ago by (160 points)

I'm trying to set up Proxifier + TLS Proxy, but can't get it to function properly.
What I am trying to achieve:
Old software on the PC (doesn't support new TLS, can't change its destination to local) HTTPS <-> Proxifier (certain URLs) HTTPS <-> TLSProxy 127.0.0.99:9500 (and other, separate ports for different URLs) HTTPS <-> TLS 1.2/1.3 server (Microsoft Azure)

My config looks like this:

  - name: SomeName
    in:
      address: 127.0.0.99
      port: 9500
      protocol: HTTPS
      tlsVersions: TLS10,TLS11,TLS12
      tlsCipherSuites: All

    out:
      address: SomeURL.com
      port: 443
      protocol: HTTPS
      tlsVersions: TLS12,TLS13

    certificate: CertPath.pfx; pwd="SomePassword"

I've also tried overriding SNI and Host but that didn't work either.
In my investigation I've tried:
Firefox (https) <-> Proxifier (https) <-> TLSProxy (https) <-> Server

[INF][-]: Connection from 127.0.0.1:31216 accepted on 127.0.0.99:9500.
[INF][-]: Starting tunnel (127.0.0.1:31216) --'HTTPS/TLS10,TLS11,TLS12'--> (9500) --'HTTPS/TLS12,TLS13'--> (SomeURL.com:443).
[INF][I]: Assembly: Rebex.Tls 8.0.9278 for .NET 8
[INF][I]: Starting TLS negotiation.
[DBG][I]: Using TLS 1.2 core.
[DBG][I]: Enabled cipher suites: 0x0C1FFFFFFFFFFFFF.
[DBG][I]: Applicable cipher suites: 0x0C1FFFFFFFFFFFFF.
[DBG][I]: Using modern transport layer.
[DBG][I]: Invalid TLS packet received:
CONNECT ServerIP:443 HTTP/1.1..Host: ServerIP:443....
[DBG][I]: Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been encountered on the local connection end.
   at ydw.odc.MoveNext()
--- End of stack trace from previous location ---
   at ydw.odm.MoveNext()
[INF][I]: Fatal Alert:ProtocolVersion was sent.
[VRB][I]: Sent TLS packet: 
......F
[WRN][-]: (127.0.0.1) Cannot start inbound tunnel due to: Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been encountered on the local connection end.
[DBG][-]: Cannot start inbound tunnel due to: Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been encountered on the local connection end.
 ---> Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been encountered on the local connection end.
   at ydw.odc.MoveNext()
--- End of stack trace from previous location ---
   at ydw.odm.MoveNext()
   --- End of inner exception stack trace ---
   at ydw.odm.MoveNext()
--- End of stack trace from previous location ---
   at Rebex.Utils.Functional.FuncUtils.<innerFinally>d__44.MoveNext()
--- End of stack trace from previous location ---
   at ydw.ocv.MoveNext()
--- End of stack trace from previous location ---
   at ydw.ocu.MoveNext()
--- End of stack trace from previous location ---
   at ydt.ukb.MoveNext()
--- End of stack trace from previous location ---
   at ydt.ukc.MoveNext()
--- End of stack trace from previous location ---
   at yei.xny.MoveNext()
--- End of stack trace from previous location ---
   at yei.xnx.MoveNext()
--- End of stack trace from previous location ---
   at yei.xnr.MoveNext()
--- End of stack trace from previous location ---
   at wmh.pdi.MoveNext()
--- End of stack trace from previous location ---
   at wmh.pdg.MoveNext()
--- End of stack trace from previous location ---
   at Rebex.TlsProxy.Core.Tunnel.<Start>d__39.MoveNext()

curl (no arguments) <-> TLSProxy (https) <-> Server

[INF][-]: Connection from 127.0.0.1:31259 accepted on 127.0.0.99:9500.
[INF][-]: Starting tunnel (127.0.0.1:31259) --'HTTPS/TLS10,TLS11,TLS12'--> (9500) --'HTTPS/TLS12,TLS13'--> (SomeURL.com:443).
[INF][I]: Assembly: Rebex.Tls 8.0.9278 for .NET 8
[INF][I]: Starting TLS negotiation.
[DBG][I]: Using TLS 1.2 core.
[DBG][I]: Enabled cipher suites: 0x0C1FFFFFFFFFFFFF.
[DBG][I]: Applicable cipher suites: 0x0C1FFFFFFFFFFFFF.
[DBG][I]: Using modern transport layer.
[DBG][I]: Invalid TLS packet received:
GET / HTTP/1.1..Host: 127.0.0.99:9500..User-Agent: curl/8.18.0..Accept: */*....
[DBG][I]: Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been encountered on the local connection end.
   at ydw.odc.MoveNext()
--- End of stack trace from previous location ---
   at ydw.odm.MoveNext()
[INF][I]: Fatal Alert:ProtocolVersion was sent.
[VRB][I]: Sent TLS packet: 
......F
[WRN][-]: (127.0.0.1) Cannot start inbound tunnel due to: Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been encountered on the local connection end.
[DBG][-]: Cannot start inbound tunnel due to: Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been encountered on the local connection end.
 ---> Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been encountered on the local connection end.
   at ydw.odc.MoveNext()
--- End of stack trace from previous location ---
   at ydw.odm.MoveNext()
   --- End of inner exception stack trace ---
   at ydw.odm.MoveNext()
--- End of stack trace from previous location ---
   at Rebex.Utils.Functional.FuncUtils.<innerFinally>d__44.MoveNext()
--- End of stack trace from previous location ---
   at ydw.ocv.MoveNext()
--- End of stack trace from previous location ---
   at ydw.ocu.MoveNext()
--- End of stack trace from previous location ---
   at ydt.ukb.MoveNext()
--- End of stack trace from previous location ---
   at ydt.ukc.MoveNext()
--- End of stack trace from previous location ---
   at yei.xny.MoveNext()
--- End of stack trace from previous location ---
   at yei.xnx.MoveNext()
--- End of stack trace from previous location ---
   at yei.xnr.MoveNext()
--- End of stack trace from previous location ---
   at wmh.pdi.MoveNext()
--- End of stack trace from previous location ---
   at wmh.pdg.MoveNext()
--- End of stack trace from previous location ---
   at Rebex.TlsProxy.Core.Tunnel.<Start>d__39.MoveNext()

curl (https) <-> TLSProxy (https) <-> Server

[INF][O]: Connecting to ServerIP:443 using TlsClientSocket.
[VRB][I]: Received TLS packet: 
...
[INF][O]: Negotiating TLS 1.3, ECDH with secp256r1, AES with 256-bit key in GCM mode, SHA-384.
...
[INF][O]: Connection secured using cipher: TLS 1.3, ephemeral ECDH, AES with 256-bit key in GCM mode, AEAD.
[INF][-]: Established tunnel (127.0.0.1:31856) --'HTTPS/TLS12'--> (9500) --'HTTPS/TLS13'--> (SomeURL.com:443).
[DBG][-]: Endpoints: IN=[127.0.0.1:31856; 127.0.0.99:9500], OUT=[IP:31857; ServerIP:443].

I've tried to catch curl with Proxifier, but for some reason it doesn't see curl.
Proxifier tells me this for Firefox: Could not connect through proxy 127.0.0.99(127.0.0.99):9500 - Proxy returned incorrect HTTP reply.
Trying the test from Proxifier (HTTPS) <-> TLSProxy (HTTPS) <-> Server:

Starting: Test 1: Connection to the Proxy Server
IP Address: 127.0.0.99
Connection established
Test passed.
Starting: Test 2: Connection through the Proxy Server
Error : connection to the proxy server was closed unexpectedly. Please make sure that the proxy server protocol and address are correct.
Test failed.

TLSProxy side:

[INF][-]: Connection from 127.0.0.1:33473 accepted on 127.0.0.99:9500.
[INF][-]: Starting tunnel (127.0.0.1:33473) --'HTTPS/TLS10,TLS11,TLS12'--> (9500) --'HTTPS/TLS12,TLS13'--> (SomeURL.com:443).
[INF][I]: Assembly: Rebex.Tls 8.0.9278 for .NET 8
[INF][I]: Starting TLS negotiation.
[DBG][I]: Using TLS 1.2 core.
[DBG][I]: Enabled cipher suites: 0x0C1FFFFFFFFFFFFF.
[DBG][I]: Applicable cipher suites: 0x0C1FFFFFFFFFFFFF.
[DBG][I]: Using modern transport layer.
[DBG][I]: Invalid TLS packet received:
CONNECT SomeURL.com:443 HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)..Host: SomeURL.com:443....
[DBG][I]: Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been encountered on the local connection end.
   at ydw.odc.MoveNext()
--- End of stack trace from previous location ---
   at ydw.odm.MoveNext()
[INF][I]: Fatal Alert:ProtocolVersion was sent.
[VRB][I]: Sent TLS packet: 
......F
[WRN][-]: (127.0.0.1) Cannot start inbound tunnel due to: Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been encountered on the local connection end.
[DBG][-]: Cannot start inbound tunnel due to: Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been encountered on the local connection end.
 ---> Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been encountered on the local connection end.
   at ydw.odc.MoveNext()
--- End of stack trace from previous location ---
   at ydw.odm.MoveNext()
   --- End of inner exception stack trace ---
   at ydw.odm.MoveNext()
--- End of stack trace from previous location ---
   at Rebex.Utils.Functional.FuncUtils.<innerFinally>d__44.MoveNext()
--- End of stack trace from previous location ---
   at ydw.ocv.MoveNext()
--- End of stack trace from previous location ---
   at ydw.ocu.MoveNext()
--- End of stack trace from previous location ---
   at ydt.ukb.MoveNext()
--- End of stack trace from previous location ---
   at ydt.ukc.MoveNext()
--- End of stack trace from previous location ---
   at yei.xny.MoveNext()
--- End of stack trace from previous location ---
   at yei.xnx.MoveNext()
--- End of stack trace from previous location ---
   at yei.xnr.MoveNext()
--- End of stack trace from previous location ---
   at wmh.pdi.MoveNext()
--- End of stack trace from previous location ---
   at wmh.pdg.MoveNext()
--- End of stack trace from previous location ---
   at Rebex.TlsProxy.Core.Tunnel.<Start>d__39.MoveNext()

Can you help me figure out what I am doing wrong?
P.S. I've successfully paired Proxifier with other proxy programs and never had any issues, but they are not suitable for changing TLS.

Applies to: Rebex HTTPS, Rebex TLS

1 Answer

ago by (76.9k points)
Best answer

Please note that Rebex TLS Proxy is not an HTTP CONNECT proxy (or any other proxy with a specific syntax, such as HTTPS or SOCKS4/5). Rebex TLS Proxy transparently adds/removes/modifies the TLS layer of the communication. In your case, the proxy is configured to listen on port 9500 expecting TLS 1.0-1.2 communication and to forward the traffic to/from SomeURL.com:443 using TLS 1.2/1.3.

Now, to your tests:

  1. curl (https) <-> TLSProxy (https) <-> Server:
    It works because curl sent an HTTPS request (TLS + HTTP) to the proxy. This is expected.

  2. curl (no arguments) <-> TLSProxy (https) <-> Server:
    It does not work because curl sent a plain HTTP request (no TLS) to the proxy. It is expected to fail. The log contains the reason:

    [DBG][I]: Invalid TLS packet received:
    GET / HTTP/1.1..Host: 127.0.0.99:9500..User-Agent: curl/8.18.0..Accept: */*....
    

    You can see that a plain HTTP GET was received by the proxy, but the proxy expected TLS traffic. This is the same as if you used plain (not HTTPS) http://someurl.com on port 443.

  3. Proxifier (https) <-> TLSProxy (https) <-> Server:
    With the info above, you can now spot the issue:

    [DBG][I]: Invalid TLS packet received:
    CONNECT SomeURL.com:443 HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)..Host: SomeURL.com:443....
    

    And from the first log (Firefox (https) <-> Proxifier (https) <-> TLSProxy (https) <-> Server):

    [DBG][I]: Invalid TLS packet received:
    CONNECT ServerIP:443 HTTP/1.1..Host: ServerIP:443....
    

    Proxifier is adding HTTP CONNECT proxy traffic to the communication, which is not expected on the Rebex TLS Proxy side.

It seems that to make it work, you should just remove Proxifier from the communication and run Rebex TLS Proxy there instead. Or, if it is easier for you, configure Proxifier just to forward traffic to 127.0.0.99:9500 without using HTTP CONNECT, i.e. to act as a relay (if that is possible; I don't know its capabilities).

Note: We plan to add support for HTTP CONNECT to Rebex TLS Proxy, so this issue would be solved by reconfiguring the proxy. Unfortunately, it is not completed yet and it seems it will not be available within the next month. If you want to test a preview when it is ready, please let me know.
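The mismatch the answer describes, and the "act as a relay" workaround it suggests, as an added example that is not part of the original answer and is neither Rebex nor Proxifier code. The first function classifies the first bytes on an inbound connection the way the TLS Proxy log does (a TLS record, an HTTP CONNECT, a plain HTTP request, or something else). The rest is a small HTTP CONNECT terminator that can sit between Proxifier and the TLS Proxy listener: it consumes the RFC 2817 CONNECT preamble that Proxifier's "HTTPS" proxy type sends, answers 200, and then splices the raw bytes (the client's TLS ClientHello and everything after it) to a fixed upstream, so the TLS Proxy sees only TLS. The listen address 127.0.0.1:3128, the allowed target SomeURL.com:443 and the upstream 127.0.0.99:9500 are assumptions for the example; run one relay instance per TLS Proxy listener.

```python
import re
import socket
import threading

# CONNECT request line per RFC 2817: "CONNECT host:port HTTP/1.1"
CONNECT_RE = re.compile(rb"^CONNECT\s+([^\s:]+):(\d{1,5})\s+HTTP/1\.[01]\r\n")


def classify_first_bytes(data: bytes) -> str:
    """Classify what arrived first on an inbound connection.
    A TLS handshake record starts 0x16 0x03 0x0X (content type 'handshake',
    legacy record version 3.x); anything else is what the TLS Proxy log
    reports as 'Invalid TLS packet received'."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(b"CONNECT "):
        return "http-connect"
    if re.match(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n", data):
        return "http"
    return "unknown"


def parse_connect(head: bytes):
    """(host, port) from a CONNECT request line, or None when it is malformed."""
    m = CONNECT_RE.match(head)
    if not m:
        return None
    port = int(m.group(2))
    if not 0 < port < 65536:
        return None
    return m.group(1).decode("ascii"), port


def _read_head(conn, limit=8192, timeout=5.0):
    """Read up to the end of the HTTP header block, bounded in size and time."""
    conn.settimeout(timeout)
    buf = b""
    try:
        while b"\r\n\r\n" not in buf and len(buf) <= limit:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    except OSError:  # includes socket.timeout (e.g. a raw ClientHello never ends a header block)
        pass
    conn.settimeout(None)
    return buf


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then shut both sockets down."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle_client(conn, allowed, upstream):
    """Terminate one CONNECT from Proxifier and splice the client to `upstream`."""
    with conn:
        head = _read_head(conn)
        target = parse_connect(head) if classify_first_bytes(head) == "http-connect" else None
        if target is None or b"\r\n\r\n" not in head:
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
            return
        # Only splice for the destination this TLS Proxy listener is configured
        # for; otherwise the relay would silently redirect other destinations.
        if target != allowed:
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n")
            return
        try:
            up = socket.create_connection(upstream, timeout=10)
        except OSError:
            conn.sendall(b"HTTP/1.1 502 Bad Gateway\r\nConnection: close\r\n\r\n")
            return
        with up:
            up.settimeout(None)
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            up.sendall(head.split(b"\r\n\r\n", 1)[1])  # bytes pipelined after the CONNECT
            t = threading.Thread(target=_pump, args=(up, conn), daemon=True)
            t.start()
            _pump(conn, up)
            t.join()


def serve(listen, allowed, upstream):
    """Bind `listen` and accept in a background thread; returns (socket, bound port)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(16)

    def loop():
        while True:
            try:
                c, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle_client, args=(c, allowed, upstream), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Assumed layout: Proxifier -> 127.0.0.1:3128 (this relay) -> 127.0.0.99:9500 (TLS Proxy).
    serve(("127.0.0.1", 3128), ("SomeURL.com", 443), ("127.0.0.99", 9500))
    threading.Event().wait()
```

Point Proxifier's HTTPS proxy entry at the relay instead of at 127.0.0.99:9500. Two caveats a practitioner will want: the allow-list must match what Proxifier actually puts in the CONNECT line, which in the Firefox log above was the resolved IP (CONNECT ServerIP:443) rather than the hostname, so check the TLS Proxy or relay log and list the form that is really sent; and the relay does nothing to TLS itself, so the old client's TLS 1.0-1.2 handshake still terminates at the TLS Proxy exactly as configured, which is the whole point of keeping it in the chain.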

ago by (160 points)
Thank you for the quick response.
I knew that #2 wouldn't work; I did it to see if the error would match.
Basically, I won't be able to match Proxifier with TLSProxy as they are now:
https://www.proxifier.com/docs/win-v4/proxy.html
https://www.ietf.org/rfc/rfc2817.txt (published in 2000, which kinda explains why Proxifier's HTTPS worked with other HTTPS proxies)

And how would I "just remove the proxifier from communication and run Rebex TLS Proxy there instead"? Is there such a capability in TLSProxy? I would gladly do that if it is possible, but I haven't found a single mention of such an ability in TLSProxy.
In this chain Proxifier catches traffic from a specific executable (program) addressed to specific URLs+ports and IPs+ports; as I mentioned in the initial question, I cannot readdress to the proxy from the program itself (it's not Firefox).
So far it looks like I'll have to try the next alternative on the list (Squid), but in case it can be achieved with TLSProxy itself, let me know how.

As for the test preview, if I don't find a solution until then, I'll gladly test it.
...