emanuele-f / PCAPdroid

No-root network monitor, firewall and PCAP dumper for Android
https://emanuele-f.github.io/PCAPdroid
GNU General Public License v3.0
2.08k stars 260 forks

Option to ignore particular port and/or protocol for decryption #400

Closed vvyushmanov closed 5 months ago

vvyushmanov commented 5 months ago

Hi!

I haven't found anything on this here, so here's my question. I know this is more in regards to mitmproxy, but maybe you'll be able to point me in right direction.

Our app uses HTTPS over TLS1.3 (port 443) and SIP TLS over TLS1.2 (port 5061). So, whenever I enable decryption, HTTPS packets are successfully decrypted, but TLS handshakes for SIP TLS on port 5061 fail.

Is there any way to pass through a particular port and/or protocol?

[W] 25/Jan/2024 19:33:43 - [19:33:43.326][127.0.0.1:35508] Server TLS handshake failed. connection closed
[W] 25/Jan/2024 19:33:53 - stdlib/dataclasses.py:1203: ResourceWarning: unclosed <socket.socket fd=160, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('192.168.50.102', 48358), raddr=('******', 5061)>
ResourceWarning: Enable tracemalloc to get the object allocation traceback

vvyushmanov commented 5 months ago

I've followed mitmproxy documentation, tried the following options

  1. --ignore-hosts .*:5061 - didn't work; for some reason the port is not taken into consideration, although the docs state it should be
  2. --tcp .*
  3. --tcpraw

Basically, one of two options would resolve this:

  1. A way to intercept/decode HTTPS (port 443) traffic ONLY
  2. A way to give a custom certificate to mitmproxy (which is possible, but it's unclear how to give a path to it within PCAPdroid)

vvyushmanov commented 5 months ago

I've also tried setting up external mitmproxy, and it seems to respect the --ignore-hosts=.*:5061 parameter. So, it looks like this (respecting the port, and not the host only) is something they've added relatively recently.

Is it possible to update the mitmproxy addon to respect the host:port parameters for allow/ignore host options?

emanuele-f commented 5 months ago

What about --ignore-hosts :5061? I would avoid adding a whitelist for this; does working with an IP or domain decryption rule not work for your use case?

vvyushmanov commented 5 months ago

Thanks for the reply!

Yeah, this is the exact option I was trying to use in the "mitmproxy additional options". It is working on the latest mitmproxy for Linux, but does not work on the version embedded with the addon.

I did some digging and found this issue on the mitmproxy GitHub: https://github.com/mitmproxy/mitmproxy/issues/6325, https://github.com/mitmproxy/mitmproxy/pull/6594, https://github.com/mitmproxy/mitmproxy/pull/6614

Turns out, this was fixed just recently. Can you please apply these fixes or update to the latest mitmproxy version?

emanuele-f commented 5 months ago

I saw other fixes done in 10.2.2, so I will update the addon to use the latest version. I will share a beta version here; officially this will be available in PCAPdroid 1.7.0.

emanuele-f commented 5 months ago

The issue you had with the --ignore-hosts option was probably related to my patches to remove the aioquic_mitmproxy and mitmproxy_rs native modules from mitmproxy. This is fixed in https://github.com/emanuele-f/mitmproxy/commit/88cc641c01b1893aeb4038205620fa6b5b7bcfdd.

For the mitmproxy 10.2.2 update, since the rework done in https://github.com/mitmproxy/mitmproxy/commit/6e38a56f4c399551c3fe3d399bddfa8083ccd0f1 introduces non-trivial conflicts with my patches, I've just backported the --ignore-hosts/--allow-hosts fixes to 10.1.6.

All the fixes are now available in the v1.1 release of PCAPdroid-mitm. You can test it with the following beta apk: PCAPdroid_1.6.9-1bab9e0.apk. Let me know how it works for you.

vvyushmanov commented 5 months ago

Hi!

I've tested both --ignore-hosts/--allow-hosts (--ignore-hosts .*:5061 and --allow-hosts .*:443) and the fix works! thx! It successfully bypasses the packets on the remote 5061 port and does what I needed it to do :)
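
The host:port matching behind the --ignore-hosts / --allow-hosts patterns tested above, as an added example that is not part of this thread and not mitmproxy's or PCAPdroid's own code. It assumes mitmproxy's documented semantics (each pattern is a regex searched against the "host:port" string, case-insensitively; ignore wins over allow; a non-empty allow list acts as a whitelist) and uses constructed sample connections; it also shows why an unanchored pattern like `.*:443` can over-match.

```python
import re

# Constructed re-implementation of the host:port matching semantics
# (assumption: regex searched against "host:port", case-insensitive).
# "host" is whatever the proxy sees: an SNI name or a destination IP.


def _matches_any(patterns, host, port):
    """True if any pattern matches the "host:port" string."""
    address = f"{host}:{port}"
    return any(re.search(p, address, re.IGNORECASE) for p in patterns)


def should_intercept(host, port, ignore_hosts=(), allow_hosts=()):
    """Decide whether a TLS connection is decrypted (True) or passed through.

    ignore_hosts always passes the connection through untouched.
    allow_hosts, when non-empty, is a whitelist: only matches are decrypted.
    """
    if _matches_any(ignore_hosts, host, port):
        return False
    if allow_hosts:
        return _matches_any(allow_hosts, host, port)
    return True


def classify(connections, ignore_hosts=(), allow_hosts=()):
    """Map each (host, port) to "intercept" or "passthrough"."""
    return {
        f"{h}:{p}": ("intercept" if should_intercept(h, p, ignore_hosts, allow_hosts)
                     else "passthrough")
        for h, p in connections
    }


# Constructed sample: HTTPS on 443 and SIP over TLS on 5061, as in the thread.
SAMPLE_CONNECTIONS = [("api.example.com", 443), ("sip.example.com", 5061)]

if __name__ == "__main__":
    print(classify(SAMPLE_CONNECTIONS, ignore_hosts=[".*:5061"]))
    print(classify(SAMPLE_CONNECTIONS, allow_hosts=[".*:443"]))
    # Pitfall: ".*:443" also matches port 4433 because ":443" is a substring.
    print(should_intercept("10.0.0.5", 4433, allow_hosts=[".*:443"]))   # True
    print(should_intercept("10.0.0.5", 4433, allow_hosts=[".*:443$"]))  # False
```

Anchoring the port with `$` (for example `.*:443$`) is the safer form when the intent is exactly one port.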

emanuele-f commented 5 months ago

Great! I've added this info to https://emanuele-f.github.io/PCAPdroid/tls_decryption#331-exclude-specific-hostsports. For now this is enough to address this task; if there are other needs in the future we can evaluate them.