abhinavsingh / proxy.py

💫 Ngrok FRP Alternative • ⚡ Fast • 🪶 Lightweight • 0️⃣ Dependency • 🔌 Pluggable • 😈 TLS interception • 🔒 DNS-over-HTTPS • 🔥 Poor Man's VPN • ⏪ Reverse & ⏩ Forward • 👮🏿 "Proxy Server" framework • 🌐 "Web Server" framework • ➵ ➶ ➷ ➠ "PubSub" framework • 👷 "Work" acceptor & executor framework
https://abhinavsingh.com/proxy-py-a-lightweight-single-file-http-proxy-server-in-python/
BSD 3-Clause "New" or "Revised" License

[TlsInterception] Bypass interception for upstreams we are unable to intercept #1018

Open abhinavsingh opened 2 years ago

abhinavsingh commented 2 years ago

Several clients throw a TLSV1_ALERT_UNKNOWN_CA alert. Example:

Several clients throw an ssl.SSLEOFError "EOF occurred in violation of protocol (_ssl.c:997)" alert. Example:

Proxy should be able to auto-detect (which it already does when handling exceptions) such scenarios and bypass interception for such upstream endpoints.

abhinavsingh commented 2 years ago

We must also inspect the diff between the upstream and the generated certificate. We must try to copy as much information as possible into generated certificates, e.g. the list of all common names.
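The auto-detect-and-bypass behaviour requested in this issue, sketched as an added example that is not part of the thread and is not proxy.py code: it classifies the two handshake errors quoted above and stops intercepting an upstream after repeated failures. The names `is_interception_failure` and `InterceptionBypassList`, the threshold and the TTL are assumptions made for illustration.

```python
import ssl
import time

# Alert named in the issue; OpenSSL reports it as the SSLError reason.
CLIENT_REJECT_REASONS = {"TLSV1_ALERT_UNKNOWN_CA"}


def is_interception_failure(exc):
    """True if a handshake error suggests the client refused our generated certificate."""
    if isinstance(exc, ssl.SSLEOFError):  # client closed the socket mid-handshake
        return True
    if isinstance(exc, ssl.SSLError):
        reason = getattr(exc, "reason", None) or ""
        text = str(exc)
        return reason in CLIENT_REJECT_REASONS or any(r in text for r in CLIENT_REJECT_REASONS)
    return False


class InterceptionBypassList:
    """Hypothetical per-upstream record of interception failures (not a proxy.py class)."""

    def __init__(self, threshold=2, ttl=3600.0, clock=time.monotonic):
        self._threshold = threshold  # failures before interception is skipped
        self._ttl = ttl              # seconds until interception is retried
        self._clock = clock
        self._failures = {}          # (host, port) -> (count, last_failure_time)

    def record_failure(self, host, port, exc):
        """Count exc against host:port; returns False for unrelated errors."""
        if not is_interception_failure(exc):
            return False
        key = (host.lower(), port)
        now = self._clock()
        count, last = self._failures.get(key, (0, now))
        if now - last > self._ttl:
            count = 0  # stale history, start over
        self._failures[key] = (count + 1, now)
        return True

    def should_intercept(self, host, port):
        """False once an upstream reached the failure threshold within the TTL."""
        key = (host.lower(), port)
        entry = self._failures.get(key)
        if entry is None:
            return True
        count, last = entry
        if self._clock() - last > self._ttl:
            del self._failures[key]  # expired: give interception another try
            return True
        return count < self._threshold
```

Traffic to a bypassed upstream passes through uninspected, so each bypass decision is worth logging with the host and the triggering error.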