C# 使用c SslStream直接SSL/TLS（无连接消息）MITM代理

我正在尝试使用C创建一个本地windows MITM代理，以处理一个现在不受支持的应用程序，该应用程序来自一家不再存在的公司

代理只需为一个HTTPS域提供服务，该域通过创建侦听本地地址的代理来完成：端口127.0.0.1:443

然后在主机文件中创建一个条目，即127.0.0.1 my.single.domain.com

当将域的条目直接添加到我的主机文件中时，我不会得到正常的连接类型的HTTP请求，而是在套接字上收到一个直接的客户机hello，我可以看到下一步是发起握手

但是，我不确定如何使用csstream处理这个问题。可以找到的大多数示例，包括在MSDN之类的地方，都是针对CONNECT type proxys的

---

我是否需要创建两个SSL流来处理此问题。

回答我自己的问题，但可能会给其他人一些指导。这不是生产标准代码，但它可以工作

public sealed class SslTcpProxy
{
    static void Main(String[] args)
    {
        // Create a TCP/IP (IPv4) socket and listen for incoming connections.
        TcpListener tcpListener = new TcpListener(IPAddress.Parse("127.0.0.1"), 443);
        tcpListener.Start();

        Console.WriteLine("Server listening on 127.0.0.1:433  Press enter to exit.");
        Console.WriteLine();
        Console.WriteLine("Waiting for a client to connect...");
        Console.WriteLine();

        // Application blocks while waiting for an incoming connection.
        TcpClient tcpClient = tcpListener.AcceptTcpClient();
        AcceptConnection(tcpClient);

        Console.ReadLine();
        tcpListener.Stop();
    }

    private static void AcceptConnection(TcpClient client)
    {
        try
        {
            // Using a pre-created certificate.
            String certFilePath = Environment.CurrentDirectory + @"\certificates\server-cert.pfx";

            X509Certificate2 certificate;

            try
            {
                certificate = new X509Certificate2(certFilePath, "[CER_PASSWORD]");
            }
            catch (Exception ex)
            {
                throw new Exception($"Could not create the certificate from file from {certFilePath}", ex);
            }

            SslStream clientSslStream = new SslStream(client.GetStream(), false);
            clientSslStream.AuthenticateAsServer(certificate, false, SslProtocols.Default, false);

            // Display the properties and settings for the authenticated as server stream.
            Console.WriteLine("clientSslStream.AuthenticateAsServer");
            Console.WriteLine("------------------------------------");
            DisplaySecurityLevel(clientSslStream);
            DisplaySecurityServices(clientSslStream);
            DisplayCertificateInformation(clientSslStream);
            DisplayStreamProperties(clientSslStream);

            Console.WriteLine();

            // The Ip address of the server we are trying to connect to.
            // Dont use the URI as it will resolve from the host file.
            TcpClient server = new TcpClient("[SERVER_IP]", 443);
            SslStream serverSslStream = new SslStream(server.GetStream(), false, SslValidationCallback, null);
            serverSslStream.AuthenticateAsClient("[SERVER_NAME]");

            // Display the properties and settings for the authenticated as server stream.
            Console.WriteLine("serverSslStream.AuthenticateAsClient");
            Console.WriteLine("------------------------------------");
            DisplaySecurityLevel(serverSslStream);
            DisplaySecurityServices(serverSslStream);
            DisplayCertificateInformation(serverSslStream);
            DisplayStreamProperties(serverSslStream);

            new Task(() => ReadFromClient(client, clientSslStream, serverSslStream)).Start();
            new Task(() => ReadFromServer(serverSslStream, clientSslStream)).Start();
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
            throw;
        }

    }

    private static Boolean SslValidationCallback(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslpolicyerrors)
    {
        return true;
    }

    private static void ReadFromServer(Stream serverStream, Stream clientStream)
    {
        Byte[] message = new Byte[4096];

        Int32 serverBytes;

        try
        {
            while ((serverBytes = serverStream.Read(message, 0, message.Length)) > 0)
            {
                clientStream.Write(message, 0, serverBytes);
            }
        }
        catch
        {
            // Whatever
        }
    }

    private static void ReadFromClient(TcpClient client, Stream clientStream, Stream serverStream)
    {
        Byte[] message = new Byte[4096];

