abhinavsingh / proxy.py

💫 Ngrok FRP Alternative • ⚡ Fast • 🪶 Lightweight • 0️⃣ Dependency • 🔌 Pluggable • 😈 TLS interception • 🔒 DNS-over-HTTPS • 🔥 Poor Man's VPN • ⏪ Reverse & ⏩ Forward • 👮🏿 "Proxy Server" framework • 🌐 "Web Server" framework • ➵ ➶ ➷ ➠ "PubSub" framework • 👷 "Work" acceptor & executor framework
https://abhinavsingh.com/proxy-py-a-lightweight-single-file-http-proxy-server-in-python/
BSD 3-Clause "New" or "Revised" License

Does the library fully support TLS interception? #1355

Open mai1x9 opened 7 months ago

mai1x9 commented 7 months ago

Hello there, I have been trying to use this library for TLS interception, but I see a lot of errors like file not found, SSLEOFError, SSLv3 verification failed, unknown cert, etc. It keeps on throwing errors as I keep changing HTTPS websites (like Stack Overflow, Udemy, Gmail, GitHub, etc.). I have checked other issues raised on TLS/SSL and could see that the feature must be implemented or is currently not supported, etc.

I just want to know if I can really use this library and whether all TLS issues are fixed or not. I could see limitations at: https://github.com/abhinavsingh/proxy.py#oserror-when-wrapping-client-for-tls-interception, but have there been any new releases addressing these issues?

Apart from that, a lot of the plugins used are based on httpbin or curl. In reality, a practical example against HTTPS websites would be better and more realistic.

Can I find documentation with step-by-step instructions, right from generating SSL certs to adding them to the browser and performing successful TLS interception on an HTTPS website like stackoverflow.com or github.com?

Also, I am interested in learning more about TLS interception, especially fixing errors, so I want to know of any good starting point or resources to get acquainted with TLS before I branch out the code for development and submit a PR.

abhinavsingh commented 1 month ago

@mai1x9 apologies for delayed response. Yes, proxy.py supports full TLS interception, but:

1. It doesn't let you bypass out-of-band mechanisms in place for certificate validation, e.g. certificate pinning, stapling, etc.
2. OSError can also happen if the client is using deprecated SSL versions.

mai1x9 commented 1 month ago

> @mai1x9 apologies for delayed response. Yes, proxy.py supports full TLS interception, but:
>
> 1. It doesn't let you bypass out-of-band mechanisms in place for certificate validation, e.g. certificate pinning, stapling, etc.
> 2. OSError can also happen if the client is using deprecated SSL versions.

Thank you for the reply @abhinavsingh, but I am still facing a lot of OSErrors. I am running on Windows 10, version 22H2. Is there a way to fix this?

Also, can you kindly provide resources or a starting point to build code like proxy.py from scratch? I want to try writing my own code, but I am not finding a starting point for where I should look for TLS/SSL interception.

abhinavsingh commented 1 month ago

@mai1x9 To identify the root cause, let's identify the origin of the failing requests. Do the requests that produce OSError come from the browser or from your operating system directly?

I tried the following to see where we can possibly improve:

and I see the following logs from Chrome:

[32534:42503:0514/200407.245142:ERROR:cert_verify_proc_builtin.cc(1052)] CertVerifyProcBuiltin for clientservices.googleapis.com failed:
----- Certificate i=0 (CN=upload.video.google.com) -----
WARNING: Certificate does not have extended key usage

----- Certificate i=1 (CN=localhost) -----
ERROR: Does not have Basic Constraints

So it looks like the generated certificates are not compliant with https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9, something we might try to fix and see if it helps get past these OSErrors.
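The RFC 5280 point above, as an added example that is not part of this thread or of proxy.py's code base: it mints an interception CA with basicConstraints CA:TRUE plus keyCertSign, signs a per-host leaf with CA:FALSE, a serverAuth extended key usage and a SAN (Chrome matches the host against the SAN only, not the CN), reads the extensions back out of each certificate, and runs `openssl verify -purpose sslserver` on the chain. It then repeats the exercise with a CA that, like the CN=localhost certificate in the Chrome log, has no Basic Constraints, and shows the verifier rejecting that chain. It assumes the `openssl` CLI (1.1.1 or newer) is on PATH, which proxy.py also needs for certificate generation; the host name example.test, the file names and the config section names are made up for the example.

```python
"""Added example, not proxy.py's own code: mint an interception CA and a per-host
leaf carrying the X.509 extensions Chrome's log asks for, then verify them the way a
client would. Assumes the `openssl` CLI (1.1.1+) is on PATH; names are made up."""
import os
import secrets
import subprocess
import tempfile

# Private config so the system openssl.cnf cannot merge its own extensions in.
_REQ_CONF = """
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_ca_no_bc]
subjectKeyIdentifier = hash
"""
_LEAF_EXT = """
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:{host}
"""

def _openssl(*args: str) -> str:
    """Run one openssl subcommand, raise if it fails, return its stdout."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout

def _write(path: str, text: str) -> str:
    with open(path, "w") as f:
        f.write(text)
    return path

def gen_ca(workdir: str, cn: str, with_basic_constraints: bool = True) -> tuple:
    """Self-signed CA; False reproduces the CN=localhost CA that Chrome rejected."""
    conf = _write(os.path.join(workdir, "req.cnf"), _REQ_CONF)
    key, crt = os.path.join(workdir, "ca.key"), os.path.join(workdir, "ca.crt")
    _openssl("req", "-x509", "-config", conf, "-newkey", "rsa:2048", "-nodes",
             "-extensions", "v3_ca" if with_basic_constraints else "v3_ca_no_bc",
             "-days", "365", "-subj", f"/CN={cn}", "-keyout", key, "-out", crt)
    return key, crt

def gen_leaf(workdir: str, ca_key: str, ca_crt: str, host: str) -> tuple:
    """Per-host leaf: CA:FALSE, serverAuth EKU and a SAN, signed by the CA."""
    conf = _write(os.path.join(workdir, "req.cnf"), _REQ_CONF)
    ext = _write(os.path.join(workdir, host + ".ext"), _LEAF_EXT.format(host=host))
    key, csr, crt = (os.path.join(workdir, host + s) for s in (".key", ".csr", ".crt"))
    _openssl("req", "-new", "-config", conf, "-newkey", "rsa:2048", "-nodes",
             "-subj", f"/CN={host}", "-keyout", key, "-out", csr)
    _openssl("x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
             "-set_serial", hex(secrets.randbits(63)), "-days", "365",
             "-extfile", ext, "-extensions", "v3_leaf", "-out", crt)
    return key, crt

def x509_extensions(cert: str) -> dict:
    """Parse `openssl x509 -text` into {'Basic Constraints': 'critical CA:TRUE', ...}."""
    exts, name = {}, None
    for raw in _openssl("x509", "-in", cert, "-noout", "-text").splitlines():
        line = raw.strip()
        if line.startswith("Signature") and name:  # past the extensions block
            break
        if line.startswith("X509v3 ") and line != "X509v3 extensions:":
            name, _, flag = line[7:].partition(":")
            exts[name] = "critical" if "critical" in flag else ""
        elif name and line:
            exts[name] = (exts[name] + " " + line).strip()
    return exts

def verify_as_server_cert(ca_crt: str, leaf_crt: str, host: str) -> bool:
    """Chain, purpose (EKU / Basic Constraints) and hostname check, as a TLS client does."""
    proc = subprocess.run(["openssl", "verify", "-CAfile", ca_crt, "-purpose", "sslserver",
                           "-verify_hostname", host, leaf_crt], capture_output=True, text=True)
    return proc.returncode == 0

def demo(host: str = "example.test") -> dict:
    """Compliant CA versus a CA without Basic Constraints; returns each check's outcome."""
    out = {}
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        ca_key, ca_crt = gen_ca(good, "localhost")
        _, leaf = gen_leaf(good, ca_key, ca_crt, host)
        out["ca_ext"], out["leaf_ext"] = x509_extensions(ca_crt), x509_extensions(leaf)
        out["good_ok"] = verify_as_server_cert(ca_crt, leaf, host)
        bad_key, bad_crt = gen_ca(bad, "localhost", with_basic_constraints=False)
        _, bad_leaf = gen_leaf(bad, bad_key, bad_crt, host)
        out["bad_ca_ext"] = x509_extensions(bad_crt)
        out["bad_ok"] = verify_as_server_cert(bad_crt, bad_leaf, host)
    return out

if __name__ == "__main__":
    print(demo())
```

The private `-config` file matters: without it, `openssl req -x509` merges the default extensions from the system openssl.cnf into the certificate, so what you get differs between machines. `openssl verify -purpose sslserver` is the closest CLI equivalent to the check Chrome performs: a v3 issuer without CA:TRUE is reported as an invalid CA certificate, and a leaf whose extended key usage is present but lacks serverAuth is rejected. If the CA in your setup prints no Basic Constraints line, regenerate it; a fixed CA still has to be re-imported into the browser's trust store.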