3

我正在使用 Qt 编写 ssl 代理服务器。这是代码示例:

# header
class SslProxyServer : public QTcpServer
{
    Q_OBJECT
public:
    explicit SslProxyServer(quint16 port, QObject *parent = 0);

private slots:
    void onEncrypted();
    void onReadyRead();
    void onSslErrors(QList<QSslError> sslErrors);
    void onModeChanged(QSslSocket::SslMode sslMode);
    void onStateChanged(QAbstractSocket::SocketState socketState);
    void onError(QAbstractSocket::SocketError socketError);

protected:
    void incomingConnection(qintptr socketDescriptor);
};

# source
SslProxyServer::SslProxyServer(quint16 port, QObject *parent) : QTcpServer(parent)
{
    if (!listen(QHostAddress::Any, port)) {
        qDebug() << "Unable to start tcp server";
        return;
    }
    if (m_tcpServer->isListening()) {
        qDebug() << "Listening port" << m_tcpServer->serverPort();
    } else {
        qDebug() << "Not listening";
    }
}

void SslProxyServer::incomingConnection(qintptr socketDescriptor)
{
    qDebug() << "incomingConnection";

    QSslSocket *serverSocket = new QSslSocket(this);
    if (serverSocket->setSocketDescriptor(socketDescriptor)) {
        connect(serverSocket, SIGNAL(encrypted()), this, SLOT(onEncrypted()));
        connect(serverSocket, SIGNAL(readyRead()), this, SLOT(onReadyRead()));
        connect(serverSocket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(onSslErrors(QList<QSslError>)));
        connect(serverSocket, SIGNAL(modeChanged(QSslSocket::SslMode)), this, SLOT(onModeChanged(QSslSocket::SslMode)));
        connect(serverSocket, SIGNAL(stateChanged(QAbstractSocket::SocketState)), this, SLOT(onStateChanged(QAbstractSocket::SocketState)));
        connect(serverSocket, SIGNAL(error(QAbstractSocket::SocketError)), this, SLOT(onError(QAbstractSocket::SocketError)));

        QSslConfiguration sslConfiguration = serverSocket->sslConfiguration();

        // ...
        QSslCertificate cert(&certFile, QSsl::Pem);
        QSslKey key(&keyFile, QSsl::Rsa, QSsl::Pem);
        sslConfiguration.setPeerVerifyMode(QSslSocket::VerifyNone);
        sslConfiguration.setLocalCertificate(cert); // set domain cert
        sslConfiguration.setPrivateKey(key); // set domain key
        sslConfiguration.setProtocol(QSsl::AnyProtocol);
        // ...
        QSslCertificate caCert(&caCertFile, QSsl::Pem);
        sslConfiguration.setCaCertificates(QList<QSslCertificate>() << caCert); // add ca cert

        serverSocket->setSslConfiguration(sslConfiguration);

        serverSocket->startServerEncryption();
    } else {
        qDebug() << "Cannot set socket descriptor";
        delete serverSocket;
    }
}

void SslProxyServer::onEncrypted()
{
    qDebug() << "onEncrypted";
}

void SslProxyServer::onReadyRead()
{
    qDebug() << "onReadyRead";
}

void SslProxyServer::onSslErrors(QList<QSslError> sslErrors)
{
    qDebug() << "onSslErrors";
}

void SslProxyServer::onModeChanged(QSslSocket::SslMode sslMode)
{
    qDebug() << "onModeChanged(" << (int) sslMode << ")";
}

void SslProxyServer::onStateChanged(QAbstractSocket::SocketState socketState)
{
    qDebug() << "onStateChanged(" << (int) socketState << ")";
}

void SslProxyServer::onError(QAbstractSocket::SocketError socketError)
{
    qDebug() << "onError(" << (int) socketError << ")";

    QSslSocket *serverSocket = qobject_cast<QSslSocket *>(sender());
    qDebug() << serverSocket->errorString();
}

我已经生成了带有私钥的 CA 自签名证书,以及使用我的 CA 证书签名的特定域的另一个证书。在我将 CA 证书复制到/usr/local/share/ca-certificates并运行sudo update-ca-certificates. 但是当我尝试使用 3rd-party 应用程序连接到我的代理服务器时,我的服务器用作 https 代理,我得到 QAbstractSocket::SslHandshakeFailedError 错误,下一个输出:

Listening port 8888 
incomingConnection 
onModeChanged( 2 ) 
onError( 13 ) 
"Error during SSL handshake: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request" 
onStateChanged( 0 )

所以它甚至没有进入onReadyRead插槽。当我尝试使用 openssl 命令测试我的服务器时:openssl s_client -connect 127.0.0.1:8888 -debug- 它已成功连接到我的服务器。输出包含下一行:

verify error:num=19:self signed certificate in certificate chain
verify return:0
No client certificate CA names sent
---
SSL handshake has read 2667 bytes and written 439 bytes
Verify return code: 19 (self signed certificate in certificate chain)
---

但我可以将数据发送到我的服务器并在我的onReadyRead插槽中查看其原始值。

关于我的环境的一些信息:操作系统:Ubuntu 12.04 x86_64 Qt:5.2.1(GCC 4.6.1,64 位)

提前致谢,

4

1 回答 1

3

...当我尝试使用 3rd-party 应用程序连接到我的代理服务器时,我的服务器用作 https 代理

...当我尝试使用 openssl 命令测试我的服务器时: openssl s_client -connect 127.0.0.1:8888 -debug - 它已成功连接到我的服务器。

这些是不同的东西。使用您的 openssl 命令,您可以建立一个 TCP 连接,然后立即升级到 SSL。但是,https 代理的工作方式不同:它首先建立 TCP 连接,然后发出 HTTP CONNECT 命令,只有在从代理获得成功响应后,它才会将连接升级到 SSL,例如

- client to server
> CONNECT ip:port HTTP/1.0\r\n
> \r\n
- followed by server to client
< HTTP/1.0 200 connection established\r\n
< \r\n
... SSL handshake ...

并且由于客户端发送了一个 https 代理请求,但您希望 SSL 握手立即开始(即您希望收到 ClientHello 消息),因此失败并显示:

“SSL 握手期间出错:错误:1407609B:SSL 例程:SSL23_GET_CLIENT_HELLO:https 代理请求”

于 2014-08-31T13:56:29.437 回答