jimevans/BenderProxy

SslStream AuthenticateAsClient Exceptions

JDCain opened this issue · 10 comments

When using an SSL proxy with Selenium, some items on the page will not load, with SslStream.AuthenticateAsClient throwing errors on some items within a page such as images and CSS. I am not sure if this is somehow due to how I am creating a self-signed cert for the proxy.

Going to https://google.com
Context:
Accept = "image/webp,image/apng,image/*,*/*;q=0.8"
InnerException = {"The message received was unexpected or badly formatted."}

In order to debug and see the errors I had to make a copy of BenderProxy.SslProxy.
https://github.com/JDCain/SeleniumSslProxyErrorExample

Does Google use TLS 1.3? If you add that to the SslProtocols value you're passing into the SslProxy constructor, does that change things?

I added SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls13 and the error still comes up. I tried just 1.3 and it would not work at all.

I don't have the best knowledge of SSL so I was thinking it may be something with how I generate the self-signed certificate. Is there anything obvious here: https://github.com/JDCain/SeleniumSslProxyErrorExample/blob/2ff77cfe22e4904ff4c80b115b28031ed782ec8d/Proxy.cs#L36
I was not attempting to add it to the Windows store since I was wanting to run in Linux and Windows.

I tried to debug JD's issue and had no discernible pattern for what will fail and what won't. The same requests are consistently failing but there doesn't seem to be a pattern to which ones fail and which ones succeed. I've ruled out:

  • TLS versions (all info on https://www.google.com was using TLS 1.2)
  • Cookies
  • Specific Headers
  • CORS
  • Timeouts
  • Bad self-signed cert
  • Specific hosts
  • Specific content types
  • Specific HTTP Methods

Not really sure what else I can do to try and narrow down the issue.

If I only enable 1.2 I get this error instead: "Win32Exception: The token supplied to the function is invalid".
I've started using https://sha256.badssl.com/ to test as it is very simple and only has one piece of CSS on it. That piece of CSS always gets the token or other error when it tries to download.

I installed the source code alongside my project and I am now seeing this as the first exception:
[image]

@JDCain That's a little more instructive. I can't guarantee I'll have any time to look at the issue in the near future, but the repro case and the inner exception will be useful.

@jimevans There is no inner exception on that error. I've updated the example so that the error can be seen when running the single unit test in the project. Even if I set the timeout higher for the stream, this error comes up very fast for the image and CSS items.

System.Net.Sockets.SocketException
HResult=0x80004005
Message=A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Source=System.Net.Sockets
StackTrace:
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)

Closing as no longer needed.
I used PassedBall in Titanium Proxy to accomplish the NTLM Selenium auth.
justcoding121/titanium-web-proxy#754

Thanks for that. Somehow, when I was writing the blog post that inspired this fork, I missed Titanium. If I knew it was a thing, I'd never have forked FryProxy in the first place.