
Custom CA will not Work

Open ajcypherint opened this issue 3 years ago • 3 comments

Since GoproxyCa is a global variable, it adds itself to the tlsConfig.Certificates, which breaks a custom MITM CA. This part of the code loads the hard-coded cert and breaks the custom CA.

initial load of global

All new custom CAs are then appended to .Certificates instead of replacing .Certificates array element 0. append

If you want a custom CA to work, define your own TLSConfigFromCA that removes the first certificate https://github.com/elazarl/goproxy/blob/8e322dfb79c43cc078201ade94238d8c7191dfe7/https.go#L447

by adding, after the above line,

`config.Certificates = config.Certificates[1:]`

thus removing the offending certificate, so maybe:

```go
// Proposed replacement for goproxy's TLSConfigFromCA: identical to the original
// except that the certificate defaultTLSConfig placed at index 0 is dropped.
func TLSConfigFromCA(ca *tls.Certificate) func(host string, ctx *ProxyCtx) (*tls.Config, error) {
	return func(host string, ctx *ProxyCtx) (*tls.Config, error) {
		var err error
		var cert *tls.Certificate

		hostname := stripPort(host)
		// Clone carries over whatever defaultTLSConfig already holds in .Certificates.
		config := defaultTLSConfig.Clone()
		ctx.Logf("signing for %s", stripPort(host))

		// Sign a leaf for this host with the caller-supplied CA.
		genCert := func() (*tls.Certificate, error) {
			return signHost(*ca, []string{hostname})
		}
		if ctx.certStore != nil {
			cert, err = ctx.certStore.Fetch(hostname, genCert)
		} else {
			cert, err = genCert()
		}

		if err != nil {
			ctx.Warnf("Cannot sign host certificate with provided CA: %s", err)
			return nil, err
		}

		config.Certificates = append(config.Certificates, *cert)
		// Drop the inherited default certificate so only the custom-CA leaf remains.
		config.Certificates = config.Certificates[1:]
		return config, nil
	}
}
```

ajcypherint, Aug 27 '21 23:08
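The two ways of filling tls.Config.Certificates that the issue contrasts, as an added example (my code, not goproxy's; the helper names and the self-signed test certificates are constructed for illustration): appendCert reproduces the append the issue points at, replaceCert keeps only the per-host certificate, and servedSubject reports the certificate a Go TLS server falls back to (Certificates[0]) when no SNI-based selection picks one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for cn (constructed test data only).
func selfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// appendCert mirrors the issue: the host cert is appended, so the base config's default CA stays at index 0.
func appendCert(base *tls.Config, hostCert tls.Certificate) *tls.Config {
	cfg := base.Clone()
	cfg.Certificates = append(cfg.Certificates, hostCert)
	return cfg
}
// replaceCert is the corrected form: the host cert becomes the only entry, so no default CA can be served.
func replaceCert(base *tls.Config, hostCert tls.Certificate) *tls.Config {
	cfg := base.Clone()
	cfg.Certificates = []tls.Certificate{hostCert}
	return cfg
}
// servedSubject is the CommonName a Go server presents when nothing selects by SNI: crypto/tls falls back to Certificates[0].
func servedSubject(cfg *tls.Config) string {
	if len(cfg.Certificates) == 0 || cfg.Certificates[0].Leaf == nil {
		return ""
	}
	return cfg.Certificates[0].Leaf.Subject.CommonName
}

func main() {
	base := &tls.Config{Certificates: []tls.Certificate{selfSigned("default-proxy-ca")}}
	host := selfSigned("example.test")
	fmt.Printf("append=%s replace=%s\n", servedSubject(appendCert(base, host)), servedSubject(replaceCert(base, host)))
}
```

Go matches Certificates against the client's SNI name before falling back to index 0, so the inherited default entry only surfaces when nothing matches; replacing rather than appending removes that path entirely.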

delete this.

guzzijones, Aug 31 '21 18:08

@ajcypherint can't you just change goproxy GoproxyCa to your liking?

elazarl, Sep 13 '21 06:09

Yes. Close this issue. The problem was with our internal certificate.


ajcypherint, Sep 13 '21 14:09