server.crt
      keyFile: cert/server/server.key
      caFile: cert/server/ca.crt

已经验证证书可以用openssl正常连接，证书路径正确，有读写执行权限，但就是报错tls: client didn't provide a certificate

ginuerzh commented 5 months ago

我本地测试没有问题，如果你用的版本比较老可以更新到最新的nightly版本试试。

wangxin327 commented 5 months ago

服务端添加notls=true试试：
gost -L socks5://:8889?notls=true

请问这个错误可能的原因是什么？为什么关闭默认的协商加密会正常呢？

go-gost / gost

tls部分不管是否使用mtls都回显示客户端未提供证书的错误，但提供的证书用openssl可以成功连接 #514