HTTPS and offline cache working with LittleProxy #174
It's derived from the OWASP Zed Attack Proxy Project, which is licensed under the Apache License, Version 2.0. The certificate authority is created lazily with Bouncy Castle. The key store type is PKCS12, which has to be implemented by every vendor. The server certificates won't be cached, but the connection is already cached. It lacks upstream certificate validation (!) and proper exception handling.
I like this. It looks like it's an implementation of previous PR #171, but implemented with Bouncy Castle instead of the internal sun classes. A couple questions:
Just curious... why mark this new class @deprecated? Is there a replacement we should use instead? The listed deprecation reason doesn't seem like a real reason to deprecate the class.
Just curious... why mark this new class @deprecated
I've modified the API and this class shows the reason for it. Use HostNameMitmManager instead of CertificateSniffingMitmManager please. First: it's simpler to impersonate by host name. Second: long lists of subject alternative names are truncated somewhere. A bug? But: it's important to store the complete upstream cert to present it to the user anyway.
Please give me both, the host name and the SSL session in the manager.
With my laptop, Core 2 Duo, 2.4GHz, Linux: regularly 50 - 150ms 9339 2015-01-24 09:13:23,402 INFO [MoCuishle-ClientToProxyWorker-0] It benefits from connection caching. High load to one site - less
The commons-collections was in test scope and built with Eclipse.
I really think this additional caching is obsolete. It doesn't feel better to me. Please double check this in your environments.
A MITM manager must never be instantiated without a valid key store.
Despite this, I see you did indeed add caching :) I like the guava cache implementation and I think it's a worthwhile addition. I did add a couple in-line comments for you to review. I think this is a GREAT PR, thank you for putting it together! It's going to be a big help for browsermob-proxy once our littleproxy integration is complete.
Cache could be given by a parameter for singleton or possibly null
A proxy must never install a manager without a valid certificate authority, but exceptions with dynamic certificates could be handled differentially. Enhanced documentation
@ganskef -- it looks like the bcprov-jdk16 artifact is pretty out-of-date (Feb 2011) and not actively maintained. bcprov-jdk15on works with Java 1.5+ and is actively maintained (latest release Jul 2014). Would it be possible to update this PR to work with the jdk15on versions of bouncy castle?

Also, could you add some unit tests? That would have the secondary benefit of showing people how to use the new functionality.
In offline mode a CONNECT to the server must be suppressed. This causes some fields to be null.
Hello Myle, yes, I'm working on it. It's not so easy. I need an SSL enabled server and I'm thinking about more composition than inheritance. I plan tests for Regards Frank On 01.03.2015 at 07:47, myleshorton wrote:
Hi @ganskef -- I see the MITM functionality has been removed from this PR, but where did it go? I'm very excited about that and I would love to help you test it :) Regarding the rest of the PR, I wanted to ask: what functionality is it implementing? I see it is now titled "HTTPS and offline cache" (instead of the previous title "HTTPS impersonation"), but what exactly is the offline cache doing? What is the use case you have in mind? Since the purpose of this PR has completely changed, could you at least squash the commits related to the MITM impersonation, since they are not part of this change anymore? The extra noise makes understanding the offline caching change a bit confusing. For future reference, if you want to implement a different feature, it's usually easiest and cleanest to just create a new PR and close the old one (if you no longer want to merge it).
The purpose is to store traffic while Online and spool it in an Offline mode.
Hello Jason, this PR targets the following issues:
What should I do? I'm helpless. Please, give me some suggestions. Should I close this request and create new, more dedicated PRs? Should I delete the forked LittleProxy to get a clean master? Should I create a branch for each feature like I've done in PR #175? Regards Frank
The hosts must be unreachable to show what happens. Now it's necessary to bootstrap an AdressResolver to suppress the server handshake.
@jekh sorry, I've forgotten an issue:
Proxy to server connections need peer information to connect to Server Name Indication (SNI) enabled sites. The client has to send an extension server_name: [host_name: developer.chrome.com] for example within the handshake.
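As an added example (not code from this PR or from LittleProxy), the client-side SSLEngine setup that the commit message calls for: the peer host is passed into the engine so the ClientHello carries the SNI server_name extension, and HTTPS endpoint identification is switched on so the upstream certificate is checked against that host (the validation the PR description says is missing). It assumes the standard Java 8 javax.net.ssl API and a hypothetical helper class name.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.Collections;
import java.util.List;

// Hypothetical helper (not part of LittleProxy): builds the SSLEngine used on
// the proxy-to-server side of a MITM'd connection.
public final class UpstreamSslEngineFactory {

    private final SSLContext context;

    public UpstreamSslEngineFactory(SSLContext context) {
        this.context = context;
    }

    public SSLEngine newClientEngine(String peerHost, int peerPort) {
        // Creating the engine with the peer host/port gives JSSE the hint it
        // needs for both SNI and endpoint identification.
        SSLEngine engine = context.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);

        SSLParameters params = engine.getSSLParameters();
        // Explicit SNI: the handshake sends server_name: [host_name: peerHost].
        List<SNIServerName> names =
                Collections.<SNIServerName>singletonList(new SNIHostName(peerHost));
        params.setServerNames(names);
        // Verify the upstream certificate's subject/SAN against peerHost during
        // the handshake; without this a valid cert for any name would be accepted.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Default context trusts the JVM's CA store; the MITM key store is only
        // for the client-facing side and must not be used here.
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine engine = new UpstreamSslEngineFactory(ctx)
                .newClientEngine("developer.chrome.com", 443);
        for (SNIServerName name : engine.getSSLParameters().getServerNames()) {
            System.out.println("SNI host_name: " + ((SNIHostName) name).getAsciiName());
        }
    }
}
```

Endpoint identification only has an effect when the context's trust manager is an X509ExtendedTrustManager (the JDK default is), so an all-trusting custom trust manager would silently undo the check.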
Conflicts: src/main/java/org/littleshoot/proxy/impl/ProxyToServerConnection.java
…isk#210 Conflicts: src/main/java/org/littleshoot/proxy/MitmManager.java src/main/java/org/littleshoot/proxy/SslEngineSource.java src/main/java/org/littleshoot/proxy/extras/SelfSignedMitmManager.java src/main/java/org/littleshoot/proxy/impl/ProxyToServerConnection.java
nice work @ganskef . I think your https://github.com/ganskef/LittleProxy-mitm project should be at least mentioned in the MITM part of the readme of this project. What do you think @jekh?
Not closing client connections even when all servers have disconnected, except when sslEngine is not null, otherwise it breaks Man-In-The-Middle.
- Current version (SNAPSHOT)
- some common use cases
- subscribe forum hint
- removed incomplete revision history
With adamfisk#122 the context of the client connection only was made available to filters. It makes it possible to access the pipeline to change codecs and decoders, if needed. This commit provides the server context on connection succeeded too.

I will create a separate branch for this, since I've started to mix incidents in the master. So I'm going to close this pull request.