[nzlug] HTTPS proxy

Jim Cheetham jim at gonzul.net
Wed Mar 14 16:15:04 NZDT 2007


On 14/03/07, Michal Ludvig <michal at logix.cz> wrote:
> Jim Cheetham wrote:
> > Well, you can't decrypt SSL transactions unless you have a copy of the
> > server certificates at least.
>
> I assume it's standard SSL as it runs on port 443. And in SSL I believe
> MITM is easily possible:

Yeah, MITM isn't decryption :-)

If the client authenticates the server certificate, or signature
authority, you'll be sunk. This is generally rare except in a very
tightly closed system. If the server verifies the client, and you
can't open up the client to get their certificate, you're also sunk;
this is more common, but still slightly unusual (unfortunately).

Googling found a possible match for you :-
http://www.delegate.org/delegate/mitm/

"DeleGate is a multi-purpose application level gateway, or a proxy
server which runs on multiple platforms (Unix, Windows, MacOS X and
OS/2). DeleGate mediates communication of various protocols (HTTP,
FTP, NNTP, SMTP, POP, IMAP, LDAP, Telnet, SOCKS, DNS, etc.), applying
cache and conversion for mediated data, controlling access from
clients and routing toward servers. It translates protocols between
clients and servers, applying SSL(TLS) to arbitrary protocols,
converting between IPv4 and IPv6, merging several servers into a
single server view with aliasing and filtering. Born as a tiny proxy
for Gopher in March 1994, it has steadily grown into a general purpose
proxy server. Besides being a proxy, DeleGate can be used as a simple
origin server for some protocols (HTTP, FTP and NNTP)."

MITM mode was added in June 2006. I'm not yet sure of the license.

-jim
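The two conditions Jim lists above (the client authenticating the server certificate, and the server demanding a client certificate) can be tried directly with a TLS handshake. The following is an added example written for this page; it is not code from the thread and not DeleGate's MITM implementation. It mints a throwaway CA, a separate CA for the interception proxy, and the certificates each party presents (all constructed for the example; "Example Root CA", "Proxy MITM CA", www.example.com and the client name "alice" are placeholders), then runs handshakes over loopback TCP with Go's crypto/tls: a verifying client against the real origin and against the proxy's forged certificate, a non-verifying client against the proxy, and the proxy connecting onward to an origin that requires a client certificate, with and without the user's own certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 cert for name: a self-signed CA when parent is nil, else a leaf signed by parent.
func issue(name string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else { // leaf usable as either a server or a client certificate
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

var (
	realCA  = issue("Example Root CA", nil)      // constructed for the example: the CA the client trusts
	proxyCA = issue("Proxy MITM CA", nil)        // constructed: the interception proxy's own CA
	origin  = issue("www.example.com", &realCA)  // the real server's certificate
	forged  = issue("www.example.com", &proxyCA) // what the proxy presents to the client
	alice   = issue("alice", &realCA)            // the user's client certificate
)

func pool(ca tls.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(ca.Leaf)
	return p
}

// handshake runs one TLS handshake over loopback TCP and returns the first error seen on either side.
func handshake(server, client *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second)) // never hang on a misbehaving peer
		done <- tls.Server(conn, server).Handshake()
	}()
	conn := must(net.Dial("tcp", ln.Addr().String()))
	defer conn.Close()
	cErr := tls.Client(conn, client).Handshake()
	if sErr := <-done; cErr == nil {
		return sErr
	}
	return cErr
}

// ServerAuth connects a client to a server presenting cert. With verify=true the client checks the
// chain against the real CA and the expected host name; with verify=false it accepts whatever it is shown.
func ServerAuth(cert tls.Certificate, verify bool) error {
	client := &tls.Config{InsecureSkipVerify: !verify, RootCAs: pool(realCA), ServerName: "www.example.com"}
	return handshake(&tls.Config{Certificates: []tls.Certificate{cert}}, client)
}

// ClientAuth models an origin that demands a client cert from the real CA; the proxy, connecting
// onward as the client, only passes if it holds the user's certificate and key.
func ClientAuth(withUserCert bool) error {
	server := &tls.Config{Certificates: []tls.Certificate{origin},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool(realCA)}
	client := &tls.Config{RootCAs: pool(realCA), ServerName: "www.example.com"}
	if withUserCert {
		client.Certificates = []tls.Certificate{alice}
	}
	return handshake(server, client)
}

func main() {
	fmt.Println("proxy vs verifying / non-verifying client:", ServerAuth(forged, true), "/", ServerAuth(forged, false))
	fmt.Println("proxy vs client-auth origin, without / with the user's cert:", ClientAuth(false), "/", ClientAuth(true))
}
```

Run it with `go run`. The verifying client fails with an "unknown authority" error because the forged certificate chains to a CA it does not trust, which is exactly the case where the proxy is "sunk"; flip `verify` off and the same forged certificate is accepted. The client-certificate case fails on the server side until the proxy is given the user's certificate and private key. What a real client does with that verification failure (hard fail, or a warning the user can click through) is a client policy question this example does not model.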



More information about the NZLUG mailing list