
Add Support for Configuring TLS 1.3 Cipher Suites

Open mhils opened this issue 4 years ago • 10 comments

Due to the major differences between the way that ciphersuites for TLSv1.2 and below and ciphersuites for TLSv1.3 work, they are configured in OpenSSL differently too.

We don't support configuring TLSv1.3 cipher suites yet. If this would be useful to you, please comment here.

mhils avatar Nov 02 '20 00:11 mhils

I think it would be a useful feature and even a necessity at some point. Beyond that, would it be possible to customize the handshake so that the proxy-server connection looks, for example, like a normal browser-server connection? Some environments may act differently upon the client's TLS fingerprint.

https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967

c1b3rd0rk avatar Nov 10 '20 20:11 c1b3rd0rk

@c1b3rd0rk: Yes. We're currently refactoring our proxy core (#1775), which lays the foundation for this. The entire OpenSSL TLS configuration will be handled in a mitmproxy addon and can then be customized by users:

https://github.com/mitmproxy/mitmproxy/blob/f7c649924cf524133fc7814d806f6b253f0b67e9/mitmproxy/addons/tlsconfig.py#L130-L188

We likely won't put effort into perfectly mimicking clients until that becomes a more substantial problem in practice.

mhils avatar Nov 28 '20 14:11 mhils

That's great to hear. I took a short look at the code a while ago. mitmproxy crafts its own hello. For mimicking, would it maybe be possible to just "copy" the original client hello, i.e. mitmproxy sends exactly the same data (except maybe the client random)?

Depending on where you are in the network the problem is already substantial. Attackers (and defenders) are already making use of this. Intercepting proxies are actively targeted because all traffic is funneled through them. Once you pwn them you get all the traffic in the clear. From your new beachhead you can now also start to attack the rest of the network. The only thing you need to do if you want to see if an intercepting proxy is in use is make the victim connect to your website. There are TLS fingerprint plugins available for Apache and nginx. You then can see if this looks like a normal browser hello, or it looks like a browser (from the user agent) but the TLS fingerprint is different. Or, if you have capabilities on a bigger level, just sniff all traffic on the WAN side. It also makes tracking of specific users easier. Alternatively you can specifically choose to not attack a client because an intercepting proxy is running. You increase the risk your neat malware will be saved in the clear in some traffic dump.

There is only a little well-maintained software for intercepting proxies around; also, some of the commercial ones just use Squid. I don't know about the adoption of mitmproxy, but it is certainly among those few. Better be sneaky and don't stick out from the crowd :)

https://github.com/fooinha/nginx-ssl-ja3
https://docs.opnsense.org/manual/how-tos/nginx_tls_fingerprints.html
https://docs.trafficserver.apache.org/en/latest/admin-guide/plugins/ja3_fingerprint.en.html
https://blogs.cisco.com/security/tls-fingerprinting-in-the-real-world
https://media.defense.gov/2019/Dec/16/2002225460/-1/-1/0/INFO%20SHEET%20%20MANAGING%20RISK%20FROM%20TRANSPORT%20LAYER%20SECURITY%20INSPECTION.PDF

c1b3rd0rk avatar Dec 02 '20 15:12 c1b3rd0rk
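The TLS fingerprinting that the comment above relies on, as an added example (my own code, not code from this issue, from mitmproxy or from the linked plugins): a minimal JA3 computation over a raw TLS ClientHello record. JA3 joins the legacy version, the cipher suite list, the extension type list, the supported groups and the EC point formats (all decimal, GREASE values dropped) and takes the MD5 of that string. The ClientHello bytes are produced by a builder in the same block; the cipher, extension and group values chosen for it are illustrative assumptions, not a capture of any real browser or of mitmproxy's own hello.

```python
"""JA3 fingerprint of a TLS ClientHello (added example, not mitmproxy code).

The sample hello is constructed with build_client_hello(); its values are
assumptions for illustration, not a capture of any real client.
"""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 drops them so a
# client that randomises its GREASE values still yields a stable fingerprint.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def u16s(values):
    return b"".join(struct.pack("!H", v) for v in values)


def tls_ext(etype, data):
    """One extension: type(2) length(2) data."""
    return struct.pack("!HH", etype, len(data)) + data


def ext_grease(value):
    return tls_ext(value, b"")


def ext_sni(host):
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
    return tls_ext(0, struct.pack("!H", len(entry)) + entry)


def ext_supported_groups(groups):
    return tls_ext(10, struct.pack("!H", 2 * len(groups)) + u16s(groups))


def ext_ec_point_formats(formats):
    return tls_ext(11, bytes([len(formats)]) + bytes(formats))


def ext_signature_algorithms(algs):
    return tls_ext(13, struct.pack("!H", 2 * len(algs)) + u16s(algs))


def ext_supported_versions(versions):
    return tls_ext(43, bytes([2 * len(versions)]) + u16s(versions))


def build_client_hello(version, ciphers, extensions, random=b"\x11" * 32):
    """Wrap a ClientHello body in handshake and record headers (constructed input)."""
    cs = u16s(ciphers)
    exts = b"".join(extensions)
    body = (struct.pack("!H", version) + random
            + b"\x00"                                    # empty session id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00"                                # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3(record):
    """Return (ja3_string, ja3_md5) for one TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = int.from_bytes(body[0:2], "big")
    off = 2 + 32                                         # skip client random
    off += 1 + body[off]                                 # skip session id
    cs_len = int.from_bytes(body[off:off + 2], "big")
    off += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                                 # skip compression methods
    ext_types, groups, formats = [], [], []
    if off < len(body):
        end = off + 2 + int.from_bytes(body[off:off + 2], "big")
        off += 2
        while off < end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            data = body[off + 4:off + 4 + elen]
            off += 4 + elen
            ext_types.append(etype)
            if etype == 10:                              # supported_groups
                n = int.from_bytes(data[0:2], "big")
                groups = [int.from_bytes(data[i:i + 2], "big") for i in range(2, 2 + n, 2)]
            elif etype == 11:                            # ec_point_formats (1 byte each)
                formats = list(data[1:1 + data[0]])

    def field(vals, drop_grease=True):
        return "-".join(str(v) for v in vals if not (drop_grease and v in GREASE))

    s = ",".join([str(version), field(ciphers), field(ext_types),
                  field(groups), field(formats, False)])
    return s, hashlib.md5(s.encode()).hexdigest()


# Constructed sample: browser-like hello with GREASE in ciphers, extensions and groups.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1A1A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F],
    [ext_grease(0x2A2A), ext_sni("example.com"),
     ext_supported_groups([0x3A3A, 29, 23, 24]), ext_ec_point_formats([0]),
     ext_signature_algorithms([0x0403, 0x0804]), ext_supported_versions([0x0304, 0x0303])],
)

if __name__ == "__main__":
    print(*ja3(SAMPLE_HELLO))
```

Two hellos that differ only in the client random and in the GREASE values they pick fingerprint identically, while reordering or adding a single cipher suite changes the hash. That is exactly why a proxy's hand-crafted hello stands out: to "mirror" a client it would have to reproduce these five fields, in the client's order, every time.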

Hello! I have a need to configure TLS ciphersuites and extensions (including TLS 1.3) to match those of a client application (the one using proxy). I have a little experience writing mitmproxy addons. What can I use as a starting point/reference? A quick look over tlsconfig.py leads me to TODOs. By the way, mitmproxy is an absolutely great tool! Thanks a lot for putting your efforts into it!

fedosgad avatar Feb 14 '22 10:02 fedosgad

@fedosgad: In short, we use OpenSSL via cryptography/pyOpenSSL.

For the OpenSSL bits, see https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites and https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html. cryptography exposes the relevant bindings, but pyOpenSSL does not. https://github.com/pyca/pyopenssl/pull/963 may help in figuring out how to do things.

mhils avatar Feb 14 '22 11:02 mhils
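To make the split described above concrete, here is an added example (my own code, not mitmproxy, cryptography or pyOpenSSL code) using only Python's standard library. ssl.SSLContext.set_ciphers() drives OpenSSL's SSL_CTX_set_cipher_list(), which governs TLS 1.2 and below only; the stdlib has no wrapper for SSL_CTX_set_ciphersuites(), so the TLS 1.3 suites that get_ciphers() reports stay untouched whatever cipher string you set. The cipher string and the forward-secrecy/AEAD audit are assumptions chosen for illustration.

```python
"""TLS <=1.2 ciphers and TLS 1.3 ciphersuites are separate lists in OpenSSL.

Added example, not mitmproxy code. Uses only the stdlib ssl module, which
exposes SSL_CTX_set_cipher_list() (via set_ciphers) but not
SSL_CTX_set_ciphersuites(), so the TLS 1.3 side is read-only from here.
"""
import ssl

TLS13_AVAILABLE = ssl.HAS_TLSv1_3

# What the TLS 1.3 side would need in OpenSSL's own syntax (SSL_CTX_set_ciphersuites);
# listed for reference only: no stdlib call accepts this string.
TLS13_SUITE_STRING = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"


def split_by_protocol(ctx):
    """Partition ctx.get_ciphers() into TLS 1.3 suite names and older ones (OpenSSL order)."""
    tls13, legacy = [], []
    for c in ctx.get_ciphers():
        (tls13 if c["protocol"] == "TLSv1.3" else legacy).append(c["name"])
    return tls13, legacy


def weak_legacy_suites(ctx):
    """Legacy (<=1.2) suites without forward secrecy or without AEAD (audit threshold is an assumption).

    TLS 1.3 suites are skipped: every TLS 1.3 suite is AEAD and keys are always ephemeral.
    """
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"
            and (c.get("kea") not in ("kx-ecdhe", "kx-dhe") or not c.get("aead"))]


def restrict_legacy_ciphers(cipher_string="ECDHE-RSA-AES128-GCM-SHA256"):
    """Apply a TLS 1.2-style cipher string and report which list it changed."""
    ctx = ssl.create_default_context()
    tls13_before, legacy_before = split_by_protocol(ctx)
    ctx.set_ciphers(cipher_string)        # SSL_CTX_set_cipher_list: TLS <= 1.2 list only
    tls13_after, legacy_after = split_by_protocol(ctx)
    return {
        "tls13_before": tls13_before,
        "tls13_after": tls13_after,       # identical to tls13_before: not configurable here
        "legacy_before": legacy_before,
        "legacy_after": legacy_after,     # now exactly the suites named in cipher_string
        "weak_after": weak_legacy_suites(ctx),
    }


if __name__ == "__main__":
    for key, names in restrict_legacy_ciphers().items():
        print(f"{key}: {names}")
```

The same distinction applies to a mitmproxy addon built on pyOpenSSL: `Context.set_cipher_list()` is the TLS 1.2 list, and anything TLS 1.3-specific has to reach `SSL_CTX_set_ciphersuites()` by some other route, which is what the linked pyOpenSSL pull request is about.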

What does the support for TLS 1.3 cipher suites currently look like?

I seem to be able to set 1.3 in the mitmproxy config, but I get weird behavior.

ghost avatar Nov 23 '22 08:11 ghost

Is there any progress on this? Support for TLS 1.3 ciphers would be great!

fuomag9 avatar Jul 04 '23 18:07 fuomag9

No progress on this as far as I'm aware. :)

mhils avatar Jul 04 '23 18:07 mhils

Still no support for TLSv1.3 cipher suites?

PATAPOsha avatar Dec 13 '23 18:12 PATAPOsha

To blend in better and get to a point where you can just mirror the client you want to proxy, this would be helpful. Lower TLS versions are slowly being phased out.

yoshimo avatar Feb 17 '24 13:02 yoshimo