[BUG] SSL handshake failed with xxx.com:443: certificate verify failed
- [x] I certify that I have read the contributing guidelines and I acknowledge if I don't follow the format below, or I'm using an old version of trojan, or I apparently fail to provide sufficient information (such as logs, specific numbers), or I don't check this box, my issue will be closed immediately without any notice.
Trojan Version
1.60.0
Describe the bug
I am using trojan on iOS. Because part of the code does not work on iOS, I commented it out. When I set verify to false it works normally; when I set it to true, it reports:
SSL handshake failed with xxx.com:443: certificate verify failed
The code I commented out is:
```cpp
#ifdef __APPLE__
//    SecKeychainSearchRef pSecKeychainSearch = NULL;
//    SecKeychainRef pSecKeychain;
//    OSStatus status = noErr;
//    X509 *cert = NULL;
//
//    // Leopard and above store location
//    status = SecKeychainOpen ("/System/Library/Keychains/SystemRootCertificates.keychain", &pSecKeychain);
//    if (status == noErr) {
//        X509_STORE *store = SSL_CTX_get_cert_store(native_context);
//        status = SecKeychainSearchCreateFromAttributes (pSecKeychain, kSecCertificateItemClass, NULL, &pSecKeychainSearch);
//        for (;;) {
//            SecKeychainItemRef pSecKeychainItem = nil;
//
//            status = SecKeychainSearchCopyNext (pSecKeychainSearch, &pSecKeychainItem);
//            if (status == errSecItemNotFound) {
//                break;
//            }
//
//            if (status == noErr) {
//                void *_pCertData;
//                UInt32 _pCertLength;
//                status = SecKeychainItemCopyAttributesAndData (pSecKeychainItem, NULL, NULL, NULL, &_pCertLength, &_pCertData);
//
//                if (status == noErr && _pCertData != NULL) {
//                    unsigned char *ptr;
//
//                    ptr = (unsigned char *)_pCertData; /*required because d2i_X509 is modifying pointer */
//                    cert = d2i_X509 (NULL, (const unsigned char **) &ptr, _pCertLength);
//                    if (cert == NULL) {
//                        continue;
//                    }
//
//                    if (!X509_STORE_add_cert (store, cert)) {
//                        X509_free (cert);
//                        continue;
//                    }
//                    X509_free (cert);
//
//                    status = SecKeychainItemFreeAttributesAndData (NULL, _pCertData);
//                }
//            }
//            if (pSecKeychainItem != NULL) {
//                CFRelease (pSecKeychainItem);
//            }
//        }
//        CFRelease (pSecKeychainSearch);
//        CFRelease (pSecKeychain);
//    }
#endif // __APPLE__
```
The code corresponds to service.cpp line 156 to line 203.
Because these APIs only exist on macOS, on iOS the linker reports that the symbols cannot be found.
My server-side configuration is fine and the certificate is fine; opening the page in a browser shows the HTTPS certificate is valid.
openssl version: 1.1.1d
Linux has the same problem:
```
[master1 root /opt/trojan]# ./trojan
Welcome to trojan 1.15.1
[2022-02-21 21:44:55] [WARN] trojan service (client) started at 127.0.0.1:1080
[2022-02-21 21:45:01] [INFO] 127.0.0.1:52962 requested connection to cip.cc:80
[2022-02-21 21:45:01] [ERROR] 127.0.0.1:52962 SSL handshake failed with xxx.com:443: certificate verify failed
[2022-02-21 21:45:01] [INFO] 127.0.0.1:52962 disconnected, 0 bytes received, 70 bytes sent, lasted for 0 seconds
[2022-02-21 21:45:09] [INFO] 127.0.0.1:52994 requested connection to cip.cc:80
```
@omaidb @GreaterFire Not working properly on centos7.9
[ERROR] 127.0.0.1:36572 SSL handshake failed with de1-1.nigirocloud.com:443: certificate verify failed
Is there any solution? Thanks.
@marksugar @omaidb
Did you specify the cafile path in your client configuration?
First find your system's cafile path:
```
curl -v https://www.qq.com |& grep CAfile
```
Then put that path into the client configuration; for example, on Arch Linux it is:
```
"cert": "/etc/ssl/certs/ca-certificates.crt",
```
On macOS it is /etc/ssl/cert.pem.
The trojan documentation mentions this:
> cert: if verify is set to true, the same certificate used by the server or a collection of CA certificates could be provided. If you leave this field blank, OpenSSL will try to look for a system CA store and will be likely to fail.
That is, if the field is left blank, trojan relies on OpenSSL to locate the CA store on its own, which will most likely fail, so it is recommended to set it explicitly.
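As an added example (not code from this thread or from the trojan project), the check described in the answer above can be automated: pull the CA bundle path out of `curl -v` output, then audit the client's `ssl` block the way OpenSSL would resolve it. The `ssl` / `verify` / `cert` nesting is assumed to mirror trojan's client config.json; the curl output below is constructed, not a real capture. The fallback to OpenSSL's compiled-in default path uses Python's `ssl.get_default_verify_paths()`, which reports the same defaults the OpenSSL library was built with.

```python
import os
import re
import ssl

# Constructed sample of `curl -v https://...` stderr (not a real capture).
SAMPLE_CURL_OUTPUT = """\
* Connected to example.test (203.0.113.10) port 443 (#0)
* ALPN: offers h2,http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
"""

# curl prints the bundle it uses as "*  CAfile: <path>" (or "none").
_CAFILE_RE = re.compile(r"^\*\s*CAfile:\s*(\S+)\s*$", re.MULTILINE)


def parse_cafile(curl_verbose_output: str):
    """Return the CA bundle path curl reports, or None if absent or 'none'."""
    m = _CAFILE_RE.search(curl_verbose_output)
    if not m or m.group(1).lower() == "none":
        return None
    return m.group(1)


def resolve_cert_path(configured: str, default_cafile=None):
    """Mimic what the client ends up verifying against.

    An explicit "cert" wins; an empty value means OpenSSL's compiled-in
    default CA file, which is exactly the case the docs warn about.
    """
    if configured:
        return "explicit", configured
    if default_cafile is None:
        default_cafile = ssl.get_default_verify_paths().cafile
    return "openssl-default", default_cafile


def audit_client_config(config: dict, default_cafile=None, exists=os.path.isfile):
    """Return (ok, messages) for the TLS verification part of a client config.

    `exists` is injectable so the check can be exercised without touching
    the real filesystem.
    """
    ssl_cfg = config.get("ssl", {})
    msgs = []
    if not ssl_cfg.get("verify", True):
        msgs.append("verify=false: the server certificate is never checked, "
                    "so a man-in-the-middle would not be detected")
        return False, msgs
    source, path = resolve_cert_path(ssl_cfg.get("cert", ""), default_cafile)
    if source == "openssl-default":
        msgs.append(f"cert is empty; falling back to OpenSSL default CA file {path!r}")
    if not path or not exists(path):
        msgs.append(f"CA file {path!r} not found: expect "
                    "'SSL handshake failed ... certificate verify failed'")
        return False, msgs
    msgs.append(f"using CA file {path!r} ({source})")
    return True, msgs


if __name__ == "__main__":
    cafile = parse_cafile(SAMPLE_CURL_OUTPUT)
    print("curl reports CAfile:", cafile)
    # Hypothetical client config with the field left blank, then fixed.
    for cfg in ({"ssl": {"verify": True, "cert": ""}},
                {"ssl": {"verify": True, "cert": cafile}}):
        ok, msgs = audit_client_config(cfg)
        print("OK" if ok else "FAIL", "-", "; ".join(msgs))
```

Run it on the real machine and the second config prints OK only if the bundle curl found actually exists at that path; on the first config it shows which default path OpenSSL would have tried, which is usually the quickest way to see why verification fails when "cert" is blank.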
I did what you suggested and still have the problem.
Hi, you can try this:
```
sudo apt install ca-certificates
```
It works for me, thanks!