
I'm currently implementing a proxy. This is a special proxy which just replies to previously recorded requests (it has a database of requests/responses and, upon receiving a request, returns the match; this database is generated using Fiddler). In fact it is offline.

This works fine for sites without SSL, but for SSL sites there is a CONNECT HTTP message:

CONNECT myserver:9443 HTTP/1.1
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.0 Safari/534.34
Host: myserver

I don't know what exactly I should return upon receiving this request.

Thanks

Sali Hoo

1 Answer


(Perhaps this question might be of interest.)

A normal HTTPS proxy would handle the CONNECT request, make a TCP connection to myserver:9443 and, if this connection is established successfully, return a 200 status code to the client. After this, it simply relays everything between the client and the target server without looking into it.

Since you're trying to implement a MITM proxy (offline too), you're going to have to emulate the connection to the actual server by redirecting the traffic to and from the client to a pseudo HTTPS server.

You might be able to do this by implementing a fake socket class and wrapping it via ssl.wrap_socket. (Presumably, since your application is already working for plain HTTP offline, you already have done some of the work to emulate reading and writing to pseudo sockets using your offline data.)

You may also have to generate a certificate on the fly. Typically, your proxy server could have its own CA, and you'd import its CA certificate into the client's trust anchors. Using that CA, just before sending any SSL/TLS data from the client to your pseudo server, generate a certificate signed with that CA, valid for the requested host name (which you can obtain from CONNECT), and configure your pseudo server with that. Without this step, the client should complain about invalid certificates.

Bruno
  • It's possible that the connection is made not to an SSL-secured server at all (and instead a tunnel for some other protocol is built), so the task has no generic solution. – Eugene Mayevski 'Callback May 27 '14 at 06:01
  • Thanks Bruno for your detailed explanations. After reading this and looking at an example of a MITM proxy (http://mitmproxy.org/doc/howmitmproxy.html), I got it. I have written the proxy in PHP, and I think you mentioned a Python library; I hope to find a good PHP library for this :) – Sali Hoo May 27 '14 at 21:03
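The CONNECT phase the answer describes, as an added example that is not part of the original question or answer (the asker's proxy is in PHP; this is Python, using the ssl module the answer mentions). It parses the CONNECT request, answers with the 200 that opens the "tunnel", and then wraps the same TCP connection as a TLS server impersonating the requested host. The `make_context` callback, the `certs/<host>.pem` file layout and the sample request bytes are assumptions of this example; the per-host certificate signed by the proxy's own CA has to be produced separately (for instance with openssl), and the CA certificate has to be trusted by the client, as the answer says. No upstream connection is made, since the proxy is offline.

```python
import re
import socket
import ssl

# Constructed sample request, modeled on the CONNECT shown in the question.
SAMPLE_CONNECT = (
    b"CONNECT myserver:9443 HTTP/1.1\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"Host: myserver\r\n"
    b"\r\n"
)

# What a forward proxy sends once the tunnel is ready. The client then
# starts the TLS handshake on the same TCP connection.
CONNECT_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
BAD_REQUEST = b"HTTP/1.1 400 Bad Request\r\n\r\n"

# Host names we accept: letters, digits, dots and dashes only. The host is
# attacker-controlled and is later used in a file name, so keep it strict
# (bracketed IPv6 literals are deliberately rejected by this example).
HOST_RE = re.compile(r"[A-Za-z0-9.-]+")


def parse_connect(request):
    """Return (host, port) from a CONNECT request, or None if it is not one."""
    head = request.split(b"\r\n\r\n", 1)[0]
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT":
        return None
    host, sep, port = parts[1].decode("ascii", "replace").rpartition(":")
    if not sep or not HOST_RE.fullmatch(host) or not port.isdigit():
        return None
    return host, int(port)


def read_request_head(sock):
    """Read from sock until the blank line that ends the request headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("client closed before finishing CONNECT")
        buf += chunk
    return buf


def answer_connect(client_sock):
    """Handle the CONNECT phase on an accepted client socket.

    Returns (host, port) after sending the 200 that tells the client the
    tunnel is open; sends 400 and returns None for anything that is not a
    valid CONNECT. Nothing is connected upstream: the proxy is offline."""
    target = parse_connect(read_request_head(client_sock))
    if target is None:
        client_sock.sendall(BAD_REQUEST)
        return None
    client_sock.sendall(CONNECT_OK)
    return target


def wrap_as_host(client_sock, host, make_context):
    """Turn the tunnel into a TLS server socket impersonating `host`.

    make_context(host) is a caller-supplied callback (an assumption of this
    example) returning an ssl.SSLContext whose certificate is valid for
    `host` and signed by the proxy's own CA, which the client must trust.
    After this returns, the proxy reads a plain HTTP request from the TLS
    socket and answers it from the recorded database, exactly as for HTTP."""
    ctx = make_context(host)
    # server_side=True runs the handshake against the client's ClientHello.
    return ctx.wrap_socket(client_sock, server_side=True)


def context_from_files(cert_dir):
    """Build a make_context callback that loads <cert_dir>/<host>.pem.

    Assumption: that file holds the leaf certificate and its private key for
    the host, generated beforehand and signed by the proxy CA."""
    def make_context(host):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(f"{cert_dir}/{host}.pem")
        return ctx
    return make_context


def connect_exchange(request):
    """Replay `request` over a loopback socket pair and return
    (what answer_connect returned, the bytes the client received)."""
    client, server = socket.socketpair()
    try:
        client.sendall(request)
        result = answer_connect(server)
        reply = client.recv(4096)
    finally:
        client.close()
        server.close()
    return result, reply


if __name__ == "__main__":
    print(connect_exchange(SAMPLE_CONNECT))
    print(connect_exchange(b"GET http://myserver/ HTTP/1.1\r\nHost: myserver\r\n\r\n"))
```

In the real listener loop, call `answer_connect` on each accepted socket, then `wrap_as_host(sock, host, context_from_files("certs"))` and hand the returned TLS socket to the same request/response matching code used for plain HTTP. `SSLContext.wrap_socket` is used rather than the module-level `ssl.wrap_socket` named in the answer, which later Python versions removed. As the comment above notes, a client may CONNECT to tunnel something other than TLS; this example assumes TLS and will fail the handshake otherwise.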