sagebind / isahc

The practical HTTP client that is fun to use.
https://docs.rs/isahc
MIT License

How to use TLS 1.3 with HTTP/2? version `isahc = { version = "1.7.2" }` #455

Open addame2 opened 1 month ago

addame2 commented 1 month ago

When I use this lib I can see it connecting with TLS 1.2; here are the logs

Host: global.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
Access-Control-Request-Method: POST
Access-Control-Request-Headers: clientsource,route
Origin: https://global.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-Fetch-Dest: empty
Referer: https://global.com/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-GB,en;q=0.9

[2024-10-07 21:14:32][DEBUG] Connected to 45.76.88.173 (45.76.88.173) port 2333
[2024-10-07 21:14:32][DEBUG] Host global.com:443 was resolved.
[2024-10-07 21:14:32][DEBUG] IPv6: (none)
[2024-10-07 21:14:32][DEBUG] IPv4: 172.64.150.207, 104.18.37.49
[2024-10-07 21:14:32][DEBUG] SOCKS5 connect to 172.64.150.207:443 (locally resolved)
[2024-10-07 21:14:32][DEBUG] SOCKS5 request granted.
[2024-10-07 21:14:32][DEBUG] Connected to 45.76.88.173 (45.76.88.173) port 2333
[2024-10-07 21:14:32][DEBUG] ALPN: curl offers h2,http/1.1
[2024-10-07 21:14:34][DEBUG] using HTTP/2
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] OPENED stream for https://global.com/user/login
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [:method: OPTIONS]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [:scheme: https]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [:authority: global.com]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [:path: /user/login]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [accept-encoding: deflate, gzip]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [pragma: no-cache]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [cache-control: no-cache]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [accept: */*]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [access-control-request-method: POST]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [access-control-request-headers: clientsource,route]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [origin: https://global.com]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [sec-fetch-mode: cors]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [sec-fetch-site: same-site]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [sec-fetch-dest: empty]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [referer: https://global.com/]
[2024-10-07 21:14:34][DEBUG] [HTTP/2] [1] [accept-language: en-GB,en;q=0.9]
[2024-10-07 21:14:34][DEBUG] Request completely sent off
Status: 200 OK
date: "Mon, 07 Oct 2024 18:14:35 GMT"
content-type: "application/json"
[2024-10-07 21:14:35][DEBUG] Connection #0 to host 45.76.88.173 left intact
content-length: "3"
x-amzn-trace-id: "Root=1-6704250b-6bd0b8a76b956d6a14425235"
x-amzn-requestid: "553de43e-8b0f-426a-800e-9f129cbdce7c"
x-amz-apigw-id: "fSq5yEqXrPEEJtQ="
x-amz-cf-pop: "MRS52-C1"
x-amz-cf-pop: "MRS52-P4"
via: "1.1 6539a76bb06cb86ff6a4a036edfec006.cloudfront.net (CloudFront), 1.1 b2e1326b370630a6e99a66735129eb18.cloudfront.net (CloudFront)"
x-cache: "Miss from cloudfront"
x-amz-cf-id: "m37OZ_lhBFdfJ8GbAThympss7JJKuDbETtHWpeWl-TTEuEar7e_R8Q=="
x-xss-protection: "1; mode=block"
x-frame-options: "DENY"
referrer-policy: "strict-origin-when-cross-origin"
content-security-policy: "upgrade-insecure-requests;"
x-content-type-options: "nosniff"
strict-transport-security: "max-age=31536000; includeSubDomains; preload"
cache-control: "no-cache,no-store,must-revalidate"
access-control-allow-credentials: "true"
access-control-allow-origin: "https://global.com"
access-control-allow-methods: "POST,OPTIONS,GET"
vary: "Access-Control-Request-Method"
vary: "Origin"
vary: "Access-Control-Request-Headers"
access-control-max-age: "600"
access-control-allow-headers: "clientsource,route"
cf-cache-status: "DYNAMIC"
set-cookie: "__cf_bm=OY2LjzwWbNHLfzm9uUyxEAzKv6fSxnAoZYaR4W5WUK0-1728324875-1.0.1.1-oLELLU0IER3jd4JEAziB.09CDAalXoqETAe02crCUDLHwGMPkgQL2kfju6KDe4YdUy4UosZceJJE57TTvZgG5Q; path=/; expires=Mon, 07-Oct-24 18:44:35 GMT; domain=.global.com; HttpOnly; Secure; SameSite=None"
set-cookie: "_cfuvid=8OLwrt5IwUTv9AJYv..BaeYsqQSUIoLsxri3cgLS26o-1728324875217-0.0.1.1-604800000; path=/; domain=.global.com; HttpOnly; Secure; SameSite=None"
server: "cloudflare"
cf-ray: "8cefdf245f2140e3-SIN"

but when I use a plain Command::new("curl") I can see it using HTTP/2 and TLSv1.3

use std::process::Command; // spawns the system curl binary

let mut curl_command = Command::new("curl");
curl_command
    .arg("--keepalive-time")
    .arg("120")
    .arg("--verbose");

* IPv6: (none)
* IPv4: ip
*   Trying 104.18.37.49:443...
* Connected to global.com() port 443
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2871 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
} [5 bytes data]
* using HTTP/2
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* [HTTP/2] [1] OPENED stream for https://global.com/user/login
} [5 bytes data]
> Host: global.com
> authority: global.com
> Accept: application/json, text/plain, */*
> Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
> Cache-Control: no-cache
> Priority: u=1, i
> Accept-Encoding: gzip, deflate, br, zstd
> Content-Type: application/x-www-form-urlencoded
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.3
> sec-ch-ua: "Google Chrome";v="127", "Chromium";v="127", ";Not A Brand";v="24"
> sec-ch-ua-mobile: ?0
> sec-ch-ua-platform: Linux
> Content-Length: 1114

here is my current code

    // Imports assumed from context; they were not shown in the original comment.
    use anyhow::Context;
    use isahc::{config::VersionNegotiation, http::Uri, HttpClient as IsahcHttpClient};
    use tokio::time::Duration as TokioDuration;

    let proxy_url: Uri = proxy
        .parse()
        .context("Failed to parse proxy URL")?;

    let isahc_client = IsahcHttpClient::builder()
        .version_negotiation(VersionNegotiation::http2())
        .tcp_keepalive(TokioDuration::from_secs(300))
        .timeout(TokioDuration::from_secs(60)) // Example of setting a request timeout
        .proxy(proxy_url)
        .build()?;

sagebind commented 1 month ago

There's not currently a way to specify which TLS version to use, however this is something that I believe is already implemented in the version 2 branch (currently on hold).

It is also worth noting that Isahc uses libcurl, and not the curl command, so in a way, Isahc and the curl command are both equally consumers of libcurl.

It could very well be just differences in which libcurl version is being used. Isahc by default uses a bundled libcurl and not the one installed on your system. I would check to see which versions of libcurl are being used in both places. You can see the libcurl version used by Isahc by checking the return value of version.

You can also disable the static-curl default crate feature to get Isahc to link to your system-wide libcurl, which might behave more similarly to the curl command.

addame2 commented 1 month ago

@sagebind thanks for the quick reply

Isahc version: isahc/1.7.2 (features:default,encoding-rs,http2,mime,static-curl,text-decoding) libcurl/8.9.0-DEV SecureTransport zlib/1.2.12 nghttp2/1.61.0

but I will run my code in Docker, so it is more important that my Docker container runs TLS 1.3 than that my MacBook does

How can I disable static-curl?

I have tried this: isahc = { version = "1.7.2", default-features = false, features = ["http2", "mime", "text-decoding"] }, still the same

thanks, this WORKS: isahc = { version = "1.7.2", default-features = false, features = ["http2", "mime", "text-decoding"] }

[2024-10-08 09:04:43][DEBUG] ALPN: curl offers h2,http/1.1
[2024-10-08 09:04:43][DEBUG]  CAfile: /etc/ssl/cert.pem
[2024-10-08 09:04:43][DEBUG]  CApath: none
[2024-10-08 09:04:43][DEBUG] (304) (OUT), TLS handshake, Client hello (1):
[2024-10-08 09:04:45][DEBUG] (304) (IN), TLS handshake, Server hello (2):
[2024-10-08 09:04:45][DEBUG] (304) (IN), TLS handshake, Unknown (8):
[2024-10-08 09:04:45][DEBUG] (304) (IN), TLS handshake, Certificate (11):
[2024-10-08 09:04:45][DEBUG] (304) (IN), TLS handshake, CERT verify (15):
[2024-10-08 09:04:45][DEBUG] (304) (IN), TLS handshake, Finished (20):
[2024-10-08 09:04:45][DEBUG] (304) (OUT), TLS handshake, Finished (20):
[2024-10-08 09:04:45][DEBUG] SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
[2024-10-08 09:04:45][DEBUG] ALPN: server accepted h2
[2024-10-08 09:04:45][DEBUG] Server certificate:
[2024-10-08 09:04:45][DEBUG]  start date: Feb 24 00:00:00 2024 GMT
[2024-10-08 09:04:45][DEBUG]  expire date: Feb 25 23:59:59 2025 GMT
[2024-10-08 09:04:45][DEBUG]  subjectAltName: host "global.com" matched cert's "*.global.com"
[2024-10-08 09:04:45][DEBUG]  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GTrust TLS RSA CA G1
[2024-10-08 09:04:45][DEBUG]  SSL certificate verify ok.
[2024-10-08 09:04:45][DEBUG] using HTTP/2

For Docker, do I need to add something?

addame2 commented 3 weeks ago

The SSL connection should be this: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS

but I am getting this: SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF

@sagebind can you help me? I am a little bit confused.

SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
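An added example, not from this issue or the isahc project: a small std-only Rust parser for the libcurl verbose "SSL connection using ..." line quoted above, so a test or log check can confirm that a session actually negotiated TLS 1.3 regardless of which libcurl build produced the log. Both lines in the last comment parse as TLS 1.3; they differ only in the negotiated AEAD cipher suite and in whether the TLS backend reports the key-exchange group and signature algorithm (the "[blank]" and "UNDEF" placeholders). The struct and function names are my own.

```rust
// Added example, not part of isahc or this issue. Parses libcurl's
// "SSL connection using <version> / <cipher> / <group> / <sigalg>" line as
// printed both by the curl CLI ("* SSL connection ...") and by the
// "[ts][DEBUG] SSL connection ..." lines in isahc's tracing output above.
#[derive(Debug, PartialEq)]
pub struct TlsInfo {
    pub version: String,
    pub cipher: String,
    pub group: Option<String>,   // None when the backend prints "[blank]"
    pub sig_alg: Option<String>, // None when the backend prints "UNDEF"
}

const MARKER: &str = "SSL connection using ";

/// Placeholders some TLS backends print instead of a real value.
fn unreported(s: &str) -> bool {
    matches!(s, "" | "[blank]" | "UNDEF")
}

/// Extract the negotiated TLS parameters from one verbose-log line, or None
/// if the line is not the "SSL connection using" line.
pub fn parse_ssl_line(line: &str) -> Option<TlsInfo> {
    let rest = &line[line.find(MARKER)? + MARKER.len()..];
    let mut parts = rest.split(" / ").map(str::trim);
    let version = parts.next()?.to_string();
    let cipher = parts.next()?.to_string();
    // TLS 1.2 builds print only version and cipher; newer builds add the
    // group and signature algorithm, possibly as placeholders.
    let group = parts.next().filter(|s| !unreported(s)).map(String::from);
    let sig_alg = parts.next().filter(|s| !unreported(s)).map(String::from);
    Some(TlsInfo { version, cipher, group, sig_alg })
}

/// Scan a whole verbose log for the first "SSL connection using" line.
pub fn negotiated_tls(log: &str) -> Option<TlsInfo> {
    log.lines().find_map(parse_ssl_line)
}

/// True only if the log records a TLS 1.3 session.
pub fn is_tls13(log: &str) -> bool {
    negotiated_tls(log).map_or(false, |info| info.version == "TLSv1.3")
}
```

The "(304)" in the handshake lines of the second log is consistent with the raw protocol version 0x0304, which is the TLS 1.3 version number, so those lines and the "SSL connection using TLSv1.3" line agree.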