Could you add support for TLS socket

[talamaska]

This is very nice module, but it limits to non-secure tcp connections. Could you add support for TLS socket, as it is the workaround for secure tcp sockets

[moll]

Hey, thanks!

I actually thought I did that... at least TLSSockets should be intercepted and treated as if they are non-secure sockets because otherwise you'd have to fake certificates and disable strict checking in your client side code.

Do you have something else in mind when you wish for support for TLS sockets?

[talamaska]

Well if you write your own tls server you would have the certificates, and you could attach them to the tls, secure connection and make the handshake

[moll]

Mkay. So I could get a better understanding of how this might work, how would you use it? Do you have some code that depends on the returned certificate info and you're trying to test that?

[talamaska]

As I said I have tcp server, and there should be a native app that makes some requests. But for that to be tested i would need a test app, someone to make a native app and some time, basically the server security is untestable now. Of course I could write a node.js tcp client, But it doesn't feel right.

On 10 June 2014 17:57, Andri Möll notifications@github.com wrote:

Mkay. So I could get a better understanding of how this might work, how would you use it? Do you have some code that depends on the returned certificate info and you're trying to test that?

— Reply to this email directly or view it on GitHub https://github.com/moll/node-mitm/issues/3#issuecomment-45624601.

Best Regards, Zlati Pehlivanov

[moll]

Sorry, I'm not exactly getting how you'd use Mitm.js in this case.

Let me get this straight — do I assume correctly when I say you've got an external TCP server somewhere that, let's say, provides an API. Then you have some JavaScript code that will hit that server and handle the responses. Now you'd like to use Mitm.js to test those response handlers in JavaScript?

Or is the TCP server the one in JavaScript and you'd just like to make requests against an in-process TCP server?

[talamaska]

The TCP server is also node.js. I read the description of the module and it says "Intercept and mock outgoing Node.js network TCP connections" I want to do that but for secured connection.

[moll]

If the server you're testing against is in the same process, then you'd be better off making requests directly against that. If not, then Mitm.js is indeed the tool to use.

However, sorry, I don't yet exactly follow you which specific functionality is missing currently that you wish to use? Would you mind describing that (pseudo-code is fine)?

I think when you do Tls.connect with Mitm it'll actually be intercepted as well. Is that not the case?

[defunctzombie]

The issue I am running into allowing certain https requests to continue to the original source (bypass). Right now these bypassed requests seem to be trying to make https connections to the endpoint which is not allowed by the host I am trying to reach.

[moll]

Thanks again, @defunctzombie. Your fix for that is live as v1.0.1.

@talamaska: Mind clarifying a few details I asked before? Thanks!

[talamaska]

I don't really remember what i had in mind when I was commenting and reporting. So I see you have tls, but i don't see how I would setup the security certificates. I don't want to bypass to tcp. I want to especially test my server against certificate based attack, lets say.

[moll]

@talamaska: I haven't tried, but theoretically you should be able to do that with TCP intercepting. After all, mitm.on("connection") gives you a plain TCP socket to work with. If you could pipe that to test-local hostile TLS servers, you could test your app's behavior with invalid certificates.

But then again, Mitm was overwriting Tls.connect to return a non-encrypted client back that won't do any certificate checking. Yeah, Mitm would have to somehow not do that for you to test certificate handling.

[papandreou]

As a side point, it seems like the fact that a client cert is used is discoverable when mitm'ing an https request, as the second argument passed to connect and connection listeners will contain an agent property which in turn has the cert, key, and ca properties. That'll help me test that some of my code is connecting using the correct client cert.

[moll]

I'll close this for now as there's nothing actionable here, but we can continue discussing. If there's something Mitm can directly make easier when testing TLS connections, please let me know!