DeleGate as a Man-In-The-Middle proxy
Yutaka Sato
July 5, 2006
( Note that this feature is available only in the binary distributions. )
Peeping the encrypted communication in HTTPS/SSL as a HTTP proxy becomes necessary in several situations. If the peeping is done by stealth by a malicious third party, it should be prevented as Man-In-The-Middle attack. But if it is done by the same party including the user of the client, it can be a useful feature.
decrypt +---[ ]----> encrypt (request)
HTTPS | | HTTPS
client ===========+ DeleGate +================================ server
HTTPS/SSL | HTTP | HTTPS/SSL
| |
encrypt <---[ ]----+ decrypt (response)
+ conversion
+ filtering (HTTP header rewriting)
+ CFI (data conversion, A.V. filter, etc)
+ MOUNT (URL)
+ CHARSET (text)
+ logging
+ cache
+ access-control
+ ...
Configuring DeleGate as a HTTP proxy to do such peeping has become
easy in the version 9.2.3, with a STLS option just as:
|
STLS=mitm |
|
delegated -v -P8080 SERVER=http STLS=mitm FTOSV=-tee-n |
| STLS=-mitm | ... the option of DeleGate to enable the spot MITM |
| https://host.domain/path | ... the real URL of the target SSL server |
| https://-mitm.host.domain/path | ... a pseudo URL to enable MITM with the SSL server |
( excerpt from the reference manual )
STLS parameter* == STLS=stlsSpecs[,sslwayCom][:connMap] stlsSpecs == [-]stlsSpec[/im][/ssl][,stlsSpecs] stlsSpec == fsv | fcl | mitm | imimSec sslwayCom == {sslway [-Vrfy] [-CApath dir] ...} connMap == ProtoList:dstHostList:srcHostList -- default: none -- restriction: applicable to HTTP, FTP, SMTP, POP, IMAP, SOCKS -- required: SSLway
-
This parameter controls the initiation of SSL (TLS) based on a negotiation
between client and server in each application protocol.
The common scheme of the negotiation is known as "STARTTLS".
"fsv" specifies using SSL with server and "fcl" specifies using SSL with client.
When SSL is not supported on a connection, the STARTTLS negotiation will fail
and the connection will be closed by default.
To continue a session even when SSL is not available,
prefix "-" to "fsv" or "fcl".
If "fcl" is specified, a client may start SSL without STARTTLS negotiation. Such implicit SSL negotiation from the client-side is detected by peeping a SSL hand-shake packet on the connection from the client-side at the beginning of a session for a certain period specified with imimSec. The default value is "im0.25" (250m seconds). "-im" disables this implicit SSL negotiation. If a stlsSpec is followed with "/im" as STLS="fsv/im" for example, SSL with the peer (with the server in this case) is applied without the STARTTLS negotiation.
If "mitm" is specified, it behaves like "-fcl,-fsv" that is if SSL is enabled in the client side then SSL on the server side is enabled. It can be used with a HTTP proxy DeleGate as a "secure proxy" or "SSL-tunnel" to peep the bidirectional communication in CONNECT method, relaying it as a usual HTTP applying filters and cache. ("mitm" means "Man-In-The-Middle" mode) If it is set optional as "STLS=-mitm" then the MITM mode is activated only when the client specified the server name prefixing with "-mitm." as "https://-mitm.host.domain/" for "https://host.domain/".
If non default SSLway command path or options are necessary to be used, the SSLway command can be specified after stlsSpecs as STLS="fcl,sslway -Vrfy -cert mycert.pem" for example.
Example:
-
STLS="fcl" -- use SSL with client (exit the session if not available)
STLS="-fcl" -- use SSL with client if available
STLS="fsv,-fcl" -- use SSL with server, and with client if available
STLS="fsv/ssl" SERVER="ftp" -- use AUTH SSL instead of AUTH TLS
STLS="fsv,im0.5" SERVER="ftp" -- automatic detection of implicit/explicit SSL server
| PageViews: 1,020 hits / 130 nets |