Search code examples
c++qtsslproxyman-in-the-middle

Failed SSL handshake with ssl server written on Qt 5.2.1

I am writing ssl proxy server using Qt. Here is code sample:

# header
class SslProxyServer : public QTcpServer
{
    Q_OBJECT
public:
    explicit SslProxyServer(quint16 port, QObject *parent = 0);

private slots:
    void onEncrypted();
    void onReadyRead();
    void onSslErrors(QList<QSslError> sslErrors);
    void onModeChanged(QSslSocket::SslMode sslMode);
    void onStateChanged(QAbstractSocket::SocketState socketState);
    void onError(QAbstractSocket::SocketError socketError);

protected:
    void incomingConnection(qintptr socketDescriptor);
};

# source
SslProxyServer::SslProxyServer(quint16 port, QObject *parent) : QTcpServer(parent)
{
    if (!listen(QHostAddress::Any, port)) {
        qDebug() << "Unable to start tcp server";
        return;
    }
    if (m_tcpServer->isListening()) {
        qDebug() << "Listening port" << m_tcpServer->serverPort();
    } else {
        qDebug() << "Not listening";
    }
}

void SslProxyServer::incomingConnection(qintptr socketDescriptor)
{
    qDebug() << "incomingConnection";

    QSslSocket *serverSocket = new QSslSocket(this);
    if (serverSocket->setSocketDescriptor(socketDescriptor)) {
        connect(serverSocket, SIGNAL(encrypted()), this, SLOT(onEncrypted()));
        connect(serverSocket, SIGNAL(readyRead()), this, SLOT(onReadyRead()));
        connect(serverSocket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(onSslErrors(QList<QSslError>)));
        connect(serverSocket, SIGNAL(modeChanged(QSslSocket::SslMode)), this, SLOT(onModeChanged(QSslSocket::SslMode)));
        connect(serverSocket, SIGNAL(stateChanged(QAbstractSocket::SocketState)), this, SLOT(onStateChanged(QAbstractSocket::SocketState)));
        connect(serverSocket, SIGNAL(error(QAbstractSocket::SocketError)), this, SLOT(onError(QAbstractSocket::SocketError)));

        QSslConfiguration sslConfiguration = serverSocket->sslConfiguration();

        // ...
        QSslCertificate cert(&certFile, QSsl::Pem);
        QSslKey key(&keyFile, QSsl::Rsa, QSsl::Pem);
        sslConfiguration.setPeerVerifyMode(QSslSocket::VerifyNone);
        sslConfiguration.setLocalCertificate(cert); // set domain cert
        sslConfiguration.setPrivateKey(key); // set domain key
        sslConfiguration.setProtocol(QSsl::AnyProtocol);
        // ...
        QSslCertificate caCert(&caCertFile, QSsl::Pem);
        sslConfiguration.setCaCertificates(QList<QSslCertificate>() << caCert); // add ca cert

        serverSocket->setSslConfiguration(sslConfiguration);

        serverSocket->startServerEncryption();
    } else {
        qDebug() << "Cannot set socket descriptor";
        delete serverSocket;
    }
}

void SslProxyServer::onEncrypted()
{
    qDebug() << "onEncrypted";
}

void SslProxyServer::onReadyRead()
{
    qDebug() << "onReadyRead";
}

void SslProxyServer::onSslErrors(QList<QSslError> sslErrors)
{
    qDebug() << "onSslErrors";
}

void SslProxyServer::onModeChanged(QSslSocket::SslMode sslMode)
{
    qDebug() << "onModeChanged(" << (int) sslMode << ")";
}

void SslProxyServer::onStateChanged(QAbstractSocket::SocketState socketState)
{
    qDebug() << "onStateChanged(" << (int) socketState << ")";
}

void SslProxyServer::onError(QAbstractSocket::SocketError socketError)
{
    qDebug() << "onError(" << (int) socketError << ")";

    QSslSocket *serverSocket = qobject_cast<QSslSocket *>(sender());
    qDebug() << serverSocket->errorString();
}

I've generated CA self-signed certificate with private key, and another certificate for specific domain, which I signed with my CA certificate. After I copy CA certificate to /usr/local/share/ca-certificates and run sudo update-ca-certificates. But when I try to connect to my proxy server using 3rd-party app, where my server used as https proxy I get QAbstractSocket::SslHandshakeFailedError error with next output:

Listening port 8888 
incomingConnection 
onModeChanged( 2 ) 
onError( 13 ) 
"Error during SSL handshake: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request" 
onStateChanged( 0 )

So it does not even enter in onReadyRead slot. When I try to test my server using openssl command: openssl s_client -connect 127.0.0.1:8888 -debug - it is successfully connected to my server. Output contains next lines:

verify error:num=19:self signed certificate in certificate chain
verify return:0
No client certificate CA names sent
---
SSL handshake has read 2667 bytes and written 439 bytes
Verify return code: 19 (self signed certificate in certificate chain)
---

but I can send data to my server and see its raw value in my onReadyRead slot.

Some info about my env: OS: Ubuntu 12.04 x86_64 Qt: 5.2.1 (GCC 4.6.1, 64 bits)

Thanks in advance,

Solution

  • ... when I try to connect to my proxy server using 3rd-party app, where my server used as https proxy

    ... When I try to test my server using openssl command: openssl s_client -connect 127.0.0.1:8888 -debug - it is successfully connected to my server.

    These are different things. With your openssl command you establish a TCP connection which you immediately upgrade to SSL. But, an https proxy works differently: it first establishes a TCP connection, then issues a HTTP CONNECT command and only once it gets a successful response from the proxy it upgrades the connection to SSL, e.g.

    - client to server
> CONNECT ip:port HTTP/1.0\r\n
> \r\n
- followed by server to client
< HTTP/1.0 200 connection established\r\n
< \r\n
... SSL handshake ...

    And because the client send a https proxy request like it should but you expect the immediate start of the SSL handshake (that is you expect a ClientHello message) this fails with:

    "Error during SSL handshake: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request"