When generating an SSL certificate, paid or self-signed, you assign a set of specific domains (wildcard or not), known as canonical names. If you use this SSL certificate to open domains which are not on the list, Chrome gives a warning - NET::ERR_CERT_COMMON_NAME_INVALID - you know, click Advanced > Proceed Unsafe.

I use the same certificate on Charles Proxy, which opens all URLs fine in Chrome, without warning. Viewing it under dev options > Security > View certificate, I can see that it's my certificate, my domain etc. However, Charles changes the domains on the cert automatically for any website you visit, which passes all Chrome validations / warnings.

Cert First Tab -- > Cert Details

How can I achieve this?

Preferably using Nginx or NodeJS via https.createServer(...)

I'm not worried about how to bypass Chrome, but about how a .cer can be modified so instantly for each HTTP request and be served to the browser.

JsEveryDay
  • What exactly is your use case? If you need it for a public site then you would need to have a publicly accepted CA certificate which you will not get for this purpose. – Steffen Ullrich Dec 07 '17 at 03:32
  • This is for development/debugging purposes. Why use http debugging software when you can do it natively in node. Most importantly understand this from a security perspective, I want to know how this is done or the concept of it. I didn't know certificates could be modified on the fly, I thought the certificate was and could only be a static set file. This would be used in linux machines or simply debugging over LAN. – JsEveryDay Dec 08 '17 at 05:11
  • *"I didn't know certificates could be modified on the fly, I thought the certificate was and could only be a static set file."* - certificates cannot be modified. Instead new certificates will be issued on demand by a local CA, i.e. depending on what domain the client wants to access. – Steffen Ullrich Dec 08 '17 at 05:27
  • I understand, but any clues how to do this? My certificate is CA level, do I need to run openssl to generate a new cert for each domain requested? Is there a more efficient way to do this? You are right, Charles must be acting as a CA server, it requires .pk12 so it's definitely reissuing them. – JsEveryDay Dec 08 '17 at 06:19
  • I'm pretty sure that you cannot do this with nginx. As for Nodejs look at [this question](https://stackoverflow.com/questions/9519707/can-nodejs-generate-ssl-certificates). Other languages like Python or Perl also have ways to create certificates dynamically. – Steffen Ullrich Dec 08 '17 at 06:28
  • The Nginx module below is working flawlessly. However, it is not compiling with the latest version. I already have the CA, I just didn't know how to use it properly. I found this interesting link on your reference: [forge](https://github.com/digitalbazaar/forge), the node way seems too complicated, Nginx it is for now. – JsEveryDay Dec 08 '17 at 15:09
  • You are correct, nginx has nothing to do with it. I see that the only option is to pipe domains and generate new ssl per request. This is the only solution thus far https://github.com/digitalbazaar/forge#x509 and add host header to subjectAltName – JsEveryDay Dec 08 '17 at 16:05

1 Answer

Solved!

There are several options, which include mitmproxy, sslsniff and my favorite, SSLSPLIT.

It is available for all distros, prepackaged; install via apt-get or yum install sslsplit and that's all. You simply need to run 1 command: simply package your certificate with key and bundle into 1 pem file and run this:

Forward the port through NAT via iptables and then run sslsplit

```
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8888

sslsplit -p /path/anywhere.pid -c certbundle.pem -l connections.log ssl 0.0.0.0 8888 sni 443
```

It reissues new certificates on the fly with modified subject names and logs all traffic if you wish. It bypasses all Chrome validations and it is quite fast. It doesn't proxy through Nginx though, as I was hoping.

Edit 1/6/2018: Also found a node solution, which is beyond what I need: https://www.npmjs.com/package/node-forge

JsEveryDay
  • My bad. I just logged in after a year. Also, total noob on this platform, hope you understand. Yes, I do recall that nginx module, it was useless. Sry :( – JsEveryDay Jul 24 '18 at 21:07
  • @SteffenUllrich would appreciate your knowledge on my new question https://stackoverflow.com/questions/51507509/how-to-proxy-https-without-interception-filtering-mitm – JsEveryDay Jul 24 '18 at 21:09
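
What the comments describe (a local CA issuing a new certificate for each requested hostname rather than modifying an existing one), as an added example that is not part of the original thread. The CA name, the file names and the `*.example.test` hostnames are constructed; in a real setup the hostname comes from the client's SNI, so it is validated before use, and the last function shows that a client accepts the leaf only when it trusts that CA and the requested name is in the SAN.

```shell
#!/bin/sh
# Added example: a constructed, throwaway local CA that issues one leaf
# certificate per requested hostname and caches it after first use.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # private keys live here; remove them on exit

# Minimal config so the result does not depend on the system-wide openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {   # $1 = CA file stem, e.g. "devca"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -subj "/CN=Constructed Dev CA $1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_leaf() {   # $1 = hostname taken from the client's SNI (untrusted input)
  host=$1
  # Refuse anything that is not a plain DNS name: it ends up in a file name
  # and in the extension file, where "," or a newline would add extra entries.
  case "$host" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  [ -s "$WORK/$host.pem" ] && return 0          # already issued: reuse
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$host" > "$WORK/$host.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$host" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/devca.pem" -CAkey "$WORK/devca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.pem" 2>/dev/null
}

accepted() {   # $1 = issued host, $2 = name the client asked for, $3 = client trust anchor
  openssl verify -CAfile "$3" -verify_hostname "$2" "$WORK/$1.pem" >/dev/null 2>&1
}

make_ca devca
issue_leaf app.example.test
accepted app.example.test app.example.test "$WORK/devca.pem" && echo "trusted CA, matching name: accepted"
accepted app.example.test other.example.test "$WORK/devca.pem" || echo "name not in SAN: rejected"
```

A TLS server would call something like `issue_leaf` from its SNI handler and load the resulting key and certificate for that connection; browsers show no warning only on machines where the CA certificate has been installed as trusted.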