I have set up a web server on a Tencent Cloud server. However, since I have not filed the website with the government, accessing port 443 of the server through the domain name is blocked, and the Chromium browser displays a TCP RST.
But if I don't use the domain name and access the server by IP address instead, then apart from the SSL certificate verification failing (because my certificate is a domain-name certificate), I can reach the server normally.
I know that any connection by domain name first needs to query DNS to obtain an IP address, and then uses that IP to reach the server. My domain name resolution is normal, and the correct IP is obtained.
I tried to use OpenSSL to simulate Chromium's request; the main code is as follows:
Query DNS:
#include <netdb.h>          // gethostbyname, hostent
#include <netinet/in.h>     // sockaddr_in, in_addr
#include <sys/socket.h>     // socket, connect
#include <arpa/inet.h>      // htons
#include <cstdio>
#include <cstring>
#include <openssl/ssl.h>
#include <openssl/err.h>
// log_err is assumed to be a FILE* that the rest of the program opened for error output.
hostent *host = gethostbyname("www.example.com");
if (!host) {
    fprintf(log_err, "DNS lookup failed.\n");
    return 1;
}
in_addr ip;
memcpy(&(ip.s_addr), host->h_addr_list[0], host->h_length); // first A record
Create socket:
const int sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0) {
    fprintf(log_err, "socket() failed.\n");
    return 1;
}
sockaddr_in sock_address;
memset(&sock_address, 0, sizeof(sock_address)); // clear sin_zero / padding
sock_address.sin_family = AF_INET;
sock_address.sin_port = htons(443);
sock_address.sin_addr = ip;
int error = connect(sock, (sockaddr *) &sock_address, sizeof(sock_address));
if (error) {
    fprintf(log_err, "The socket connection failed.\n");
    return 1;
}
SSL handshake:
// Explicit initialisation; OpenSSL 1.1.x does this automatically, calling it is harmless
SSL_library_init();
ERR_load_crypto_strings();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
// SSLv23_client_method() is the legacy name for TLS_client_method(): negotiate the highest TLS version
const SSL_METHOD *sslMethod = SSLv23_client_method();
SSL_CTX *sslCtx = SSL_CTX_new(sslMethod);
if (!sslCtx) {
    fprintf(log_err, "SSL_CTX_new failed\n");
    ERR_print_errors_fp(log_err);
    return 1;
}
SSL *ssl = SSL_new(sslCtx);
if (!ssl) {
    fprintf(log_err, "ssl handle creation failed.\n");
    ERR_print_errors_fp(log_err);
    return 1;
}
SSL_set_fd(ssl, sock);
// Note: SSL_set_tlsext_host_name() is never called, so this ClientHello carries no SNI extension,
// and the peer certificate is not verified (SSL_VERIFY_NONE is the SSL_CTX default).
if (SSL_connect(ssl) != 1) {
    fprintf(log_err, "SSL_connect failed.\n");
    ERR_print_errors_fp(log_err);
    return 1;
}
send http header:
// Each header line is written as its own TLS record; the empty line terminates the request
const char *head_line = "GET / HTTP/1.1\r\n";
SSL_write(ssl, head_line, (int) strlen(head_line));
head_line = "Host: www.example.com:443\r\n";
SSL_write(ssl, head_line, (int) strlen(head_line));
head_line = "Connection: keep-alive\r\n";
SSL_write(ssl, head_line, (int) strlen(head_line));
head_line = "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\n";
SSL_write(ssl, head_line, (int) strlen(head_line));
head_line = "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\r\n";
SSL_write(ssl, head_line, (int) strlen(head_line));
head_line = "\r\n";
SSL_write(ssl, head_line, (int) strlen(head_line));
The above code can access my web server normally.
Here is some environment information:
openssl version: OpenSSL 1.1.1k 25 Mar 2021
system: Linux 5.10.59-1-MANJARO #1 SMP PREEMPT Sun Aug 15 13:11:32 UTC 2021 x86_64 GNU/Linux
Chromium version: 92.0.4515.159 (release) Arch Linux (64-bit)
I want to know whether there is any way to intercept only port 443 accessed through the domain name, without affecting IP access to port 443.
In theory my simulation code should access my web server in the same way as Chromium, performing the same operations, so why does one succeed and the other fail?
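Added example, not part of the post: Chromium places the hostname in the SNI extension of its TLS ClientHello, whereas the OpenSSL code above never calls SSL_set_tlsext_host_name and so sends a ClientHello without SNI, which is the only field a name-based filter can key on before the connection is encrypted. The script below generates both ClientHellos in memory with Python's standard ssl module (no network) and parses the server_name out of each, the same check such a filter performs. It assumes an OpenSSL-backed Python 3 and uses www.example.com as in the post.

```python
import ssl
import struct

def build_client_hello(server_hostname):
    """Return the raw TLS ClientHello OpenSSL emits for a client that either
    sets SNI (server_hostname given) or leaves it unset (None), as the post's
    code does. The handshake runs against in-memory BIOs and stops after the
    first flight, so nothing touches the network."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # needed to allow server_hostname=None
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for ServerHello
    return outgoing.read()

def extract_sni(client_hello):
    """Parse a TLS record carrying a ClientHello and return the host_name from
    the server_name extension (RFC 6066), or None if it is absent."""
    rec_type, _ver, rec_len = struct.unpack_from("!BHH", client_hello, 0)
    if rec_type != 0x16:
        raise ValueError("not a TLS handshake record")
    body = client_hello[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                             # msg type + 3-byte length
    pos += 2 + 32                                       # client_version + random
    pos += 1 + body[pos]                                # legacy_session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos >= len(body):
        return None                                     # no extensions block
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == 0:  # server_name: list len (2), name_type (1), name len (2), name
            name_len = struct.unpack_from("!H", body, pos + 3)[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_size
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))  # www.example.com
    print(extract_sni(build_client_hello(None)))               # None
```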