Does the library fully support TLS interception?

Open mai1x9 opened this issue 2 years ago • 3 comments

Hello there, I have been trying to use this library for TLS interception but I see a lot of errors like file not found, SSLEOFError, ssl v3 verification failed, unknown cert etc. It keeps on throwing errors as I keep changing HTTPS websites (like stack-overflow, udemy, gmail, github etc.). I have checked other issues raised on TLS / SSL and I could see that the feature must be implemented or is currently not supported etc.

Just want to know if I can really use this library and whether all TLS issues are fixed or not. I could see limitations at: https://github.com/abhinavsingh/proxy.py#oserror-when-wrapping-client-for-tls-interception but have there been any new releases addressing these issues?

Apart from that, a lot of the plugins used are based on httpbin or curl. In reality, practical examples against HTTPS websites would be better and more realistic.

Can I find documentation with step-by-step instructions, right from generating SSL certs to adding them to the browser and performing successful TLS interception on an HTTPS website like stackoverflow.com or github.com?

Also I am interested in learning more about TLS interception, especially fixing errors, so I want to know of any good starting point / resources to get acquainted with TLS before I branch out the code for development and submit a PR.

mai1x9 avatar Nov 17 '23 10:11 mai1x9

@mai1x9 apologies for the delayed response. Yes, proxy.py supports full TLS interception, but:

  1. It doesn't let you bypass out-of-bound mechanisms in place for certificate validation, e.g. certificate pinning, stapling etc.
  2. OSError can also happen if the client is using deprecated SSL versions.

abhinavsingh avatar May 10 '24 17:05 abhinavsingh

Thank you for the reply @abhinavsingh, but I am still facing a lot of OSErrors. I am running on Windows 10, version 22H2. Is there a way to fix this?

Also, can you kindly provide resources or a starting point to build code like proxy.py from scratch? I want to try writing my own code, but I am not finding any starting point from where I should look for TLS / SSL interception.

mai1x9 avatar May 12 '24 14:05 mai1x9

@mai1x9 To identify the root cause, let's identify the origin of the failing requests. Do the requests that hit OSError come from the browser or directly from your operating system?

I tried the following to see where we can possibly improve:

  • Start proxy.py in TLS interception mode: proxy --plugins proxy.plugin.CacheResponsesPlugin --ca-key-file ca-key.pem --ca-cert-file ca-cert.pem --ca-signing-key-file ca-signing-key.pem --log-level d
  • Open the Chrome browser pointing at the proxy.py server: ./helper/chrome_with_proxy.sh

and I see the following logs from Chrome:

[32534:42503:0514/200407.245142:ERROR:cert_verify_proc_builtin.cc(1052)] CertVerifyProcBuiltin for clientservices.googleapis.com failed:
----- Certificate i=0 (CN=upload.video.google.com) -----
WARNING: Certificate does not have extended key usage

----- Certificate i=1 (CN=localhost) -----
ERROR: Does not have Basic Constraints

So it looks like the generated certificates are not compliant with https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9 , something we might try to fix and see if it helps get past these OSErrors.

abhinavsingh avatar May 14 '24 14:05 abhinavsingh