Check Client Certificate in SSLBump

[test1964]

Hey,

How can I get client certificate details like "Issued By" ( to see if it my self signed certificate) in TLS.GO (Before tlsConn.Handshake() )

Thanks,

[andybalholm]

If you want to allow connections only from clients that have your certificate, just configure the tls.Config that is used to create tlsConn: Set ClientAuthType to RequireAndVerifyClientCert, and put your self-signed certificate in ClientCAs.

If you need to do something more complicated, I'm not sure how to go about it, because the client certificate isn't available yet before the handshake is started.

[test1964]

Hi, How can I handle that computer with certificate will be filter with sslbump and another computer without any certificate will surf without sslbump (bote come with same ip addr due nat and both working in tansparent mode)?

[andybalholm]

Are you talking about actual TLS client certificates, or about whether the client has your root certificate installed, so that it trusts sslbumped connections?

[test1964]

If client installed my root certificate I want to filter him but if client without my certificate I want to allow him to surf without any filter ( for example have TVbox that go out in port 443 and no need to filter it)

• maybe I can get user agent (if user use browser - filter if not do not filter)

[andybalholm]

The User-Agent header is only available after the TLS handshake, so that won't help.

You could set up all the browser-using clients to log into the proxy with a username and password, and only sslbump connections from those users. But of course that would make avoiding the filter very easy…

[test1964]

There is a way without define in client proxy? Can I after error in Handshake enable direct connection without need client to reload page?

[andybalholm]

No. When there is an error in the handshake, the client disconnects immediately.

[test1964]

So When user try to get any url in port 443 there is no any flag that I can analyze if it using my root certificate that installed in his computer?

• maybe need in application firewall level?

[andybalholm]

There is no way to know if the client has your root certificate installed other than to see whether it rejects your TLS handshake.

[test1964]

Maybe to check the ClientHello for some flags?

• found this in web:

  " The ClientHello may help categorizing things, as different browsers/devices support different algorithms"

  and this:

  "The SSL Hello message contains:

  • a timestamp. This is the local time of the client, even if the RFC doesn't require it to be accurate.
    • 28 random bytes
    • a list of cipher suites the client supports
    • the SSL version the client is using (e.g. TLS 1.0)
    • any extensions the client may support (including compression) "

[andybalholm]

You could use TLS fingerprints to whitelist the devices that shouldn't be filtered. Look in tls.log to figure out what the TLS fingerprint of your TV box is, and make a ja3 ACL that exempts it from sslbump. TLS fingerprints aren't documented in the README, but they are a feature that Redwood supports.

It would also theoretically be possible to build up a set of fingerprints of browsers, and bump only those connections. But it would be much more fragile—people would update their browsers and suddenly be unfiltered.

[test1964]

Thank you very much for the support and fast response. Bye