This module will be used to perform some TLS inspection. The goal is to grab the client hello and dial the requested server on the same listening port. Once it's dialed, there are two options:
- either pass the clienthello to the server and patch the two connections
- generate a new clienthello, grab the serverhello, generate certificates on the fly by copying the
Features:
- inspect mode: double handshake generating a new certificate on the fly
- bypass mode: forwarding handshake depending on SNI
- connect-to: use address instead of SNI for the remote address
- endpoint: don't re-encrypt the traffic
- generate own CA
- output CA certificate
- set server certificate/key
I tried to do a PoC but it's really hard:
- start a tcp server
- wait for a tcp connection
- duplicate a reader from the tcp connection to a buffer
- wrap tcp connection into a tls connection
- register callback for client hello
- start handshake
- when callback triggers
- send servername from clienthello to dedicated buffer goroutine
- read the entire buffer from the goroutine
- dial tcp connection from servername
- send the buffered first bytes which should be the client hello to the new tcp socket
- pipe the conn (not the tls conn) to the new tcp socket read/write
Edit:
Merge the new module with tcp-server since the module currently just sends the bytes through the channel.