elazarl / goproxy

An HTTP proxy library for Go
BSD 3-Clause "New" or "Revised" License
6.02k stars 1.09k forks

Custom CA will not Work #449

Open ajcypherint opened 3 years ago

ajcypherint commented 3 years ago

Since GoproxyCa is a global variable, it adds itself to tlsConfig.Certificates, which breaks a custom MITM CA. This part of the code loads the hard-coded cert and breaks a custom CA.

initial load of global

All new custom CAs are then appended to .Certificates instead of replacing .Certificates array element 0.

If you want a custom CA to work, define your own TLSConfigFromCA that removes the first certificate (https://github.com/elazarl/goproxy/blob/8e322dfb79c43cc078201ade94238d8c7191dfe7/https.go#L447)

by adding, after the above line:

config.Certificates = config.Certificates[1:]

thus removing the offending certificate, so maybe:

func TLSConfigFromCA(ca *tls.Certificate) func(host string, ctx *ProxyCtx) (*tls.Config, error) {
    return func(host string, ctx *ProxyCtx) (*tls.Config, error) {
        var err error
        var cert *tls.Certificate

        hostname := stripPort(host)
        config := defaultTLSConfig.Clone()
        ctx.Logf("signing for %s", stripPort(host))

        genCert := func() (*tls.Certificate, error) {
            return signHost(*ca, []string{hostname})
        }
        if ctx.certStore != nil {
            cert, err = ctx.certStore.Fetch(hostname, genCert)
        } else {
            cert, err = genCert()
        }

        if err != nil {
            ctx.Warnf("Cannot sign host certificate with provided CA: %s", err)
            return nil, err
        }

        config.Certificates = append(config.Certificates, *cert)
        // Drop the hard-coded GoproxyCa that defaultTLSConfig placed at index 0,
        // so the certificate signed by the custom CA is the one that gets served.
        config.Certificates = config.Certificates[1:]
        return config, nil
    }
}
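The thread above turns on one thing: whichever certificate sits at index 0 of tls.Config.Certificates is what the proxy serves, so a custom CA has to replace the default entry, not be appended after it. The program below is an added example, not code from this issue or from goproxy. It builds a throwaway CA in memory (constructed; it stands in for the operator's own MITM CA, which in goproxy is the tls.Certificate GoproxyCa), signs a per-host leaf with a minimal signHost of its own (not goproxy's), builds the per-host config with the leaf as the only entry, and runs a startup self-check that the served certificate is a host leaf chaining to the expected CA. The hostname example.internal and all function names are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA generates a throwaway self-signed CA, constructed in memory here in
// place of the operator's MITM CA (in goproxy, the tls.Certificate GoproxyCa).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example MITM CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, _ := x509.ParseCertificate(der) // der was just produced, so it parses
	return cert, key, nil
}

// signHost issues a leaf for hostname signed by the CA (a minimal stand-in for goproxy's own signHost).
func signHost(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, hostname string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // fixed for the example; real code uses random serials
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	// Serve the leaf followed by the issuing CA so clients can build the chain.
	return &tls.Certificate{Certificate: [][]byte{der, caCert.Raw}, PrivateKey: key, Leaf: leaf}, nil
}

// tlsConfigForHost builds the per-host server config. The signed leaf is the only
// entry in Certificates: it replaces any default CA certificate rather than being appended.
func tlsConfigForHost(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*tls.Config, error) {
	leaf, err := signHost(caCert, caKey, host)
	if err != nil {
		return nil, err
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{*leaf}}, nil
}

// checkIssuedBy is a startup self-check: the one certificate served must be a host leaf chaining to the expected CA.
func checkIssuedBy(cfg *tls.Config, caCert *x509.Certificate, host string) error {
	if n := len(cfg.Certificates); n != 1 {
		return fmt.Errorf("expected exactly one server certificate, got %d", n)
	}
	leaf, err := x509.ParseCertificate(cfg.Certificates[0].Certificate[0])
	if err != nil {
		return err
	}
	if leaf.IsCA {
		return fmt.Errorf("served certificate %q is a CA, not a host leaf", leaf.Subject.CommonName)
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	caCert, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	cfg, err := tlsConfigForHost(caCert, caKey, "example.internal")
	if err == nil {
		err = checkIssuedBy(cfg, caCert, "example.internal")
	}
	fmt.Println("custom CA self-check error:", err) // <nil> when the config is right
}
```

The self-check is deliberately strict: a config in the shape the issue describes (default CA certificate at index 0, custom leaf appended) fails on the count check, and a config that serves the CA certificate itself fails on the IsCA check, so a misconfigured proxy is caught at startup rather than when the first client rejects the handshake.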
guzzijones commented 3 years ago

delete this.

elazarl commented 3 years ago

@ajcypherint can't you just change goproxy GoproxyCa to your liking?

ajcypherint commented 3 years ago

Yes. Close this issue. The problem was with our internal certificate.
