Is the entire request sent encrypted or only the payload
I'm trying to test my API using SoapUI 5.4.0. I added my website's SSL certificate in the Keystore and my client's SSL certificate in the Truststore. I added the apikey in the header and the parameters in the parameters section. But I'm still getting:
response error 401 Unauthorized
Please help to fix this issue.
Have you sent the request with the configured Keystore?
Example:
In the screen below I have configured the SSL keystore; I hope you have done the same.
And then, while sending the request, you need to point to the SSL keystore. You need to do this for every request which requires SSL.
I am creating a 'firewall' type device (i.e. sitting in the middle of a communication) that in some cases needs to intercept an HTTPS request and return a message to the client browser (e.g.: sorry, this is blocked).
I can do this for HTTP by redirecting (with iptables DNAT) to another port on the device where netcat is listening:
while true; do echo -e "HTTP/1.1 200 OK\n\nsorry this is blocked"|nc -l -p 8000; done
(So nc is listening on port 8000 and returning a normal 200 reply. It could of course also be some other return code like 403 Forbidden, etc.)
But what to do for HTTPS?
The whole thing is encapsulated in SSL/TLS, and if intercepted the browser will just display a message that the secure connection failed.
I tried responding with an HTTP 307 Temporary Redirect with a Location pointing to http://127.0.0.1 (which would then give the above message), but the browser doesn't like this.
I need to display some sort of customized message (not necessarily HTML).
I realize that it would be a huge security issue if an HTTPS request could be changed to HTTP, thus stripping the security without the client noticing, but can a popup message or something not be forced on the client? Or at least a standard code like '403 Forbidden'?
Is there something in the SSL or TLS protocols that I can (ab)use?
Thanks.
So you are developing a transparent proxy. When it comes to HTTPS traffic, every proxy has the choice:
Pass it without decryption
Block it completely
Perform a man-in-the-middle attack for getting access to the content
If you perform the man-in-the-middle attack and the client does not trust the certificate used by the proxy, it will get a certificate warning. You cannot send anything HTTP-related to the client because SSL/TLS already fails to establish the tunnel. No tunnel means that you will not be able to transmit a single "HTTP byte" (this also means that you cannot redirect the client somewhere else).
And at the SSL/TLS level there is AFAIK no way to send a custom message. The "TLS alert message" only allows pre-defined constant values.
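To make the last point concrete, here is an added example (not code from the question or the answer above) that builds and decodes the TLS alert record a filtering device can send in place of the nc one-liner once the connection has been DNAT'ed to it. The FakeConn class is a constructed stand-in for an accepted socket so the script runs offline; on a real device you would pass the connection returned by socket.accept().

```python
import struct

# Registered TLS AlertDescription codes (RFC 5246 section 7.2). The alert message is
# exactly two bytes, AlertLevel + AlertDescription, so there is no field for custom
# text; the browser maps the code to its own built-in "secure connection failed" page.
ALERTS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
          42: "bad_certificate", 48: "unknown_ca", 49: "access_denied",
          70: "protocol_version", 80: "internal_error"}
WARNING, FATAL = 1, 2
ALERT_RECORD = 21  # TLS ContentType for alert

def build_alert(description, level=FATAL, version=0x0303):
    """Return one TLS record: 5-byte header (type, version, length=2) + level + description."""
    if description not in ALERTS:
        raise ValueError("AlertDescription must be a registered code, not free text")
    return struct.pack("!BHH", ALERT_RECORD, version, 2) + bytes([level, description])

def parse_alert(record):
    """Decode an alert record -> (level name, description name); rejects other record types."""
    if len(record) < 7:
        raise ValueError("record too short")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != ALERT_RECORD or length != 2:
        raise ValueError("not a TLS alert record")
    level, desc = record[5], record[6]
    return {WARNING: "warning", FATAL: "fatal"}[level], ALERTS.get(desc, f"unknown({desc})")

class FakeConn:
    """Constructed stand-in for an accepted socket, so the demo runs without networking."""
    def __init__(self):
        self.sent, self.closed = b"", False
    def sendall(self, data):
        self.sent += data
    def close(self):
        self.closed = True

def reject_client(conn, description=49):
    """HTTPS counterpart of the nc trick: instead of an HTTP body, answer the redirected
    connection with a fatal alert and close. conn only needs sendall() and close()."""
    record = build_alert(description)
    conn.sendall(record)
    conn.close()
    return record

if __name__ == "__main__":
    c = FakeConn()
    print(parse_alert(reject_client(c)))   # ('fatal', 'access_denied')
```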
My application captures every packet coming from the server. I can read those packets for HTTP. I want to read the subject field from the SSL certificate, but I can't. Is it encoded? If it is, how can I decode and read it?
Assuming that SSL negotiates a protocol that needs certificates, the certificates are generally in ASN.1-based X.509v3 format when they're sent from the server to the client.
From the TLS 1.0 RFC (which is a start if you want to listen to/analyze the protocol):
7.4.2. Server certificate
When this message will be sent:
The server must send a certificate whenever the agreed-upon key exchange method is not an anonymous one. This message will always immediately follow the server hello message.
Meaning of this message:
The certificate type must be appropriate for the selected cipher suite's key exchange algorithm, and is generally an X.509v3 certificate.
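An added example (not from the answer above) of what "ASN.1-based X.509" means in practice: a small DER walker that locates the Subject Name inside a certificate. It assumes you already have the DER bytes of one certificate from the Certificate handshake message; since the page has no real certificate, SAMPLE_CERT is a constructed, minimal v3-shaped certificate built with the same der() helper.

```python
ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}  # OIDs 2.5.4.{3,10,6}

def der(tag, body):
    """Encode one DER TLV (short or long definite length)."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, off=0):
    """Decode the TLV at off -> (tag, body, offset just past it)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                      # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def children(body):
    """Yield (tag, body) for each TLV inside a constructed value."""
    off = 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        yield tag, val

def decode_name(name_body):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value String }."""
    out = {}
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, val) = list(children(atv))
            out[ATTR.get(oid, oid.hex())] = val.decode()
    return out

def subject_from_der(cert):
    """Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }; in tbsCertificate
    the subject is field 6 if the [0] version tag is present, field 5 for v1."""
    _, tbs, _ = read_tlv(read_tlv(cert)[1])
    fields = list(children(tbs))
    return decode_name(fields[5 if fields[0][0] == 0xA0 else 4][1])

def make_name(**attrs):
    """Constructed helper: build a DER Name from CN=/O=/C= keyword arguments."""
    oid_of = {v: k for k, v in ATTR.items()}
    return der(0x30, b"".join(der(0x31, der(0x30, der(0x06, oid_of[k]) + der(0x13, v.encode())))
                               for k, v in attrs.items()))

# Constructed v3-shaped sample: version, serial, sigAlg OID, issuer, validity, subject, empty SPKI.
SAMPLE_CERT = der(0x30, der(0x30,
    der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    + make_name(CN="Example CA", O="Example") + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    + make_name(CN="www.example.com", O="Example Org", C="US") + der(0x30, b"")) + der(0x30, b"") + der(0x03, b"\x00"))
```

Calling subject_from_der(SAMPLE_CERT) returns {'CN': 'www.example.com', 'O': 'Example Org', 'C': 'US'}; on a captured certificate the same walk works, only the strings differ.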
I need to send an HTTPS POST to an external server. Is it best practice to first verify the external peer and then afterwards, in a separate request, send the POST data? Or is it OK to verify the peer and send the POST data in the same request? I'm using pycurl, if that helps. Thanks for any help.
From the cURL docs:
When CURLOPT_SSL_VERIFYPEER is nonzero, and the verification fails to prove that the certificate is authentic, the connection fails. When the option is zero, the peer certificate verification succeeds regardless.
The SSL negotiation phase happens before any data is sent, so if the external peer fails to verify, the connection will fail before any data is sent. It should be OK to do it all as one request.
SSL -- Negotiation Phase
http://www.ietf.org/proceedings/32/sec/cat.elgamal.slides.html
The client initiates the session
The server responds and sends its certificate
The client generates the master key and sends it encrypted using the server's public key
Requires a server certificate but does not require a client certificate
Requires a certain level of trust in the server's certificate
Optional client certificate can be used to authenticate the client to the server
I'm using Wireshark and then opening Gmail and Hotmail to see if I can see the HTML text sent from server to client, but I couldn't find it! Is it encrypted? I knew HTTPS encrypts client packets -- not both!
Please tell me what is wrong with my information.
HTTPS is HTTP over SSL/TLS, where SSL/TLS encrypts the connection in both directions.
During the SSL/TLS handshake, shared keys are negotiated (via the negotiation of a master secret): you get a client write key and a server write key, as described in the TLS specification (Key Calculation).
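The key calculation mentioned above, written out as an added example (not from the answer) for TLS 1.2 as specified in RFC 5246: the master secret comes from the premaster secret and both Hello randoms, and the key block is then split into separate client and server write keys, which is why both directions are encrypted. The premaster secret and randoms are constructed fixed bytes, and the demo uses the sizes of an AES_128_GCM suite (no MAC key, 16-byte key, 4-byte implicit IV).

```python
import hashlib
import hmac

def p_sha256(secret, seed, n):
    """TLS 1.2 P_hash with SHA-256 (RFC 5246 section 5): A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..., cut to n bytes."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]

def prf(secret, label, seed, n):
    """PRF(secret, label, seed) = P_hash(secret, label + seed)."""
    return p_sha256(secret, label + seed, n)

def master_secret(pre_master_secret, client_random, server_random):
    """RFC 5246 8.1: PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)

def key_block(master, client_random, server_random, mac_len, key_len, iv_len):
    """RFC 5246 6.3: PRF(master_secret, "key expansion", server_random + client_random)
    is cut into six pieces in this order (note the randoms are swapped relative to 8.1)."""
    n = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, n)
    layout = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    keys, off = {}, 0
    for name, size in layout:
        keys[name], off = block[off:off + size], off + size
    return keys

# Constructed sample inputs (fixed bytes, not values from any real session).
PRE_MASTER = b"\x03\x03" + bytes(range(46))   # 48-byte RSA-style premaster: version + 46 bytes
CLIENT_RANDOM = bytes([0x11] * 32)
SERVER_RANDOM = bytes([0x22] * 32)

def demo_keys(mac_len=0, key_len=16, iv_len=4):
    """Derive the key block for an AES_128_GCM_SHA256 style suite (AEAD: no MAC key)."""
    master = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    return key_block(master, CLIENT_RANDOM, SERVER_RANDOM, mac_len, key_len, iv_len)

if __name__ == "__main__":
    for name, key in demo_keys().items():
        print(f"{name:22s} {key.hex()}")
```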
Yes. In SSL, you and the server both have a public and a private key, which are used to encrypt/decrypt sent and received data.