| Maxdamantus | Okay, so luckily that certificate expired on Apr 24 14:09:34 2009. | 06:16 |
|---|---|---|
| Maxdamantus | but if maemo has a clock set to a time before that, any SSL connection could be intercepted. | 06:17 |
| Maxdamantus | Presumably it's unused, unless there's something else in maemo that doesn't check the issuer expiry. | 06:18 |
| Maxdamantus | Ah, actually, it's not used by microb. I guess it just tests the expiry time before checking that a certificate is in the store (since I was getting an "expired" error before setting my clock back) | 06:20 |
| Maxdamantus | Damn, turns out Opera Mobile doesn't use SNI. | 11:23 |
| Maxdamantus | I thought I saw the host it was connecting to before. | 11:23 |
| Maxdamantus | microb uses it though. | 11:24 |
| bencoh | SNI support sounds quite mandatory to me nowadays ... | 11:24 |
| Maxdamantus | Anyway, this is what I've made so far: https://gist.github.com/Maxdamantus/e32ab94dbc5d9d43298428400020620e | 11:25 |
| bencoh | Maxdamantus: silly question, but why not use one of the already available small-footprint proxies? | 11:25 |
| Maxdamantus | bencoh: such as? | 11:25 |
| bencoh | tinyproxy or polipo | 11:26 |
| Maxdamantus | tinyproxy is an HTTP proxy | 11:26 |
| Maxdamantus | Nothing to do with SSL | 11:26 |
| bencoh | (tinyproxy might not have proper support for ssl, I don't quite remember) | 11:26 |
| * | Maxdamantus looks at polipo | 11:26 |
| Maxdamantus | Again sounds like an HTTP proxy. | 11:26 |
| bencoh | Tinyproxy is a light-weight HTTP/HTTPS proxy daemon | 11:26 |
| Maxdamantus | That's a fairly misleading description. | 11:27 |
| KotCzarny | you can have https proxy without any ssl | 11:27 |
| KotCzarny | just copy data as is | 11:27 |
| KotCzarny | I do it in my own proxy | 11:27 |
| KotCzarny | you need a proxy that does ssl management if you want to interact in any way | 11:27 |
| Wizzup | a thread for every socket? | 11:28 |
| Maxdamantus | Yes, that's the intention of my program above. | 11:28 |
| Maxdamantus | Wizzup: for now, yes. | 11:28 |
| Wizzup | well, looks like you're having fun :) | 11:28 |
| Maxdamantus | I don't expect to be maintaining a large number of connections. | 11:28 |
| bencoh | you might be right about tinyproxy | 11:28 |
| Wizzup | I'd personally do it in go - since it links statically with the latest tls support and does all of this multiplexing easily, but I guess there's no point to suggesting it :P | 11:28 |
| Maxdamantus | also note that the program above is agnostic about a particular protocol. | 11:29 |
| Wizzup | sure, just tls + sni | 11:29 |
| bencoh | polipo caches content, so it probably handles ssl properly, though | 11:29 |
| bencoh | Maxdamantus: you can't really be protocol-agnostic when it comes to starttls | 11:29 |
| bencoh | and you'll eventually have to handle that as well | 11:29 |
| bencoh | (same goes for SNI, actually) | 11:30 |
| Maxdamantus | bencoh: well, it assumes that the entire socket is encapsulated in TLS. | 11:30 |
| Maxdamantus | otherwise it's protocol agnostic. | 11:30 |
| Maxdamantus | (though atm it doesn't forward ALPN) | 11:30 |
| Maxdamantus | also regarding proxying, opera mobile doesn't seem to have the option to use a proxy. | 11:31 |
| Maxdamantus | and I'm guessing if microb/firefox has that option, it will still want to use SSL over the proxy. | 11:31 |
| Wizzup | what if you set the env variables? | 11:31 |
| KotCzarny | in the worst case you have iptables | 11:32 |
| Maxdamantus | (ie, it'd rely on something like `CONNECT google.com:443`) | 11:32 |
| Wizzup | Maxdamantus: yes, indeed, it will do its own tls over the proxy. | 11:32 |
| Maxdamantus | Wizzup: right, in which case polipo won't help, unless polipo actually does the funky TLS stuff that my program does. | 11:32 |
| Wizzup | Maxdamantus: but you can intercept it | 11:32 |
| Wizzup | yes | 11:32 |
| Maxdamantus | (funky stuff = generating/signing certificates on the fly) | 11:32 |
| Wizzup | why do you need to do that, though? | 11:33 |
| Wizzup | if you have your own CA, you can just install a wildcard cert, no? | 11:33 |
| Maxdamantus | Because if the browser makes a request to "google.com", the certificate used needs to have CN=google.com | 11:33 |
| Wizzup | (plus, generating keys + certs takes a -long- time) | 11:33 |
| Wizzup | Maxdamantus: wildcard should work? | 11:33 |
| Maxdamantus | TLD wildcards are illegal. | 11:34 |
| Wizzup | how do you think mitm proxies work? | 11:34 |
| Maxdamantus | ie, *.com and * are illegal. | 11:34 |
