March 2015

Windows: the network connection works and any host can be pinged, but browsers and other applications cannot get online

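As the title says, this is most likely caused by corrupted Winsock files on the system.
Run a console as administrator (press Win+R, type cmd and press Enter; right-click in the console that opens, choose Properties, then click Run as administrator).
In the console with administrator privileges, enter the command netsh winsock reset, then restart the computer, and the problem is solved.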

Setting the proxy on Windows with command-line tools

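On Windows there are two kinds of proxy settings: the proxy used for system updates, and the proxy used by application software (browsers and the like).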

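Proxy used by application software (browsers and the like)
This is a bat file. Copy all of the code into Notepad, adjust the bypass rules, and save it as 修改计算机HTTP代理.bat. Then double-click it to run, and at the input prompt enter http://192.168.1.10:8880 to set the proxy to 192.168.1.10:8880.
On some computers the setting may not take effect. In that case press Win+R, type inetcpl.cpl and confirm. In the settings dialog that pops up, click Connections, then press Ctrl+L, then click OK, and the setting takes effect. Well, admittedly that way the command line is not really being used~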

@echo off
rem Sets the per-user HTTP proxy used by browsers and similar applications.
title   设置计算机HTTP代理
set /p http_proxy=http://username:password@your_proxy:your_port:

rem Proxy address; quoted so special characters in the input are not interpreted by cmd.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ^
    /v ProxyServer /t REG_SZ /d "%http_proxy%" /f

rem Bypass rules: hosts that are reached without going through the proxy.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ^
    /v ProxyOverride /t REG_SZ /d "192.168.*;*.local;localhost;127.0.0.1" /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ^
    /v MigrateProxy /t REG_DWORD /d 0x1 /f

rem Turn the proxy on.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ^
    /v ProxyEnable /t REG_DWORD /d 0x1 /f

echo.
echo 修改计算机HTTP代理

The proxy used for system updates is set as follows:

NetSh winhttp set proxy should be helpful. Here are the commands:

netsh winhttp set proxy myproxy

netsh winhttp set proxy myproxy:80 "<local>;bar"

netsh winhttp set proxy proxy-server="http=myproxy;https=sproxy:88" bypass-list="*.contoso.com"

show

netsh winhttp show proxy

reset

netsh winhttp reset proxy

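Generating certificate files with the OpenSSL command line

Generating the certificate files

Many people have probably had the same experience as I have: when using the OpenSSL library to write an encrypted communication program, the code itself is written quickly, yet the whole job ends up taking several days. Besides getting the program to compile (without usable certificate files, a program that compiles still will not run, and compiling does not mean it works properly, so...), you also need to generate the necessary certificate and private key files so that the two sides can successfully verify each other.
I searched through a great deal of material, much of it vague, and read a lot of English material as well, and still got nowhere (maybe the foreign folks are all so good that nothing needs to be spelled out?). Then I stumbled on an article written by yawl (yawl@nsfocus.com), a rare one in Chinese (heh). It has a section on generating certificates, but after the point where the Certificate Signing Request (CSR) file is generated it becomes a little unclear. Generating a self-signed certificate afterwards is covered in many places; as for the signing part, yawl says mod_ssl has a fairly good script, but I could not find it at the time, so I did it myself with the openssl ca command, which is not much trouble either.

About my working environment: a diskless workstation (permission issues make it somewhat inconvenient), and the working directory is openssl/bin (I have no way to change the environment variables; if you can, you do not need to work in this directory). For convenience I also copied openssl.cnf from apps into this directory. The file names below are the ones I used: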

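1. First generate the server's private key (key file):
openssl genrsa -des3 -out server.key 1024
When run, it prompts for a password, which is used to encrypt the key file (the des3 parameter specifies the encryption algorithm; you can of course choose another algorithm you consider secure). From then on, the passphrase must be entered whenever this file is read (through the commands or API that openssl provides). If that is inconvenient, the passphrase can be removed, but other protective measures must then be taken!
Command to remove the passphrase from the key file:
openssl rsa -in server.key -out server.key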

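2. Generate the Certificate Signing Request (CSR):
openssl req -new -key server.key -out server.csr -config openssl.cnf
The generated csr file is handed to the CA for signing and then becomes the server's own certificate. Prompts appear on screen; follow them step by step and enter the requested personal information.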

3. Run the same commands for the client to generate its key and csr files:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf

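4. A CSR file must be signed by a CA to become a certificate. You could send the file to VeriSign or a similar company to have it validated, but that costs a lot of money, so why not be your own CA?
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf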

5. Use the CA certificate just generated to sign the server.csr and client.csr files created earlier:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

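All the files we need have now been generated.

Also:
Files used by the client: ca.crt, client.crt, client.key
Files used by the server: ca.crt, server.crt, server.key
The .crt and .key files can be combined into a single file; I merged the two into one .pem file (just copy the contents over).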
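
Steps 1 to 5 above as one non-interactive script, followed by a check that each certificate chains to the CA and matches its private key. This is an added example, not part of the original post: it signs with openssl x509 -req instead of openssl ca (so no CA database from openssl.cnf is needed) and uses 2048-bit RSA with SHA-256; the subject names, validity periods and the CA_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example: private CA plus server and client certificates, no prompts.
# Subject names, validity periods and the fallback passphrase are constructed
# sample values; set CA_PASS in the environment for real use.
set -eu
: "${CA_PASS:=constructed-sample-passphrase}"; export CA_PASS

make_pki() {
    dir=$1
    mkdir -p "$dir"
    (
        umask 077              # key files are never readable by other users
        cd "$dir"
        # Step 4: self-signed CA certificate; its key is encrypted with CA_PASS.
        openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 \
            -subj "/O=Example Lab/CN=Example Test CA" \
            -keyout ca.key -passout env:CA_PASS -out ca.crt
        for name in server client; do
            # Steps 1-3: unencrypted key (protected by file mode) and its CSR.
            openssl genrsa -out "$name.key" 2048
            openssl req -new -key "$name.key" -sha256 \
                -subj "/O=Example Lab/CN=$name.example.test" -out "$name.csr"
            # Step 5: the CA signs the CSR.
            openssl x509 -req -in "$name.csr" -sha256 -days 365 \
                -CA ca.crt -CAkey ca.key -passin env:CA_PASS \
                -CAcreateserial -out "$name.crt"
        done
    ) >"$dir/openssl.log" 2>&1
}

# Succeeds only if <name>.crt chains to ca.crt and matches <name>.key.
check_cert() {
    dir=$1 name=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/$name.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

out=$(mktemp -d)
make_pki "$out"
for n in server client; do
    check_cert "$out" "$n" && echo "$n: chain and key verified"
done
```

The openssl output for each run is kept in openssl.log inside the output directory, which is the first place to look if a step fails.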

Custom SSL Certificate With Charles Web Proxy

Charles Web Proxy is an excellent tool for debugging HTTP requests. It has support for inspecting requests/responses and even more cool features like breakpoints or rewrites. I use it when developing iOS apps that communicate with a server over HTTP but also to figure out how my favorite apps from the App Store work. The Charles documentation is a good resource for understanding the features in Charles.


Charles Web Proxy acts as the server to the client and as the client to the server.

HTTPS

Support for SSL proxying is built into Charles using a man-in-the-middle HTTPS proxy. It is incredibly useful as many apps use HTTPS. Instead of the client seeing the certificate of the server, it sees a certificate Charles has signed with its own root certificate. Further, Charles communicates with the server using the certificate of the server. In this way the client thinks it is communicating with the server and the server thinks it is communicating with the client, while they are in fact both talking to Charles.

However, since the certificate provided by Charles is not signed by a trusted certificate authority, the client will in most cases reject it. To avoid this you have to add the root certificate of Charles as a trusted certificate on the client. There are instructions on how to do that for both Mac/PC and iPhone.

Security problem

Installing the root certificate of Charles as a trusted certificate on your device, however, introduces security threats. An evil-minded person could simply use an SSL certificate signed with the root certificate of Charles to perform a man-in-the-middle attack on your device, since this certificate and its key are available for everyone to download on the internet.

Custom SSL certificate

Luckily Charles supports using your own custom SSL certificate as the root certificate, which you have to create yourself. This can be done using openssl. You will be asked for some information about the certificate. I recommend at least setting Organization Name to something meaningful, such as Charles Proxy Custom SSL certificate. This makes it easier to find the certificate in Keychain.

$ openssl req -x509 -newkey rsa:1024 -keyout charles.key -out charles.crt -days 3650 -nodes

An X.509 certificate and a private key will be created. Charles expects a PKCS12 file where these are bundled together, so let's create such a bundle. You will be asked for a password and you must specify one for Charles to accept the bundle. Further, every time Charles is launched you will be asked to type in this password. At the end of this post I will show how to avoid this.

$ openssl pkcs12 -export -out charles.pfx -inkey charles.key -in charles.crt

Enter Export Password: <YOUR KEY>
Verifying - Enter Export Password: <YOUR KEY>

Now simply select the charles.pfx file under Proxy Settings > SSL > Use a Custom CA Certificate in Charles. Notice that Charles only saves the path to the file, so place the file somewhere meaningful.

Remember to install the certificate in Keychain by simply opening the charles.crt file. It can be installed in the iOS simulator by dragging charles.crt into the simulator window, and on your iOS device by sending it by email. Remember to delete the old Charles certificate if you had it installed.

Replace default certificate

Charles is now using our custom SSL certificate and we can be happy and feel secure. However, if, like me, you use Charles on a daily basis, you will quickly get annoyed by having to provide the password of the PKCS12 bundle every time you launch Charles. My method to avoid this is to trick Charles into thinking that it is using the default Charles CA certificate when it is actually using my custom certificate.

Charles stores the used certificate in a keystore file located in a jar file. The trick is to create a new keystore file with our custom certificate and then replace the file. We use keytool to make the keystore file from the charles.pfx file. The file is protected by a password, and it is important that we use the same password as the keystore file bundled with Charles. A quick inspection of the Charles jar file reveals that this password is expected to be Q6uKCvhD6AmtSNn7rAGxrN8pv9t93.

$ keytool -v -importkeystore -srckeystore charles.pfx -srcstoretype PKCS12 -destkeystore keystore -deststoretype JKS

Enter destination keystore password: Q6uKCvhD6AmtSNn7rAGxrN8pv9t93
Re-enter new password: Q6uKCvhD6AmtSNn7rAGxrN8pv9t93
Enter source keystore password: <YOUR KEY>

This will generate a keystore file. The private key stored in it is still protected by the key provided when it was created. This must also be changed to the key Charles expects.

$ keytool -alias 1 -keypasswd -new Q6uKCvhD6AmtSNn7rAGxrN8pv9t93 -keystore keystore -storepass Q6uKCvhD6AmtSNn7rAGxrN8pv9t93 -keypass <YOUR KEY>

The last thing to do is to replace the default keystore file, which is located inside the charles.jar file, with the newly generated one.

$ jar vfu /Applications/Charles.app/Contents/Resources/Java/charles.jar keystore

Remember to disable Use a Custom CA Certificate in Charles. Charles is now using your custom SSL certificate and you don’t have to type in a password every time you launch Charles.