abhinavsingh / proxy.py

💫 Ngrok FRP Alternative • ⚡ Fast • 🪶 Lightweight • 0️⃣ Dependency • 🔌 Pluggable • 😈 TLS interception • 🔒 DNS-over-HTTPS • 🔥 Poor Man's VPN • ⏪ Reverse & ⏩ Forward • 👮🏿 "Proxy Server" framework • 🌏 "Web Server" framework • ➵ ➶ ➷ ➠ "PubSub" framework • 👷 "Work" acceptor & executor framework
https://abhinavsingh.com/proxy-py-a-lightweight-single-file-http-proxy-server-in-python/
BSD 3-Clause "New" or "Revised" License

TLS Handshake failing #1421

Closed sandrich closed 2 weeks ago

sandrich commented 3 weeks ago

I had a similar request, but I need a MITM proxy to add headers to requests for TLS-encrypted endpoints. Normally, TLS interception using a CA is the way to go. In our environment, however, we cannot issue private CAs, but the endpoints we need to serve are limited and we can issue new certificates for such domains.

As an example, I can issue a certificate with the domain name myservice.dummy.com, then I expect it to work with

curl -x localhost:8899 https://myservice.dummy.com

Unfortunately it fails with

2024-06-12 08:49:33,327 - pid:18 [D] acceptor.accept:115 - Accepting new work#49
2024-06-12 08:49:33,327 - pid:18 [D] tcp_server.__init__:119 - Work#49 accepted from 127.0.0.1:36562
2024-06-12 08:49:33,328 - pid:18 [D] selector_events.__init__:59 - Using selector: EpollSelector
2024-06-12 08:49:33,328 - pid:18 [D] acceptor._work:248 - Started work#49.11.0 in thread#139951852787456
2024-06-12 08:49:33,330 - pid:18 [E] handler.run:347 - ssl.SSLError
Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/proxy/http/handler.py", line 333, in run
    self.initialize()
  File "/venv/lib/python3.9/site-packages/proxy/http/handler.py", line 65, in initialize
    super().initialize()
  File "/venv/lib/python3.9/site-packages/proxy/core/base/tcp_server.py", line 129, in initialize
    conn = self._optionally_wrap_socket(self.work.connection)
  File "/venv/lib/python3.9/site-packages/proxy/core/base/tcp_server.py", line 240, in _optionally_wrap_socket
    conn = wrap_socket(conn, self.flags.keyfile, self.flags.certfile)
  File "/venv/lib/python3.9/site-packages/proxy/common/utils.py", line 232, in wrap_socket
    return ctx.wrap_socket(
  File "/usr/lib/python3.9/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.9/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: HTTPS_PROXY_REQUEST] https proxy request (_ssl.c:1123)

I start the proxy with flags

--cert-file=/tls.crt
--key-file=/tls.key
--ca-file=/ca-certificates.crt

Where the tls.crt contains

-- truncated --
            X509v3 Subject Alternative Name:
                DNS:myservice.dummy.com
            X509v3 Certificate Policies:
                Policy: 1.2.840.113635.100.5.15.2
                  User Notice:
                    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.
                  CPS: xxx

            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:

            X509v3 Subject Key Identifier:
                EB:56:1E:E4:30:72:42:CA:26:C2:D3:F5:8D:5B:D4:F0:A1:D6:93:E3
            X509v3 Key Usage: critical
                Digital Signature
            1.2.840.113635.100.6.86:

ca-certificates.crt contains the corporate certificate chain.
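The ssl.SSLError in the traceback above comes from OpenSSL's record layer: with --cert-file and --key-file the proxy wraps the accepted client socket in TLS (the _optionally_wrap_socket frame), but a client told `-x localhost:8899` opens with a plaintext HTTP CONNECT line, which OpenSSL reports as HTTPS_PROXY_REQUEST instead of reading it as a ClientHello. The following is an added diagnostic example, not proxy.py's own code, that classifies a client's first bytes the same way and peeks at them on a listener without consuming them; the sample byte strings are constructed.

```python
import socket
from typing import Optional, Tuple

# Constructed samples (not from the issue): first bytes from a TLS client and from plaintext HTTP proxy clients.
SAMPLE_TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xF4, 0x01, 0x00, 0x00, 0xF0])
SAMPLE_PLAIN_CONNECT = (b"CONNECT myservice.dummy.com:443 HTTP/1.1\r\n"
                        b"Host: myservice.dummy.com:443\r\n\r\n")
SAMPLE_PLAIN_GET = b"GET http://myservice.dummy.com/ HTTP/1.1\r\n\r\n"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"TRACE ")

def classify_first_bytes(data: bytes) -> str:
    """'tls' if the data starts like a TLS record (content type 0x16,
    record version 0x03 0x0X); 'http-connect' for a plaintext proxy
    request; 'http' for any other plaintext HTTP method line."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if data.startswith(b"CONNECT "):
        return "http-connect"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def openssl_reason_for(data: bytes) -> Optional[str]:
    """Reason OpenSSL's record layer reports when these bytes reach a
    server-side handshake; None means the handshake can proceed."""
    kind = classify_first_bytes(data)
    if kind == "http-connect":
        return "HTTPS_PROXY_REQUEST"
    if kind == "http":
        return "HTTP_REQUEST"
    return None

def peek_first_bytes(conn: socket.socket, n: int = 16) -> bytes:
    """Read the first bytes without consuming them, so a listener can
    check whether wrapping the socket in TLS is appropriate at all."""
    return conn.recv(n, socket.MSG_PEEK)

def diagnose_socketpair(payload: bytes) -> Tuple[str, bytes]:
    """Send `payload` from a simulated client, peek at it on the listener
    side, then show the peek left the bytes in place for a normal recv."""
    client, server = socket.socketpair()
    try:
        client.sendall(payload)
        kind = classify_first_bytes(peek_first_bytes(server))
        remaining = server.recv(4096)
    finally:
        client.close()
        server.close()
    return kind, remaining
```

Running diagnose_socketpair(SAMPLE_PLAIN_CONNECT) yields "http-connect", the same situation the traceback shows: the listener is about to wrap the socket in TLS while the client has already sent plaintext HTTP.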