| Maxdamantus | Wizzup: they have to do what I do. | 11:34 |
| Wizzup | really? | 11:34 |
| Wizzup | mhm | 11:34 |
| Maxdamantus | Wizzup: that's almost certainly what "mitmproxy" does. | 11:34 |
| Wizzup | well, I guess you can re-use the same key | 11:34 |
| Wizzup | then it doesn't take long | 11:34 |
| Maxdamantus | (mitmproxy being some debugging utility written in Python, seems unsuitable for running locally on N900) | 11:34 |
| Maxdamantus | Yes, I use the same key. | 11:34 |
| Maxdamantus | but have to generate different certificates. | 11:35 |
| Wizzup | maybe I'll do it in go for fun some time | 11:35 |
| Maxdamantus | The "CAKEY.pem" passed in to my program is meant to be the key for the CA certificate, and it also uses that same key for all generated certificates. | 11:36 |
| Maxdamantus | It could theoretically take in a second key for the latter, but that seems unnecessary. | 11:37 |
| KotCzarny | generating certs is not a big problem if you just need it for few frequent sites | 11:37 |
| Wizzup | you could use transparent socks proxy if n900 supports it | 11:37 |
| Wizzup | (with iptables) | 11:37 |
| Maxdamantus | and when/if I get it working properly, I'd rather just keep the key in memory instead of storing it on the filesystem, so don't want to generate too many keys on boot. | 11:37 |
| Wizzup | Maxdamantus: just generate a new intermediate? | 11:38 |
| Maxdamantus | Wizzup: there's no intermediate. | 11:38 |
| Wizzup | then generate one ;) | 11:38 |
| Maxdamantus | How does an intermediate help? | 11:38 |
| Wizzup | if you want to keep the keys in memory... | 11:38 |
| Wizzup | eh, whatever :) | 11:39 |
| Maxdamantus | The intermediate would need to be signed by the trusted certificate's key. | 11:39 |
| sicelo | opera mobile *can* use a proxy. it's in about:opera, or some such | 11:39 |
| sicelo | opera:config | 11:40 |
| Maxdamantus | Oh, cool. | 11:40 |
| Maxdamantus | Okay, guess I'll adapt it to use that tomorrow. | 11:41 |
| Maxdamantus | That should solve the lacking SNI issue too. | 11:41 |
| Maxdamantus | since whatever it sends to the proxy should have the hostname. | 11:41 |
| Maxdamantus | and yeah, that treats the proxy as an HTTP proxy and just uses "CONNECT github.com:443 HTTP/1.1" | 11:44 |
| Maxdamantus | eh, spaces. | 11:44 |
| bencoh | hmm, mitmproxy looks pretty handy for android app REing | 11:47 |
| Maxdamantus | also simplifies getting the browser to actually connect to the proxy. | 11:53 |
| Maxdamantus | was intending on adding netfilter rules that did something like forward all :443 traffic to the proxy, unless the source is some particular address, which the proxy would bind to for outgoing connections. | 11:54 |
| Maxdamantus | btw, https://github.com/kr/mitm might already be a sufficient Go implementation. | 11:58 |
| Maxdamantus | Have to be careful with all these things though, given how explicit you have to be in OpenSSL to actually get validation to work. | 12:01 |
| Maxdamantus | eg, checking that the certificate is valid and checking that the CN in the certificate matches what you're connecting to are different things. | 12:03 |
| Maxdamantus | even though the hostname is specified in two places already (`BIO_set_conn_hostname` (for DNS lookup) and `SSL_set_tlsext_host_name` (SNI)) | 12:05 |
| DocScrutinizer05 | BYEBYE Merkel | 15:59 |
| DocScrutinizer05 | hurry up a bit! don't forget to take your rocks with you | 15:59 |
| KotCzarny | don't worry, refugees are there to stay | 16:00 |
| DocScrutinizer05 | I don't care too much about any refugees | 16:01 |
| KotCzarny | well, not refugees, hostile tools of national identity disintegration | 16:01 |
| KotCzarny | also, 2021? is that a joke? | 16:10 |
| KotCzarny | 2 more years of the fun | 16:13 |
| DocScrutinizer05 | alas you got a few points there | 16:29 |
| * | DocScrutinizer05 is tempted to run the streets shouting "HURRY UP! GET LOST!" | 16:30 |
| DocScrutinizer05 | "I WON'T SURVIVE ANOTHER 2 YEARS OF THAT NARCOTIC" | 16:30 |
| DocScrutinizer05 | there's hope she can't pull off the chancellorship 2 years as lame duck | 16:34 |
| halftux | does somebody know where I could find these automated generated maemo diff files to debian source packages? | 20:51 |
| sicelo | which ones? | 20:52 |
| halftux | libsoup2.4 | 20:55 |
| halftux | from original maemo source | 20:56 |
| halftux | there was a URL where you could generate diff files from debian to maemo but I forget | 20:57 |
| sicelo | no idea. :-/ | 21:12 |
| DocScrutinizer05 | halftux, sicelo: it's been dead for ages | 23:16 |