        FileInfo fileInfo = new FileInfo("client");

        if (!fileInfo.Exists)
        {
            fileInfo.Create().Dispose();
        }

        using (FileStream stream = fileInfo.OpenWrite())
        {
            while (true)
            {
                Int32 clientBytes;

                try
                {
                    clientBytes = clientStream.Read(message, 0, message.Length);
                }
                catch
                {
                    break;
                }

                if (clientBytes == 0)
                {
                    break;
                }

                serverStream.Write(message, 0, clientBytes);
                stream.Write(message, 0, clientBytes);
            }

            client.Close();
        }
    }

    static void DisplaySecurityLevel(SslStream stream)
    {
        Console.WriteLine("Cipher: {0} strength {1}", stream.CipherAlgorithm, stream.CipherStrength);
        Console.WriteLine("Hash: {0} strength {1}", stream.HashAlgorithm, stream.HashStrength);
        Console.WriteLine("Key exchange: {0} strength {1}", stream.KeyExchangeAlgorithm, stream.KeyExchangeStrength);
        Console.WriteLine("Protocol: {0}", stream.SslProtocol);
    }

    static void DisplaySecurityServices(SslStream stream)
    {
        Console.WriteLine("Is authenticated: {0} as server? {1}", stream.IsAuthenticated, stream.IsServer);
        Console.WriteLine("IsSigned: {0}", stream.IsSigned);
        Console.WriteLine("Is Encrypted: {0}", stream.IsEncrypted);
    }

    static void DisplayStreamProperties(SslStream stream)
    {
        Console.WriteLine($"Can read: {stream.CanRead}, write {stream.CanWrite}");
        Console.WriteLine($"Can timeout: {stream.CanTimeout}");
    }

    static void DisplayCertificateInformation(SslStream stream)
    {
        Console.WriteLine($"Certificate revocation list checked: {stream.CheckCertRevocationStatus}");

        X509Certificate localCertificate = stream.LocalCertificate;

        if (stream.LocalCertificate != null)
        {
            Console.WriteLine("Local cert was issued to {0} and is valid from {1} until {2}.",
                localCertificate.Subject,
                localCertificate.GetEffectiveDateString(),
                localCertificate.GetExpirationDateString());
        }
        else
        {
            Console.WriteLine("Local certificate is null.");
        }

        // Display the properties of the client's certificate.
        X509Certificate remoteCertificate = stream.RemoteCertificate;

        if (stream.RemoteCertificate != null)
        {
            if (remoteCertificate != null)
            {
                Console.WriteLine(
                    $"Remote cert was issued to {remoteCertificate.Subject} and is valid from {remoteCertificate.GetEffectiveDateString()} until {remoteCertificate.GetExpirationDateString()}.");
            }
        }
        else
        {
            Console.WriteLine("Remote certificate is null.");
        }

    }
}

---

我建议编辑你的问题，少问一些例子，用有效的技术问题直截了当地回答问题，否则人们会把它关闭。我对你的问题进行了大量编辑，试图使其有效并可回答。我不确定我是否成功，但仅供参考，如果您不同意编辑，请随时回滚。据我所知，您只希望代理服务器能够处理客户端Hello而不是CONNECT。您应该为我们提供更多关于代理服务器的信息，这样我们就知道它是如何处理请求的，比如它是否使用MVC？etcAt目前只是一个简单的控制台mitm代理。我猜它将需要一个客户端SSLStream和一个服务器SSLStream。我不需要为客户创建假证书，因为我有真实证书的副本。我真正的问题是我知道我想实现什么，但谷歌上的当前示例，甚至我自己的书，要么使用连接方法而不是直接ssl流，要么已经过时，要么根本不起作用。我喜欢.net，但微软一直在移动目标帖子，很难找到这些类型的最新例子，而不是一些常见的要求。@WilliamHumphreys当你说你有证书时，这些是什么类型的证书？他们将被绑定到一个域+IP。127.0.0.1绝对不会成为IP。需要更多信息。你可能应该从回答中删除抱怨，并添加一些实际的评论。发布一段代码没有多大用处。此外，我还编写了多个本地MITM程序，我考虑到了您的问题。我花了2年的时间写了我写的最后一个本地MITM软件，在你抱怨之前，你给了人们5个小时。我告诉你们这些并不是为了挑起一场争斗，我告诉你们是因为你们让一个，如果我敢说的话，是你们所问问题的专家的人，对回答完全不感兴趣。这是值得考虑的。它不起作用…范围中未定义BufferSize。这是很久以前一个更大的应用程序的片段。它不是一字不差的，而是一个指南。在这种情况下，它工作得很好。目前，只需将BufferSize替换为message.Length。