Published 2019-05-15 10:54:11
The article the OP gave lists some limitations and issues:
TLS 1.1 and 1.2 are not supported; this is a hard limitation introduced by the current state of the TLS implementation in the Mono framework. Therefore, Fiddler for Linux currently cannot use these protocols.
We can conclude that only TLS 1.0 is supported, which means that when curl connects directly to the server, it looks like this:
* Connected to pi.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
Obviously, they negotiated TLS 1.2 and HTTP/1.1. But when curl uses Mono Fiddler as a proxy, the result is different:
* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to pi.com:443
> CONNECT pi.com:443 HTTP/1.1
> Host: pi.com:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
< FiddlerGateway: Direct
< StartTime: 18:08:06.731
< Connection: close
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Client hello (1):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / AES256-SHA
* ALPN, server did not agree to a protocol
They use TLS 1.0 and, worse, HTTP/1.0. The scariest thing is that Chrome deprecated TLS 1.0 and TLS 1.1 starting from v72.0.xxx due to some security policy, so Chrome reports an SSL version mismatch.
SSL/TLS handshake properties are not available for Fiddler for Linux and currently cannot be displayed. This is a work in progress.
This causes SSL_ERROR_RX_MALFORMED_SERVER_HELLO when Firefox uses Mono Fiddler as a proxy.
https://askubuntu.com/questions/1028206
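One way to turn the two curl traces above into a mechanical downgrade check, as an added Python example that is not part of the original post: it parses the `* SSL connection using`, `* ALPN` and record-layer lines of `curl -v` output and compares the direct handshake with the proxied one. The embedded traces are shortened copies of the post's output, and the TLSv1.2 policy minimum is an assumption.

```python
import re

# Constructed, shortened copies of the two curl -v traces quoted in the post.
DIRECT = """\
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
"""
PROXIED = """\
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* SSL connection using TLSv1.0 / AES256-SHA
* ALPN, server did not agree to a protocol
"""

VERSION_RE = re.compile(r"^\* SSL connection using (TLSv[\d.]+) / (\S+)", re.M)
ALPN_RE = re.compile(r"^\* ALPN, server accepted to use (\S+)", re.M)
RECORD_RE = re.compile(r"^\* (TLSv[\d.]+) \((?:IN|OUT)\)", re.M)


def parse_curl_handshake(text):
    """Extract the negotiated version, cipher suite, ALPN result and the set of
    record-layer versions that appeared during the handshake."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'SSL connection using' line found")
    alpn = ALPN_RE.search(text)
    return {
        "version": m.group(1),
        "cipher": m.group(2),
        "alpn": alpn.group(1) if alpn else None,
        "record_versions": sorted(set(RECORD_RE.findall(text))),
    }


def _key(version):
    """'TLSv1.2' -> (1, 2) so versions compare numerically."""
    return tuple(int(x) for x in version[len("TLSv"):].split("."))


def downgrade_report(direct, proxied, minimum="TLSv1.2"):
    """Compare a direct handshake with one made through a proxy and list every
    way the proxied connection is weaker (assumed policy minimum: TLSv1.2)."""
    d, p = parse_curl_handshake(direct), parse_curl_handshake(proxied)
    findings = []
    if _key(p["version"]) < _key(d["version"]):
        findings.append(f"version downgraded {d['version']} -> {p['version']}")
    if _key(p["version"]) < _key(minimum):
        findings.append(f"{p['version']} is below policy minimum {minimum}")
    if "ECDHE" in d["cipher"] and "ECDHE" not in p["cipher"]:
        findings.append(f"forward secrecy lost: {d['cipher']} -> {p['cipher']}")
    if d["alpn"] and not p["alpn"]:
        findings.append("ALPN negotiation lost through proxy")
    return findings
```

Running `downgrade_report(DIRECT, PROXIED)` on the post's traces reports the version drop to TLSv1.0, the policy violation, the loss of an ECDHE suite and the lost ALPN agreement; an identical pair of traces yields an empty list.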