Re: [Simpleweb-Support] SSL Handshake problem
From: Niall G. <gal...@ya...> - 2010-05-10 18:32:39
Hi,

I think what Bruno is suggesting is what you want. If you like, feel free to send on your proxy code and I'll tell you what's wrong.

Niall

--- On Mon, 5/10/10, Fábio Matos <fab...@gm...> wrote:

From: Fábio Matos <fab...@gm...>
Subject: Re: [Simpleweb-Support] SSL Handshake problem
To: "Simple support and user issues" <sim...@li...>
Date: Monday, May 10, 2010, 11:09 AM

Hi Bruno,

Thanks for your patience. I'll try to be more clear about what I want to do.

I want an HTTPS proxy that acts as a man-in-the-middle for logging purposes.

Browser ----- (1) ------ Simple "Proxy" (2) ------- (3) ------- Server

(1) Traffic encrypted with Proxy Certificate
(2) Traffic decrypted with Proxy Certificate and logged
(3) Traffic encrypted with Server Certificate

So, with the proxy configured in the browser, when the client connects to a server page using HTTPS, it should be presented NOT the server certificate BUT the proxy certificate. When the encrypted data arrives at the proxy, because it was encrypted with its proxy and not the server one, it can decrypt the data and log it. After that it encrypts the data with the server certificate and sends it. The response follows the same logic, but backwards.

The problem I currently have with Simple is that if defined as a proxy in the user's browser, the handshake process does not work, so it never receives the request encrypted with its certificate to be logged.

This is different than a tunnel, like you referred, as in a tunnel the proxy only makes two SSLSockets (browser-proxy and proxy-server) and connects them, never seeing what the data flowing through is, because it's encrypted with the server certificate.

I hope I was clearer this time. Thanks for your time.

2010/5/10 Bruno Harbulot <Bru...@ma...>

Hi Fabio,

I'm not sure you see how HTTP proxy servers work. If you've configured your browser to use 127.0.0.1:8888 as a proxy, it will use CONNECT for HTTPS connections. CONNECT must relay the entire TCP traffic upon which is the SSL connection for this to work. An HTTP proxy server that supports HTTPS doesn't have to support SSL itself. If you want your proxy to behave like an HTTP proxy with regards to HTTPS servers, it's CONNECT you need to implement; this has absolutely nothing to do with SSL or any SSLContext as far as this proxy server is concerned. It's just tunnelling the connection (no HTTP involved after the CONNECT request/response itself).

If, alternatively, you want it to act like a reverse proxy, which would relay the requests to your JBoss AS (I'm not sure if that's what you're trying to do), then you'd need your browser to assume it's the actual server (and thus not configure your browser to use it as an HTTP proxy).

It's not clear from what you're saying which of these two scenarios you're trying to achieve. They're completely different.

Best wishes,

Bruno.

On 10/05/10 17:55, Fábio Matos wrote:
> Hello Bruno,
>
> I know what you said, but doesn't Simple already support this with the use of the SSLContext as I explained?
>
> This is the scenario:
>
> Browser ----- Simple "Proxy" (with proxy certificate) ----- JBoss AS (server certificate and webpage in root, port 8443)
>
> If I access https://127.0.0.1:8443, and defined the browser proxy to 127.0.0.1:8888 as explained, I was expecting to see Simple providing the proxy certificate to the browser and after acceptance the request should arrive at the handler.
> Am I mistaken in these assumptions? Is this even possible with Simple? If not, where should I start to look in the Simple source code to make it possible?
>
> Thanks.
>
> 2010/5/10 Bruno Harbulot <Bru...@ma...>
>
> Hi Fábio,
>
> HTTP proxy servers, when relaying an HTTPS connection, are not the SSL end-point. They use the 'CONNECT' verb to relay the connection directly to the requested HTTPS server. If they were allowed to intercept the initial connection and then re-emit it to the intended server, they would act as a man-in-the-middle, which is what SSL is designed to prevent.
>
> If you want to design an HTTP proxy that supports SSL connections, you need to support the CONNECT verb, which on the server-side simply tunnels the connection to the destination server, and on the client-side starts the handshake after receiving the 200 status code from CONNECT.
>
> Best wishes,
>
> Bruno.
>
>
> On 10/05/10 17:20, Fábio Matos wrote:
> > Hello,
> >
> > I'm trying to make a man-in-the-middle SSL proxy using Simple and Apache HttpClient.
> >
> > Basically, I receive the request in the Simple handler, convert it to an HttpClient request, send it, convert the HttpClient response to a Simple response and voilà, I got myself a proxy.
> > This is working perfectly using HTTP.
> >
> > The next step was adding HTTPS support.
> > To do so I created a self-signed certificate/keystore, loaded it up in an SSLContext and fed it to the connection.connect method.
> >
> > And we arrive at the reason for this post. The port set in Simple is 8888.
> >
> > I have two behaviours:
> >
> > 1.
> > If I access https://127.0.0.1:8888 directly it shows me the certificate warning (self-signed), I accept it and the handler receives the unencrypted request just fine.
> >
> > 2.
> > If I set the browser proxy to 127.0.0.1:8888 in all protocols so, like in the HTTP case, every packet passes by the Simple handler, access an https website and the following error occurs multiple times and an empty response is returned:
> >
> > Using SSLEngineImpl.
> > Notifier-0, fatal error: 80: problem unwrapping net record
> > javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
> > Notifier-0, SEND TLSv1 ALERT: fatal, description = internal_error
> > Notifier-0, WRITE: TLSv1 Alert, length = 2
> >
> > I saw the related post about the release of Simple 4.1.20 that should fix an SSL problem and I'm using that version.
> > I tried it with the example shown in that post and it also gives me the referred error.
> >
> > Can you please give me any help on this? Is this a bug or a configuration error?
> >
> > Thanks in advance.
> >
> > --
> > Fábio Matos
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Simpleweb-Support mailing list
> > Sim...@li...
> > https://lists.sourceforge.net/lists/listinfo/simpleweb-support

--
Fábio Matos
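Bruno's point in the thread is that a forward proxy handles HTTPS with the CONNECT verb and never becomes the TLS endpoint: it parses one request line, answers 200, and then copies opaque bytes until a side closes. The following is an added example of exactly that exchange, written for this edit and not code from the thread or from the Simple project. Function names (`parse_connect_request`, `relay`, `serve_tunnel`, `demo_exchange`), the port allow-list and the "TLS-looking" byte strings are constructed for illustration; the demo runs the exchange over local socketpairs so it needs no network and no certificate. The point it makes visible is that the proxy holds no key and cannot read the payload, which is why the browser's handshake succeeds through it, and why the error in the thread ("Unrecognized SSL message, plaintext connection?") appears when an SSL-enabled server receives the CONNECT line instead of a ClientHello.

```python
import select
import socket
import threading

# Ports the tunnel is willing to open. Restricting CONNECT targets is standard
# proxy hygiene: an unrestricted CONNECT relay is a generic TCP forwarder.
ALLOWED_PORTS = {443}

CONNECT_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"


def parse_connect_request(request_line, allowed_ports=ALLOWED_PORTS):
    """Parse 'CONNECT host:port HTTP/1.x' and return (host, port).

    Raises ValueError for anything that is not a well-formed CONNECT to a
    permitted port. The request line is the only thing the proxy interprets;
    everything after the 200 response is opaque TLS bytes.
    """
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("not a CONNECT request line")
    authority, version = parts[1], parts[2]
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError("unsupported HTTP version %r" % version)
    host, sep, port_text = authority.rpartition(":")
    if not sep or not host or not port_text.isdigit():
        raise ValueError("CONNECT authority must be host:port")
    port = int(port_text)
    if port not in allowed_ports:
        raise ValueError("port %d not permitted for CONNECT" % port)
    return host.strip("[]"), port


def relay(a, b, bufsize=65536):
    """Copy bytes both ways until either side closes; return (a->b, b->a) byte counts.

    No TLS key is involved: the proxy can count bytes but cannot read them.
    """
    peer = {a: b, b: a}
    copied = {a: 0, b: 0}
    live = True
    while live:
        readable, _, _ = select.select([a, b], [], [])
        for sock in readable:
            data = sock.recv(bufsize)
            if not data:          # one endpoint closed: tear the tunnel down
                live = False
                break
            peer[sock].sendall(data)
            copied[sock] += len(data)
    a.close()
    b.close()
    return copied[a], copied[b]


def serve_tunnel(client, dial=socket.create_connection):
    """Handle one proxied HTTPS connection the way a CONNECT proxy does.

    Reads the CONNECT head from `client`, opens the upstream TCP connection,
    answers 200, then relays bytes. `dial` is injectable so the exchange can
    be exercised without a network.
    """
    head = b""
    while b"\r\n\r\n" not in head:
        chunk = client.recv(4096)
        if not chunk or len(head) > 8192:
            client.close()
            raise ValueError("incomplete or oversized CONNECT head")
        head += chunk
    request_head, _, early = head.partition(b"\r\n\r\n")
    request_line = request_head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    try:
        host, port = parse_connect_request(request_line)
    except ValueError:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        client.close()
        raise
    try:
        upstream = dial((host, port), timeout=10)
    except OSError:
        client.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
        client.close()
        raise
    client.sendall(CONNECT_OK)
    if early:                     # bytes a hasty client sent before the 200
        upstream.sendall(early)
    return relay(client, upstream)


def demo_exchange():
    """Run the full exchange over socketpairs with constructed traffic (no network)."""
    browser, proxy_in = socket.socketpair()    # browser <-> proxy
    server, proxy_out = socket.socketpair()    # proxy <-> origin server
    counts = {}
    worker = threading.Thread(target=lambda: counts.update(
        relay=serve_tunnel(proxy_in, dial=lambda addr, timeout=None: proxy_out)))
    worker.start()
    browser.sendall(b"CONNECT example.invalid:443 HTTP/1.1\r\nHost: example.invalid:443\r\n\r\n")
    status = browser.recv(1024)
    client_hello = b"\x16\x03\x01\x00\x05hello"   # constructed stand-in for a TLS record
    browser.sendall(client_hello)
    upstream_saw = server.recv(1024)
    server_reply = b"\x16\x03\x03\x00\x03bye"     # constructed stand-in for the reply
    server.sendall(server_reply)
    client_saw = browser.recv(1024)
    browser.close()                               # browser hangs up; tunnel tears down
    worker.join(timeout=5)
    server.close()
    return {"status": status, "upstream_saw": upstream_saw,
            "client_saw": client_saw, "counts": counts.get("relay")}


if __name__ == "__main__":
    print(demo_exchange())
```

Run the file directly to see the 200 status and the byte counts; what reaches the "server" is byte-for-byte what the "browser" sent, because the proxy never unwraps anything. The allow-list on the target port is the caveat a practitioner wants: without it, any client that can reach the proxy gets a general-purpose TCP relay.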