dlundquist / sniproxy

Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session.
BSD 2-Clause "Simplified" License

Down negotiation for SSL 3.0 requests #47

Closed reini1989 closed 10 years ago

reini1989 commented 10 years ago

Hi,

Over at https://github.com/corporate-gadfly/Tunlr-Clone/issues/22 we were asking ourselves whether it would be possible to answer an SSL 3.0 request instead of rejecting it with an error.

Something like:

Is this at least possible?

dlundquist commented 10 years ago

When I was writing the TLS parser I didn't see a graceful way to do this. If you want to read over the TLS spec, I'm open to pull requests. We'll probably need to do something similar for HTTP once HTTP/2.0 is in widespread use.

reini1989 commented 10 years ago

Last week I had a brief look at your code and the TLS spec. I noticed the "close_tls_socket(int sockfd)" function in tls.c. This function sends a tls_alert before closing the connection. But as far as I could see, this function does not get called before the connection is closed when handling a "no SNI header because of SSL 3" error.

What I did was change the alert to "protocol_version" and call the function explicitly when handling the SSL3 error.

As described in the TLS spec, the client recognizes that the "server" can't speak SSL3 and sends a new "client hello" with the TLS version specified in the TLS alert message.

I'm not at my dev machine right now so I can't pull my changes (besides, I think it's more of a quick'n'dirty change). Studies are stressful at the moment; I hope I will find some time later this week.
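The approach described in the comment above (detect a ClientHello that cannot carry SNI, answer it with a fatal protocol_version alert instead of just closing the socket) as a stand-alone C sketch. This is an added example, not sniproxy's tls.c and not the commenter's patch; the record layout and the alert code 70 come from the TLS RFCs, while the function names, the constructed sample ClientHello bytes and the buffer sizes are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from RFC 5246 (TLS 1.2) and RFC 6101 (SSL 3.0). */
#define TLS_CT_ALERT               0x15
#define TLS_CT_HANDSHAKE           0x16
#define TLS_HS_CLIENT_HELLO        0x01
#define TLS_ALERT_LEVEL_FATAL      0x02
#define TLS_ALERT_PROTOCOL_VERSION 70      /* protocol_version(70) */
#define SSL3_VERSION               0x0300
#define TLS1_0_VERSION             0x0301

/* Read the client_version field of a ClientHello. Returns 0 and stores the
 * version, or -1 if the bytes are too short or not a ClientHello record. */
int client_hello_version(const unsigned char *buf, size_t len, uint16_t *version)
{
    /* 5-byte record header + 4-byte handshake header + 2-byte client_version */
    if (len < 11 || buf[0] != TLS_CT_HANDSHAKE || buf[5] != TLS_HS_CLIENT_HELLO)
        return -1;
    *version = (uint16_t)((buf[9] << 8) | buf[10]);
    return 0;
}

/* Build a fatal protocol_version alert inside a TLS 1.0 record (7 bytes).
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t build_protocol_version_alert(unsigned char *out, size_t cap)
{
    static const unsigned char alert[7] = {
        TLS_CT_ALERT, 0x03, 0x01,               /* alert record, version TLS 1.0 */
        0x00, 0x02,                             /* 2-byte body */
        TLS_ALERT_LEVEL_FATAL, TLS_ALERT_PROTOCOL_VERSION
    };
    if (cap < sizeof alert)
        return 0;
    memcpy(out, alert, sizeof alert);
    return sizeof alert;
}

/* Decision on the first bytes of a session (hypothetical helper):
 *  1 -> SSL 3.0 ClientHello (cannot carry SNI): alert written to reply
 *  0 -> TLS ClientHello: nothing written, go on to parse SNI
 * -1 -> not a ClientHello, or reply buffer too small for the alert */
int handle_client_hello(const unsigned char *buf, size_t len,
                        unsigned char *reply, size_t cap, size_t *reply_len)
{
    uint16_t version;
    *reply_len = 0;
    if (client_hello_version(buf, len, &version) != 0)
        return -1;
    if (version != SSL3_VERSION)
        return 0;
    *reply_len = build_protocol_version_alert(reply, cap);
    return *reply_len > 0 ? 1 : -1;
}

/* Constructed sample (not captured traffic): a minimal ClientHello with one
 * cipher suite, no session id and no extensions. Returns bytes written. */
size_t build_sample_client_hello(uint16_t record_version, uint16_t client_version,
                                 unsigned char *out, size_t cap)
{
    /* body = version(2) + random(32) + sid_len(1) + suites_len(2)
     *      + suite(2) + comp_len(1) + comp(1) = 41 bytes */
    const size_t body_len = 41, total = 5 + 4 + body_len;
    if (cap < total)
        return 0;
    memset(out, 0, total);                /* random and session id stay zero */
    out[0] = TLS_CT_HANDSHAKE;
    out[1] = (unsigned char)(record_version >> 8);
    out[2] = (unsigned char)(record_version & 0xff);
    out[4] = (unsigned char)(4 + body_len);          /* record length */
    out[5] = TLS_HS_CLIENT_HELLO;
    out[8] = (unsigned char)body_len;                /* handshake length */
    out[9] = (unsigned char)(client_version >> 8);
    out[10] = (unsigned char)(client_version & 0xff);
    out[45] = 0x02;                                  /* cipher_suites length */
    out[47] = 0x2f;                                  /* TLS_RSA_WITH_AES_128_CBC_SHA */
    out[48] = 0x01;                                  /* one compression method: null */
    return total;
}

int main(void)
{
    unsigned char hello[64], reply[16];
    size_t n, rn;
    n = build_sample_client_hello(SSL3_VERSION, SSL3_VERSION, hello, sizeof hello);
    if (handle_client_hello(hello, n, reply, sizeof reply, &rn) == 1)
        printf("SSL 3.0 hello: sent %zu-byte alert, description %u\n", rn, (unsigned)reply[6]);
    n = build_sample_client_hello(TLS1_0_VERSION, 0x0303, hello, sizeof hello);
    if (handle_client_hello(hello, n, reply, sizeof reply, &rn) == 0)
        printf("TLS hello: no alert, proceed to SNI parsing\n");
    return 0;
}
```

The only thing the proxy decides here is whether a hostname can exist in the hello at all; whether the client then retries with a newer version, as the comment says it does, is up to the client. In a real deployment the alert would be sent on the socket from the same place that currently closes it, and logging that an SSL 3.0 hello was refused gives operators a way to see how many legacy clients are still hitting the proxy.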

JustMe0815 commented 10 years ago

Did you get something out of this? I'm running into the problem now too with my Android and Pandora.

reini1989 commented 10 years ago

I am currently learning Python and as my first sample application I want to build the DNS proxy that was described in the issue topic. But as I have to do other stuff too, it will take some more weeks. As soon as I have something new I will post it in the issue topic.
