hmgle / graftcp

A flexible tool for redirecting a given program's TCP traffic to SOCKS5 or HTTP proxy.
GNU General Public License v3.0

openssl error reported when connect to https #74

Closed ziyouchutuwenwu closed 1 month ago

ziyouchutuwenwu commented 1 month ago

Describe the bug A clear and concise description of what the bug is.

To Reproduce Steps to reproduce the behavior:

$ mgraftcp curl -I https://www.google.com
curl: (60) SSL: no alternative certificate subject name matches target hostname 'www.google.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

graftcp-local.conf

## graftcp-local configuration

## Listen address (default ":2233")
listen = :2233

## Write logs to file, to stdout if empty
# logfile = graftcp-local.log

## Log level (0-6), 0: debug, 1: info, 2: notice, 3: warn, 4: error,
## 5: critical, 6: fatal
loglevel = 1

## Pipe path for graftcp to send address info (default "/tmp/graftcplocal.fifo")
# pipepath = /tmp/graftcplocal.fifo

## SOCKS5 address (default "127.0.0.1:1080")
socks5 = 127.0.0.1:1080
http_proxy = 127.0.0.1:8118

## SOCKS5 proxy username (default "")
# socks5_username = SOCKS5USERNAME

## SOCKS5 proxy password (default "")
# socks5_password = SOCKS5PASSWORD

## HTTP proxy address (default "")
# http_proxy = 127.0.0.1:8080

## Set the mode for selecting a proxy (default "auto")
## "auto": select socks5 if socks5 is reachable, else HTTP proxy if HTTP proxy
##  is reachable, else direct.
## "random": select the reachable proxy randomly.
## "only_http_proxy": only use http proxy.
## "only_socks5": only use socks5 proxy.
## "direct": direct connect.
# select_proxy_mode = only_socks5
select_proxy_mode = only_http_proxy

## Use the system logger (syslog on Unix, Event Log on Windows)
## use_syslog = true

http config of privoxy

$ cat /etc/privoxy/config 
listen-address 0.0.0.0:8118
forward-socks5t / 127.0.0.1:1080 .

I try mgraftcp with curl, then get a different IP:

$ curl ipinfo.io/ip
218.90.xxx.xxx
$ mgraftcp curl ipinfo.io/ip
122.118.yyy.yyy

When I set the HTTP_PROXY and HTTPS_PROXY env variables:

HTTP_PROXY=http://127.0.0.1:8118
HTTPS_PROXY=http://127.0.0.1:8118
ALL_PROXY=socks5://127.0.0.1:1080
$ curl -I https://www.google.com
HTTP/1.1 200 Connection established

HTTP/2 200 
content-type: text/html; charset=ISO-8859-1
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-MnVwTkNsrFbip0Sd0nKa0w' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
accept-ch: Sec-CH-Prefers-Color-Scheme
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
date: Mon, 23 Sep 2024 03:07:32 GMT
server: gws
x-xss-protection: 0
x-frame-options: SAMEORIGIN
expires: Mon, 23 Sep 2024 03:07:32 GMT
cache-control: private
set-cookie: AEC=AVYB7crWZUvdIBNYQMmbkBH7hmkW4AU7-nwkGX88UgfM9cpWLSU_vhrwwg; expires=Sat, 22-Mar-2025 03:07:32 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
set-cookie: NID=517=Auk5jifZBvxZeSmRnu8osdNFqTMD6qyW0LPpZAuvq3ytHsU4BGDXEErexgeyEARmJ8I7fLa-7Jyt8e9u9GdKUDScUjdDIELVnq1T2kPFzWnY6spTq041MEIdhk4EZvyFkalZc9eal2nl27KncQcQuvQu67ol_qwnRdd-6eAIp2UDPUA0UeEfZtAQqnk-Rsk; expires=Tue, 25-Mar-2025 03:07:32 GMT; path=/; domain=.google.com; HttpOnly
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

Expected behavior: get the correct HTML from this command

$ mgraftcp curl -I https://www.google.com

hmgle commented 1 month ago

You can try mgraftcp --enable-debug-log --select_proxy_mode=only_http_proxy --http_proxy=127.0.0.1:8118 curl -v -I https://www.google.com and check the logs.

ziyouchutuwenwu commented 1 month ago

$ env | grep PROXY
GOPROXY=https://goproxy.cn

mmc at manjaro in ~ (dev_env) 
$ mgraftcp --enable-debug-log --select_proxy_mode=only_http_proxy --http_proxy=127.0.0.1:8118 curl -v -I https://www.google.com
[2024-09-24 08:20:20] [INFO] graftcp-local start listening :0...
* Host www.google.com:443 was resolved.
* IPv6: 2001::1
* IPv4: 199.59.148.96
*   Trying 199.59.148.96:443...
* Connected to www.google.com (199.59.148.96) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
[2024-09-24 08:20:20] [INFO] Request PID: 2503, Source Addr: 127.0.0.1:60636, Dest Addr: 199.59.148.96:443
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443 
* closing connection #0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443 
[2024-09-24 08:20:30] [ERROR] accept err: accept tcp [::]:34129: use of closed network connection

mmc at manjaro in ~ (dev_env) 
$ pon

mmc at manjaro in ~ (dev_env) 
$ env | grep PROXY                                                                                                             
GOPROXY=https://goproxy.cn
HTTP_PROXY=http://127.0.0.1:8118
HTTPS_PROXY=http://127.0.0.1:8118
ALL_PROXY=socks5://127.0.0.1:1080

mmc at manjaro in ~ (dev_env) 
$ curl -v -I https://www.google.com
* Uses proxy env variable HTTPS_PROXY == 'http://127.0.0.1:8118'
*   Trying 127.0.0.1:8118...
* Connected to 127.0.0.1 (127.0.0.1) port 8118
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/8.9.1
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
HTTP/1.1 200 Connection established
< 

* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=www.google.com
*  start date: Aug 26 07:15:49 2024 GMT
*  expire date: Nov 18 07:15:48 2024 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Google Trust Services; CN=WR2
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://www.google.com/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: www.google.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.9.1]
* [HTTP/2] [1] [accept: */*]
> HEAD / HTTP/2
> Host: www.google.com
> User-Agent: curl/8.9.1
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200 
HTTP/2 200 
< content-type: text/html; charset=ISO-8859-1
content-type: text/html; charset=ISO-8859-1
< content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-Ikf-CfNkZvqxsXdAqGmhcQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-Ikf-CfNkZvqxsXdAqGmhcQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< accept-ch: Sec-CH-Prefers-Color-Scheme
accept-ch: Sec-CH-Prefers-Color-Scheme
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< date: Tue, 24 Sep 2024 00:20:50 GMT
date: Tue, 24 Sep 2024 00:20:50 GMT
< server: gws
server: gws
< x-xss-protection: 0
x-xss-protection: 0
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< expires: Tue, 24 Sep 2024 00:20:50 GMT
expires: Tue, 24 Sep 2024 00:20:50 GMT
< cache-control: private
cache-control: private
< set-cookie: AEC=AVYB7cohetqkF7XXXh0DZPseYwwNK-yI4jrA-0c3UwNAfQ981HG4r0tF8A; expires=Sun, 23-Mar-2025 00:20:50 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
set-cookie: AEC=AVYB7cohetqkF7XXXh0DZPseYwwNK-yI4jrA-0c3UwNAfQ981HG4r0tF8A; expires=Sun, 23-Mar-2025 00:20:50 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
< set-cookie: NID=517=ltgjlTiGouvL8S5oqItPeodxe-sadTMMmaEOMdB7uq2y3ml7B68KQKeZLTzDR02MjuXb4sNGPPw_R3BqGfAi3gT2iXdWA86qLJbGi8oEzOVybh_-rfSj5SEz-x3cqFonNIaM7jXRa3D-3CrdMZaqNhkfgG5E64iDXC3GJPvnfV7bEM_cmckuv2Tl5MTOLgZ9; expires=Wed, 26-Mar-2025 00:20:50 GMT; path=/; domain=.google.com; HttpOnly
set-cookie: NID=517=ltgjlTiGouvL8S5oqItPeodxe-sadTMMmaEOMdB7uq2y3ml7B68KQKeZLTzDR02MjuXb4sNGPPw_R3BqGfAi3gT2iXdWA86qLJbGi8oEzOVybh_-rfSj5SEz-x3cqFonNIaM7jXRa3D-3CrdMZaqNhkfgG5E64iDXC3GJPvnfV7bEM_cmckuv2Tl5MTOLgZ9; expires=Wed, 26-Mar-2025 00:20:50 GMT; path=/; domain=.google.com; HttpOnly
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< 

* Connection #0 to host 127.0.0.1 left intact

hmgle commented 1 month ago

  • Host www.google.com:443 was resolved.
  • IPv6: 2001::1
  • IPv4: 199.59.148.96
  • Trying 199.59.148.96:443...
  • Connected to www.google.com (199.59.148.96) port 443

This IP (199.59.148.96) is not Google's; it is likely a polluted DNS resolution result.
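
An added example, not part of the original thread or of graftcp: a small parser over `curl -v` output that tells whether curl connected to an address from its own resolver (as in the mgraftcp run) or sent the hostname to the proxy in a CONNECT request (as in the HTTPS_PROXY run). The sample traces are abridged from the two runs above, and the function names are illustrative.

```python
import re

# Constructed samples, abridged from the two `curl -v` traces in this thread.
VIA_MGRAFTCP = """\
* Host www.google.com:443 was resolved.
* IPv6: 2001::1
* IPv4: 199.59.148.96
*   Trying 199.59.148.96:443...
* Connected to www.google.com (199.59.148.96) port 443
"""
VIA_HTTPS_PROXY = """\
* Uses proxy env variable HTTPS_PROXY == 'http://127.0.0.1:8118'
*   Trying 127.0.0.1:8118...
* Connected to 127.0.0.1 (127.0.0.1) port 8118
> CONNECT www.google.com:443 HTTP/1.1
"""

RESOLVED = re.compile(r"^\* Host (\S+?):\d+ was resolved\.")
ANSWERS = re.compile(r"^\* IPv[46]: (.+)$")
CONNECTED = re.compile(r"^\* Connected to \S+ \(([^)]+)\) port \d+")
CONNECT_REQ = re.compile(r"^> CONNECT (\S+?):\d+ HTTP/")

def resolution_path(trace):
    """Summarise who turned the target hostname into an address."""
    info = {"resolver": "unknown", "target": None, "answers": [], "peer": None}
    for line in trace.splitlines():
        if m := RESOLVED.match(line):
            info["target"], info["resolver"] = m.group(1), "local"
        elif m := ANSWERS.match(line):
            # curl lists addresses comma-separated, or "(none)" for no answer
            info["answers"] += [a.strip() for a in m.group(1).split(",")
                                if a.strip() != "(none)"]
        elif m := CONNECTED.match(line):
            info["peer"] = m.group(1)
        elif m := CONNECT_REQ.match(line):
            # The hostname goes to the proxy, so the lookup happens on the proxy side
            info["target"], info["resolver"] = m.group(1), "proxy"
    return info

def dialled_local_answer(trace):
    """True when curl connected to an address its own resolver returned."""
    info = resolution_path(trace)
    return info["resolver"] == "local" and info["peer"] in info["answers"]

if __name__ == "__main__":
    for name, trace in (("mgraftcp", VIA_MGRAFTCP), ("HTTPS_PROXY", VIA_HTTPS_PROXY)):
        print(name, resolution_path(trace), dialled_local_answer(trace))
```

When `dialled_local_answer` is true, the destination came from local DNS, so compare that address with the answer from a resolver you trust before investigating the TLS error itself.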