All,
It is possible to use IIS (or similar) to handle the ssl side of https communications. Is there something similar that can handle the ssl side of a TCP/IP message?
Basically I have a client device sending a non-http message over a TCP connection and want a server that can handle the crypto and certificate side of SSL for me and forward the plain text on to another server.
The openSSL s_server command seems correct but the documentation states "It's intended for testing purposes only" while I need something robust. Is the documentation out of date?
Thanks,
Patrick
You are after the stunnel program:
Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code.
I don't think the documentation is out of date. "For testing purposes only" is their release from liability.
It sounds like you want an SSL tunnel. You could setup a tunnel to the SSL server, send the packets through the tunnel, and then have that server forward the result on. There are lots of tutorials on using SSH to setup tunnels over SSL.
Related
I am trying to connect a client to a secure (SSL/TLS) IMAP server. The client code cannot handle SSL/TLS correctly, so I am trying to see if a proxy server can be used in the middle. I was thinking something like the following:
IMAP Client <------- Plain Text Requests -------> Proxy <------- SSL/TLS Requests -------> SSL/TLS protected IMAP server.
I think this is possible but I am curious on what products can be used for the proxy? And, is this a normal deployment option?
Thanks much,
Ash
Use stunnel. With it you can do direct TLS (i.e. imaps, port 993) and also TLS upgrade of a plain IMAP connection (port 143) using the STARTTLS command. See the documentation for more details.
This is insane. An obvious fix is to find out why your client software cannot handle TLS. Deploying proxies or standalone tunnels makes little sense.
Seriously, if your "client" cannot even establish a TLS connection, it's either severely misconfigured, has damaged installation, or so bad that it won't reliably work even after you deploy this bandaid.
I've been wanting to setup a linux VirtualBox instance and use iptables to route traffic from other VMs through it and on to an external SOCKS proxy server. However, I have recently read that transparent proxies like this break HTTPS transmissions and that this is part of the design – to prevent man-in-the-middle attacks. If I want this to work, I'll need to configure the proxy inside the browsers of the VM clients for port 443. Are there any other options I could explore to achieve my goal?
To access a SOCKS server each TCP connection must be prefixed with the necessary SOCKS header. That means, that a simple redirect is not possible. You need instead a protocol converter like redsocks or transocks (never used these, but from the description they do what you need).
Apart from that it is not a problem to simply redirect HTTPS traffic or use these protocol converters, as long as you don't change the SSL stream itself. The only problem is if transparent proxies try to intercept and re-route this traffic to other sites (like redirecting to a capture portal) or try to decrypt the connection in order to analyse it (like in firewalls). These kind of interceptions will be noticed from the browser, because either the name in the certificate does not match the target name and/or the issuer of the certificate is not trusted.
Would like to write SSL Socket client server application on the same machine (both server and clients are running same machine). Should I use SSL certificate file (.pem file ) or not required.
Just I want encrypt the data before sending via socket.
Can we encrypt the data without .pem file?
Please advice me.
-Bala
SSL has two major steps:
check the identity of the peer, e.g. make sure you talk to the right one and not an imposter (e.g. man in the middle). This is done with certificates.
encrypt the connection, so that anybody listening on the wire cannot understand what's going on. Obviously encryption helps nothing if somebody is actively listening on the wire, because you failed in step#1. In this case you have no end-to-end encryption but an end-to-imposter and imposter-to-end encryption :)
Considering these arguments: do you still want to skip checking the certificate?
If you want it is doable, just look for anonymous authentication, e.g. ADH or aNULL with openssl.
1 question about Stunnel. I would like to use Stunnel as a FIX (Financial Information eXchange) gateway for internet, to support both SSL and non-SSL connection. Is Stunnel able to do without any encryption? I just had a try with plain socket but it looked Stunnel rejected the connection saying 'invalid protocol' or something.
It's possible to use SSL/TLS without encryption using cipher suites with null encryption (e.g. TLS_RSA_WITH_NULL_SHA), which are normally disabled by default, but could be set via the ciphers option of Stunnel. However, you would still be using SSL/TLS, which isn't what you seem to be looking for.
It looks like you're more generally looking for what's usually called a TCP bouncer. You should be able to find a number of implementations around.
I've got a local application (which I didn't write, and can't change) that talks to a remote web service. It uses HTTPS, and I'd like to see what's in the traffic.
Is there any way I can do this? I'd prefer a Windows system, but I'm happy to set up a proxy on Linux if this makes things easier.
What I'm considering:
Redirecting the web site by hacking my hosts file (or setting up alternate DNS).
Installing an HTTPS server on that site, with a self-signed (but trusted) certificate.
Apparently, WireShark can see what's in HTTPS if you feed it the private key. I've never tried this.
Somehow, proxy this traffic to the real server (i.e. it's a full-blown man-in-the-middle "attack").
Does this sound sensible? Can WireShark really see what's in HTTPS traffic? Can anyone point me at a suitable proxy (and configuration for same)?
Does Fiddler do what you want?
What is Fiddler?
Fiddler is a Web Debugging Proxy which
logs all HTTP(S) traffic between your
computer and the Internet. Fiddler
allows you to inspect all HTTP(S)
traffic, set breakpoints, and "fiddle"
with incoming or outgoing data.
Fiddler includes a powerful
event-based scripting subsystem, and
can be extended using any .NET
language.
Fiddler is freeware and can debug
traffic from virtually any
application, including Internet
Explorer, Mozilla Firefox, Opera, and
thousands more.
Wireshark can definitely display TLS/SSL encrypted streams as plaintext. However, you will definitely need the private key of the server to do so. The private key must be added to Wireshark as an SSL option under preferences. Note that this only works if you can follow the SSL stream from the start. It will not work if an SSL connection is reused.
For Internet Explorer this (SSL session reuse) can be avoided by clearing the SSL state using the Internet Options dialog. Other environments may require restarting a browser or even rebooting a system (to avoid SSL session reuse).
The other key constraint is that an RSA cipher must be used. Wireshark can not decode TLS/SSL stream that use DFH (Diffie-Hellman).
Assuming you can satisfy the constraints above, the "Follow SSL Stream" right-click command works rather well.
You need to setup a proxy for your local application and if it doesnt honour proxy settings, put a transparent proxy and route all https traffic into it before going outside. Something like this can be the "man" in the middle: http://crypto.stanford.edu/ssl-mitm
Also, here's brief instructions on how to archive this with wireshark: http://predev.wikidot.com/decrypt-ssl-traffic
You should also consider Charles. From the product description at the time of this answer:
Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet. This includes requests, responses and the HTTP headers (which contain the cookies and caching information).
For using https proxy to monitor, it depends on the type of handshake. If you local application does not check the server's certificate by CA's signature which you can not fake, and the server does not check your local application's certificate ( or if you have one to setup on https proxy) then you can set up a https proxy to monitor the https traffic. Otherwise, I think it is impossible to monitor traffic with https proxy.
Another way you can try is to add instrumentation probe at the routines of your client program where it send and receive messages from its https library. It needs some reverse engineering work, but should work for you for all situations.
I would recommend WireShark, it is the best tool to follow on different pieces of traffic. Although, I am not sure what can you see with SSL turned on. Maybe, if you supply it with a certificate?