( Note that this feature is available only in the binary distributions. )
Inspecting ("peeping") the encrypted communication of HTTPS/SSL at an HTTP proxy becomes necessary in several situations. When it is done covertly by a malicious third party, it is a Man-In-The-Middle attack and must be prevented. But when it is done by the party on the client side itself (including the user of the client), it can be a useful feature.
                    decrypt +---[   ]----> encrypt      (request)
    HTTPS                   |         |                 HTTPS
    client =================+ DeleGate +================ server
    HTTPS/SSL               |  HTTP   |                 HTTPS/SSL
                            |         |
                    encrypt <---[   ]----+ decrypt      (response)
                                + conversion
                                + filtering (HTTP header rewriting)
                                + CFI (data conversion, A.V. filter, etc)
                                + MOUNT (URL)
                                + CHARSET (text)
                                + logging
                                + cache
                                + access-control
                                + ...

Inside DeleGate the relayed traffic is plain HTTP, so the usual conversion, filtering, caching and access control can be applied to it. Configuring DeleGate as an HTTP proxy to do such inspection has become easy as of version 9.2.3, with the STLS option, for example:
    STLS=mitm

    delegated -v -P8080 SERVER=http STLS=mitm FTOSV=-tee-n

Alternatively, the MITM mode can be made optional, so that it is activated only for URLs in which the client prefixes the server name with "-mitm.":

    STLS=-mitm                       ... the option of DeleGate to enable the spot MITM
    https://host.domain/path         ... the real URL of the target SSL server
    https://-mitm.host.domain/path   ... a pseudo URL to enable MITM with the SSL server
( excerpt from the reference manual )
    STLS parameter* == STLS=stlsSpecs[,sslwayCom][:connMap]
      stlsSpecs == [-]stlsSpec[/im][/ssl][,stlsSpecs]
      stlsSpec  == fsv | fcl | mitm | imimSec
      sslwayCom == {sslway [-Vrfy] [-CApath dir] ...}
      connMap   == ProtoList:dstHostList:srcHostList
      -- default: none
      -- restriction: applicable to HTTP, FTP, SMTP, POP, IMAP, SOCKS
      -- required: SSLway
If "fcl" is specified, a client may start SSL without STARTTLS negotiation. Such implicit SSL negotiation from the client side is detected by watching for an SSL handshake packet on the connection from the client side at the beginning of a session, for a period specified with imimSec. The default value is "im0.25" (250 milliseconds). "-im" disables this implicit SSL negotiation. If a stlsSpec is followed by "/im", as in STLS="fsv/im" for example, SSL with the peer (the server in this case) is applied without STARTTLS negotiation.
If "mitm" is specified, it behaves like "-fcl,-fsv", that is, if SSL is enabled on the client side then SSL on the server side is enabled as well. It can be used with an HTTP proxy DeleGate as a "secure proxy" or "SSL tunnel" to inspect the bidirectional communication of the CONNECT method, relaying it as usual HTTP with filters and cache applied. ("mitm" means "Man-In-The-Middle" mode.) If it is set as optional, as "STLS=-mitm", then the MITM mode is activated only when the client specifies the server name prefixed with "-mitm.", as "https://-mitm.host.domain/" for "https://host.domain/".
If a non-default SSLway command path or non-default options are necessary, the SSLway command can be specified after stlsSpecs, as STLS="fcl,sslway -Vrfy -cert mycert.pem" for example.
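As an added illustration of the STLS grammar above (this is not DeleGate's own code), the following parser splits an STLS value into its stlsSpecs, the optional SSLway command and the connMap, and reports whether MITM is always on (STLS=mitm) or opt-in per URL (STLS=-mitm); the meaning of SSLway's -Vrfy as peer certificate verification is an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Grammar (manual excerpt above): STLS=stlsSpecs[,sslwayCom][:connMap]
#   stlsSpecs == [-]stlsSpec[/im][/ssl][,stlsSpecs]; stlsSpec == fsv | fcl | mitm | imimSec
SPEC_RE = re.compile(r"^(-?)(fsv|fcl|mitm|im(\d+(?:\.\d+)?)?)((?:/im|/ssl)*)$")

@dataclass
class StlsSpec:
    name: str                        # "fsv", "fcl", "mitm" or "im"
    optional: bool                   # leading "-" ("-im" disables implicit SSL detection)
    implicit: bool = False           # "/im": SSL with the peer without STARTTLS negotiation
    ssl: bool = False                # "/ssl" suffix
    im_sec: Optional[float] = None   # imimSec, e.g. 0.25 for "im0.25"

@dataclass
class StlsConfig:
    specs: List[StlsSpec] = field(default_factory=list)
    sslway: Optional[str] = None     # explicit SSLway command, if given
    conn_map: Optional[str] = None   # "ProtoList:dstHostList:srcHostList"

def parse_stls(value: str) -> StlsConfig:
    """Parse an STLS parameter value, with or without the leading 'STLS='."""
    if value.startswith("STLS="):
        value = value[len("STLS="):]
    specs_part, _, conn_map = value.partition(":")
    cfg = StlsConfig(conn_map=conn_map or None)
    tokens = specs_part.split(",")
    for i, tok in enumerate(tokens):
        m = SPEC_RE.match(tok)
        if not m:  # first token that is not a stlsSpec starts the sslwayCom
            cfg.sslway = ",".join(tokens[i:])
            break
        neg, word, secs, flags = m.groups()
        cfg.specs.append(StlsSpec(name="im" if word.startswith("im") else word,
                                  optional=(neg == "-"), implicit="/im" in flags,
                                  ssl="/ssl" in flags, im_sec=float(secs) if secs else None))
    return cfg

def mitm_mode(cfg: StlsConfig) -> str:
    """'always' for STLS=mitm, 'per-url' for STLS=-mitm (the client opts in with
    'https://-mitm.host.domain/'), 'off' when no mitm spec is present."""
    for s in cfg.specs:
        if s.name == "mitm":
            return "per-url" if s.optional else "always"
    return "off"

def verifies_server_cert(cfg: StlsConfig) -> bool:
    """True when the SSLway command carries -Vrfy (assumed to verify the peer's certificate)."""
    return cfg.sslway is not None and "-Vrfy" in cfg.sslway.split()
```

Running the parser over an existing DeleGate command line makes it easy to see whether inspection applies to every CONNECT or only to "-mitm." pseudo URLs, and whether an explicit SSLway command was given at all.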
Example: