
RITM assumes HTTP CONNECT requests are always HTTPS

Open bcoles opened this issue 7 years ago • 0 comments

RITM assumes HTTP CONNECT requests indicate that the client wants to initiate an HTTPS connection. This is an unsafe assumption.

This affects clients attempting to tunnel unencrypted HTTP with the CONNECT method, as the subsequent request is forwarded as unencrypted HTTP to the SSL reverse proxy server, which expects an SSL/TLS client hello rather than HTTP data.

As a result, RITM returns a generic default WEBrick::Response 200 OK to the client in response to the initial CONNECT (rather than HTTP/1.0 200 Connection established), and then fails to deliver the subsequent request to the appropriate server.

Additionally, while most clients will probably accept the 200 OK, a 200 Connection Established would be more appropriate.

To reproduce this issue, use this example RITM script:

#!/usr/bin/env ruby
require 'ritm'

session = Ritm::Session.new
session.configure {
  proxy[:bind_port] = 8081             # plain HTTP proxy port that clients connect to
  ssl_reverse_proxy[:bind_port] = 8082 # internal SSL/TLS reverse proxy that CONNECT traffic is forwarded to
}
session.start
puts 'Hit enter to finish'
gets
session.shutdown

Proxychains

Here's an example with proxychains:

HTTP

# proxychains curl -isk http://example.com/
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8081-<><>-93.184.216.34:80-<><>-OK

HTTPS

# proxychains curl -isk https://example.com/
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8081-<><>-93.184.216.34:443-<><>-OK
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: text/html
[... truncated for brevity ...]

cURL

Here's an example with cURL:

HTTP

# curl -isk -x http://127.0.0.1:8081 http://example.com --proxytunnel
HTTP/1.1 200 OK
Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25) OpenSSL/1.0.1e
Date: Thu, 14 Dec 2017 07:19:11 GMT
Content-Length: 0
Connection: close

HTTPS

# curl -isk -x http://127.0.0.1:8081 https://example.com --proxytunnel
HTTP/1.1 200 OK
Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25) OpenSSL/1.0.1e
Date: Thu, 14 Dec 2017 07:19:20 GMT
Content-Length: 0
Connection: close

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: text/html
[... truncated for brevity ...]

bcoles, Dec 17 '17 04:12
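The fix the report implies is for the CONNECT handler to answer with a proper "200 Connection established" and then look at the first bytes the client sends through the tunnel before deciding whether to hand the stream to the TLS reverse proxy or to treat it as plaintext HTTP. The following is an added example that is not RITM's own code; the function names (parse_connect_request_line, classify_tunnel_payload, sniff_tunnel, handle_connect) and the socket pair used as a stand-in for a client connection are assumptions for illustration.

```ruby
#!/usr/bin/env ruby
# Added example, not part of RITM: a CONNECT handler that does not assume the
# tunnelled payload is TLS. All names here are hypothetical.
require 'socket'

# Conventional reply for a successful CONNECT. RFC 7231 section 4.3.6 makes any
# 2xx mean "tunnel established"; the reason phrase below is the customary one.
CONNECT_ESTABLISHED = "HTTP/1.1 200 Connection established\r\n\r\n".freeze

# Parse a request line such as "CONNECT example.com:443 HTTP/1.1".
# Returns [host, port] or nil when the line is not a well-formed CONNECT.
def parse_connect_request_line(line)
  m = /\ACONNECT\s+(?<host>\[[0-9a-fA-F:.]+\]|[^\s:\/]+):(?<port>\d{1,5})\s+HTTP\/1\.[01]\r?\n?\z/.match(line)
  return nil unless m
  port = m[:port].to_i
  return nil unless (1..65535).cover?(port)
  [m[:host].delete('[]'), port]
end

HTTP_METHODS = %w[GET POST PUT DELETE HEAD OPTIONS PATCH TRACE].freeze

# Classify the first bytes the client sends after the tunnel is established.
# A TLS record begins with content type 0x16 (handshake) and major version 0x03;
# plaintext HTTP begins with an ASCII method token followed by a space.
def classify_tunnel_payload(bytes)
  return :unknown if bytes.nil? || bytes.bytesize < 3
  b = bytes.bytes
  return :tls if b[0] == 0x16 && b[1] == 0x03 && (0x00..0x04).cover?(b[2])
  raw = bytes.b
  token = raw.split(' ', 2).first.to_s
  return :http if raw.include?(' ') && HTTP_METHODS.include?(token)
  :unknown
end

# Peek at the first bytes without consuming them, so whichever backend the
# proxy chooses still receives the complete client hello or request.
def sniff_tunnel(sock, max = 8)
  classify_tunnel_payload(sock.recv(max, Socket::MSG_PEEK))
end

# Full CONNECT handling: validate the target, acknowledge the tunnel, then
# decide between the TLS interception path and the plain HTTP path.
# Returns [host, port, kind], or nil for a malformed CONNECT line.
def handle_connect(client, request_line)
  target = parse_connect_request_line(request_line)
  return nil unless target
  client.write(CONNECT_ESTABLISHED)
  [target[0], target[1], sniff_tunnel(client)]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: a socket pair stands in for a real client connection.
  client_side, proxy_side = UNIXSocket.pair
  client_side.write("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
  p handle_connect(proxy_side, "CONNECT example.com:80 HTTP/1.1\r\n")
end
```

In the plaintext case the proxy would forward the still-unread request to the origin on the parsed port instead of to the SSL reverse proxy, which is exactly the path that fails in the report above; in the TLS case the untouched client hello goes to the interception listener as before.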