elazarl / goproxy

An HTTP proxy library for Go
BSD 3-Clause "New" or "Revised" License

Chrome not working with the TLS transparent example #384

Open krum110487 opened 4 years ago

krum110487 commented 4 years ago

I am on Chrome 81 (Windows 10); I also tried this on Chrome 43 (old NPAPI, which I have for work) and both of them react the same. I tried setting the proxy system-wide AND with --proxy-server=localhost:port.

Go 1.14.2 (could this be the issue?)

Also, I registered the cert in Windows.

For HTTPS I am getting this...

2020/04/30 09:21:33 Error accepting new connection - record overflow
2020/04/30 09:21:33 Cannot support non-SNI enabled clients

For the HTTP server I am getting this...

2020/04/30 09:30:53 [005] INFO: Got request / www.google.com GET http://www.google.com/
2020/04/30 09:30:53 [005] INFO: Sending request GET http://www.google.com/
2020/04/30 09:30:54 [005] INFO: Received response 302 Found
2020/04/30 09:30:54 [005] INFO: Copying response to client 302 Found [302]
2020/04/30 09:30:54 [005] INFO: Copied 231 bytes to client error=<nil>
2020/04/30 09:30:54 [006] INFO: Running 2 CONNECT handlers
2020/04/30 09:30:54 [006] INFO: on 0th handler: &{2 <nil> 0x694020} www.google.com:443
2020/04/30 09:30:54 [006] INFO: Assuming CONNECT is TLS, mitm proxying it
2020/04/30 09:30:54 [006] INFO: signing for www.google.com
2020/04/30 09:30:54 [006] INFO: Exiting on EOF

Both of these are failing to return the site. If I check this site, SNI seems to be there for both: https://check-tls.akamaized.net/

I am not sure what is going wrong, and when it comes to TLS I am not sure how to best debug this; any advice would be awesome.

Has anyone else had success with Chrome and this example?

krum110487 commented 4 years ago

OK, a few things I learned.

A) If you try to use --proxy-server on a Chrome instance while another Chrome instance is open, it will do NOTHING.

B) You can generate your own PEM using this: go run C:\go\src\crypto\tls\generate_cert.go -ca --host 127.0.0.1,::1,localhost --start-date "Jan 1 00:00:00 1970" --duration=1000000h -rsa-bits 2048. But make sure that you update your own code to use that key and cert in cert.go.

C) You HAVE to assign the cert to "Trusted Root Certification Authorities" and not "Personal", which I should have realized earlier, but ya know, 'tis life... On Windows: Run > MMC > File > Add Snap-in > Certificates > right-click "Trusted Root..." > Import the PEM file mentioned above.

I STILL cannot get Chrome to use the HTTPS server:

2020/04/30 13:39:15 Server starting up! - configured to listen on http interface :3129 and https interface :3128
2020/04/30 13:39:18 Error accepting new connection - record overflow
2020/04/30 13:39:18 Cannot support non-SNI enabled clients

But that doesn't really matter since I am self-signing my certs. Is there a way to say: if the certificate the proxy server gets back is invalid, then send back an error page?

For example, I don't mind how it works, but I would like a page like this to return a custom message saying why it is a bad request, maybe with a link to optionally bypass it and allow it: https://expired.badssl.com/

Is that possible? I am pretty new to understanding SSL and this proxy process.

Thanks,

krum110487 commented 4 years ago

I figured out just a little bit more...

If I use --proxy-server=https:\\localhost:3128 I get the messages below. Does this mean I was missing the https, or should I use something else?

2020/04/30 17:14:29 Error accepting new connection - record overflow
2020/04/30 17:14:29 Cannot support non-SNI enabled clients
2020/04/30 17:15:34 Error accepting new connection - record overflow
2020/04/30 17:15:34 Cannot support non-SNI enabled clients
2020/04/30 17:22:02 [005] INFO: Running 2 CONNECT handlers
2020/04/30 17:22:02 [005] INFO: on 0th handler: &{2 <nil> 0x694430} 127.0.0.1:443
2020/04/30 17:22:02 [005] INFO: Assuming CONNECT is TLS, mitm proxying it
2020/04/30 17:22:02 [005] INFO: signing for 127.0.0.1
2020/04/30 17:22:03 [006] INFO: req 127.0.0.1
2020/04/30 17:22:03 [006] INFO: Sending request CONNECT https://127.0.0.1//expired.badssl.com:443
2020/04/30 17:22:05 [006] WARN: Cannot read TLS response from mitm'd server dial tcp 127.0.0.1:443: connectex: No connection could be made because the target machine actively refused it.

It looks like the redirect is including the local IP in the call.

And when I remove the https I get this again...

2020/04/30 17:23:43 Error accepting new connection - record overflow
2020/04/30 17:23:43 Cannot support non-SNI enabled clients

What do you think?

nwpulei commented 4 years ago

It's because you misused --proxy-server=https:\localhost:3128. In proxy-server mode, Chrome sends a CONNECT HTTP request to goproxy-transparent, which causes:

Error accepting new connection - record overflow
Cannot support non-SNI enabled clients

Let's say your chrome IP address is 192.168.1.10.

goproxy-transparent is 192.168.1.20 with the default ports. The router IP is 192.168.1.1. You need to set forwarding rules on the router:

iptables -t nat -A PREROUTING -p tcp -s 192.168.1.10 --dport 80  -j DNAT --to-destination 192.168.1.20:3129
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.10 --dport 443 -j DNAT --to-destination 192.168.1.20:3128
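To illustrate nwpulei's point, here is a small Go parser (added here; not code from goproxy or from anyone in this thread) that looks at the first bytes a client sends to the transparent proxy's TLS port: a browser in --proxy-server mode sends an HTTP CONNECT line, which is not a TLS record and carries no SNI, whereas a real ClientHello carries the server_name the proxy signs for. The ClientHello builder is a constructed sample, and the function names are mine.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// SNI parses the first bytes a client sent to goproxy-transparent's TLS port and returns
// the server_name from the ClientHello. A browser pointed there with --proxy-server sends
// an HTTP CONNECT line instead, which the example logs as "record overflow" / non-SNI client.
func SNI(rec []byte) (name string, err error) {
	defer func() { // a truncated hello slices out of range: report it instead of crashing
		if recover() != nil {
			name, err = "", errors.New("malformed ClientHello")
		}
	}()
	if len(rec) >= 8 && string(rec[:8]) == "CONNECT " {
		return "", errors.New("HTTP CONNECT received: client is in --proxy-server mode, not transparent")
	}
	if len(rec) < 6 || rec[0] != 0x16 || rec[1] != 0x03 || rec[5] != 0x01 {
		return "", errors.New("not a TLS handshake record carrying a ClientHello")
	}
	p := rec[5+4+2+32:] // skip record header, handshake header, client_version, random
	for _, w := range []int{1, 2, 1} { // session_id, cipher_suites, compression_methods
		p = p[w+int(p[w-1])+(int(p[0])<<8)*(w-1):] // each is a length-prefixed vector
	}
	if len(p) < 2 { // no extensions block at all (legacy client)
		return "", errors.New("client sent no extensions, so no SNI")
	}
	for p = p[2:]; len(p) >= 4; { // past extensions_length; walk the extensions
		typ, l := binary.BigEndian.Uint16(p), int(binary.BigEndian.Uint16(p[2:]))
		if p = p[4:]; typ == 0 { // server_name: list_len(2) name_type(1) name_len(2) name
			return string(p[5 : 5+binary.BigEndian.Uint16(p[3:])]), nil
		}
		p = p[l:]
	}
	return "", errors.New("client sent no SNI")
}

// BuildClientHello makes a minimal TLS 1.2 ClientHello with only a server_name extension (constructed sample).
func BuildClientHello(host string) []byte {
	n := byte(len(host)) // assumes a host name shorter than ~200 bytes
	body := append([]byte{3, 3}, make([]byte, 32)...) // client_version, random (zeros here)
	body = append(body, 0, 0, 2, 0x13, 0x01, 1, 0, 0, n+9) // no session_id, one suite, null compression, extensions_length
	body = append(append(body, 0, 0, 0, n+5, 0, n+3, 0, 0, n), host...) // server_name: type, len, list_len, name_type, name_len, name
	hs := append([]byte{1, 0, 0, byte(len(body))}, body...) // handshake header: ClientHello, 3-byte length
	return append([]byte{0x16, 3, 1, 0, byte(len(hs))}, hs...) // record header: handshake, legacy version, length
}
```

Peeking the bytes this way before handing the connection to the TLS layer tells you immediately whether the client really reached the port transparently (iptables DNAT as above) or was configured with --proxy-server.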