c# - HTTPS 代理实现 (SSLStream)

Question

我编写了一个充当代理服务器的控制台应用程序。现在我也喜欢实现 SSL。不喜欢解密任何流量。就像普通的 https 代理一样。我不确定我该如何继续。

var host = text.Remove(0, connectText.Length + 1);
var hostIndex = host.IndexOf(" ", StringComparison.Ordinal);
var hostEntry = host.Remove(hostIndex).Split(new []{":"}, StringSplitOptions.None);
requestClient.Connect(hostEntry[0], Convert.ToInt32(hostEntry[1]));
requestStream = requestClient.GetStream();
var sslStream = new SslStream(requestStream, false, (x1,x2,x3,x4) => true);
sslStream.AuthenticateAsClient(hostEntry[0]);
const string sslResponse = "HTTP/1.0 200 Connection established\r\n\r\n";
var sslResponseBytes = Encoding.UTF8.GetBytes(sslResponse);
proxyStream.Write(sslResponseBytes, 0, sslResponseBytes.Length);
proxyStream.Flush();

我应该直接将所有内容写入sslStream吗？浏览器连接proxyClient呢？我是否也需要包装流，或者我是否可以将所有内容直接写入 proxyStream？我应该使用 AuthenticateAsServer 并以某种方式传递来自 AuthenticateAsClient 的证书吗？

1. IE 向我的代理发出 CONNECT 请求
2. 我的代理看到它是一个 CONNECT 请求并获取 IP: 端口 目的地(例如 www.hotmail.com:443)
3. 我的代理创建了一个到 www.hotmail.com:443 的新 TCP 连接
4. 我的代理从该目的地获取 SslStream 并调用 AuthenticateAsClient - 这为我的代理提供了与 Hotmail 端的安全连接
5. 然后我的代理向浏览器发回一条“HTTP/1.0 200”消息，表明连接成功
6. 然后我的代理从浏览器连接获取 SslStream 并调用 AuthenticateAsServer - 为我的代理提供到浏览器端的安全连接

我看到了这个，但是如何在没有假证书的情况下进行 AuthenticateAsServer。我可以像在我的正常流中那样写吗，还是我应该考虑一些事情？

---

static void Main(string[] args)
{
    var tcpServer = new TcpListener(IPAddress.Parse("127.0.0.1"), 8080);
    tcpServer.Start();
    while (true)
    {
        var proxyClient = tcpServer.AcceptTcpClient();
        var requestClient = new TcpClient();
        var proxyStream = proxyClient.GetStream();
        NetworkStream requestStream = null;
        var bytes = new byte[proxyClient.ReceiveBufferSize];
        var hostHeaderAvailable = 0;
        int count;

        while (proxyStream.DataAvailable)
        {
            count = proxyStream.Read(bytes, 0, bytes.Length);
            if (hostHeaderAvailable == 0)
            {
                var text = Encoding.UTF8.GetString(bytes);
                const string connectText = "connect";
                const string hostText = "Host: ";
                //HTTPS NOT FULLY IMPLEMENTED YET
                if (text.ToLower().StartsWith(connectText))
                {
                    var host = text.Remove(0, connectText.Length + 1);
                    var hostIndex = host.IndexOf(" ", StringComparison.Ordinal);
                    var hostEntry = host.Remove(hostIndex).Split(new []{":"}, StringSplitOptions.None);
                    requestClient.Connect(hostEntry[0], Convert.ToInt32(hostEntry[1]));
                    requestStream = requestClient.GetStream();
                    var sslStream = new SslStream(requestStream, false, (x1,x2,x3,x4) => true);
                    sslStream.AuthenticateAsClient(hostEntry[0]);
                    const string sslResponse = "HTTP/1.0 200 Connection established\r\n\r\n";
                    var sslResponseBytes = Encoding.UTF8.GetBytes(sslResponse);
                    proxyStream.Write(sslResponseBytes, 0, sslResponseBytes.Length);
                    proxyStream.Flush();
                }
                //HTTP WORKS LIKE A CHARM
                else {
                    var hostIndex = text.IndexOf(hostText, StringComparison.Ordinal);
                    if (hostIndex < 0)
                        continue;
                    var host = text.Remove(0, hostIndex + hostText.Length);
                    hostIndex = host.IndexOf("\n", StringComparison.Ordinal);
                    if (hostIndex < 0)
                        continue;
                    host = host.Remove(hostIndex).Replace("\r", "");
                    requestClient.Connect(host, 80);
                    requestStream = requestClient.GetStream();
                }
            }
            hostHeaderAvailable++;
            if (requestClient.Connected) {
                requestStream.Write(bytes, 0, count);
            }
        }

        if (!requestClient.Connected) {
            proxyStream.Close();
            proxyClient.Close();
            continue;
        }

        var timeout = 0;
        while (!requestStream.DataAvailable) {
            if (timeout > 12)
                break;
            Thread.Sleep(500);
            timeout++;
        }

        while (requestStream.DataAvailable)
        {
            count = requestStream.Read(bytes, 0, bytes.Length);
            proxyStream.Write(bytes, 0, count);
        }
        proxyStream.Close();
        proxyClient.Close();
    }
}

Answer 1

IE issues a CONNECT request to my proxy My proxy sees that its a CONNECT request and gets the ip:port of the destination (eg, www.hotmail.com:443) My proxy creates a new TCP connection to www.hotmail.com:443

目前一切正确。

My proxy gets an SslStream from this destination and calls AuthenticateAsClient - this gives my proxy a secure connection to the hotmail side of things

没有。您的代理应该使用您已有的纯文本连接。

My proxy then sends an "HTTP/1.0 200" message back to the browser to say that the CONNECT was successful.

正确。或者，如果您遇到连接失败，您会发回适当的 HTTP 失败响应。

My proxy then gets an SslStream from the browser connection and calls AuthenticateAsServer - gives my proxy a secure connection to the browser side of things

没有。您的代理继续使用明文连接到浏览器。

how AuthenticateAsServer without fake certificate?

您根本不必这样做。

此时浏览器和上游服务器准备执行SSL握手。但是正如您所说，您不想嗅探内容，您自己无需成为 SSL 端点。您现在要做的就是同时在两个方向上复制字节。端点将进行 SSL 握手，就像您不在场一样。