Maxdamantus | Okay, so luckily that certificate expired at Apr 24 14:09:34 2009. | 06:16 |
Maxdamantus | but if maemo has a clock set to a time before that, any SSL connection could be intercepted. | 06:17 |
Maxdamantus | Presumably it's unused, unless there's something else in maemo that doesn't check the issuer expiry. | 06:18 |
Maxdamantus | Ah, actually, it's not used by microb. I guess it just tests the expiry time before checking that a certificate is in the store (since I was getting an "expired" error before setting my clock back) | 06:20 |
Maxdamantus | Damn, turns out Opera Mobile doesn't use SNI. | 11:23 |
Maxdamantus | I thought I saw the host it was connecting to before. | 11:23 |
Maxdamantus | microb uses it though. | 11:24 |
bencoh | SNI support sounds quite mandatory to me nowadays ... | 11:24 |
Maxdamantus | Anyway, this is what I've made so far: https://gist.github.com/Maxdamantus/e32ab94dbc5d9d43298428400020620e | 11:25 |
bencoh | Maxdamantus: silly question, but why not use one of the already available small-footprint proxies? | 11:25 |
Maxdamantus | bencoh: such as? | 11:25 |
bencoh | tinyproxy or polipo | 11:26 |
Maxdamantus | tinyproxy is an HTTP proxy | 11:26 |
Maxdamantus | Nothing to do with SSL | 11:26 |
bencoh | (tinyproxy might not have proper support for ssl, I don't quite remember) | 11:26 |
* Maxdamantus looks at polipo | 11:26 |
Maxdamantus | Again sounds like an HTTP proxy. | 11:26 |
bencoh | Tinyproxy is a light-weight HTTP/HTTPS proxy daemon | 11:26 |
Maxdamantus | That's a fairly misleading description. | 11:27 |
KotCzarny | you can have https proxy without any ssl | 11:27 |
KotCzarny | just copy data as is | 11:27 |
KotCzarny | I do it in my own proxy | 11:27 |
KotCzarny | you need a proxy that does ssl management if you want to interact in any way | 11:27 |
Wizzup | a thread for every socket? | 11:28 |
Maxdamantus | Yes, that's the intention of my program above. | 11:28 |
Maxdamantus | Wizzup: for now, yes. | 11:28 |
Wizzup | well, looks like you're having fun :) | 11:28 |
Maxdamantus | I don't expect to be maintaining a large number of connections. | 11:28 |
bencoh | you might be right about tinyproxy | 11:28 |
Wizzup | I'd personally do it in go - since it links statically with the latest tls support and does all of this multiplexing easily, but I guess there's no point to suggesting it :P | 11:28 |
Maxdamantus | also note that the program above is agnostic about a particular protocol. | 11:29 |
Wizzup | sure, just tls + sni | 11:29 |
bencoh | polipo caches content, so it probably handles ssl properly, though | 11:29 |
bencoh | Maxdamantus: you can't really be protocol-agnostic when it comes to starttls | 11:29 |
bencoh | and you'll eventually have to handle that as well | 11:29 |
bencoh | (same goes for SNI, actually) | 11:30 |
Maxdamantus | bencoh: well, it assumes that the entire socket is encapsulated in TLS. | 11:30 |
Maxdamantus | otherwise it's protocol agnostic. | 11:30 |
Maxdamantus | (though atm it doesn't forward ALPN) | 11:30 |
Maxdamantus | also regarding proxying, opera mobile doesn't seem to have the option to use a proxy. | 11:31 |
Maxdamantus | and I'm guessing if microb/firefox has that option, it will still want to use SSL over the proxy. | 11:31 |
Wizzup | what if you set the env variables? | 11:31 |
KotCzarny | in the worst case you have iptables | 11:32 |
Maxdamantus | (ie, it'd rely on something like `CONNECT google.com:443`) | 11:32 |
Wizzup | Maxdamantus: yes, indeed, it will do its own tls over the proxy. | 11:32 |
Maxdamantus | Wizzup: right, in which case polipo won't help, unless polipo actually does the funky TLS stuff that my program does. | 11:32 |
Wizzup | Maxdamantus: but you can intercept it | 11:32 |
Wizzup | yes | 11:32 |
Maxdamantus | (funky stuff = generating/signing certificates on the fly) | 11:32 |
Wizzup | why do you need to do that, though? | 11:33 |
Wizzup | if you have your own CA, you can just install a wildcard cert, no? | 11:33 |
Maxdamantus | Because if the browser makes a request to "google.com", the certificate used needs to have CN=google.com | 11:33 |
Wizzup | (plus, generating keys + certs takes a -long- time) | 11:33 |
Wizzup | Maxdamantus: wildcard should work? | 11:33 |
Maxdamantus | TLD wildcards are illegal. | 11:34 |
Wizzup | how do you think mitm proxies work? | 11:34 |
Maxdamantus | ie, *.com and * are illegal. | 11:34 |
Maxdamantus | Wizzup: they have to do what I do. | 11:34 |
Wizzup | really? | 11:34 |
Wizzup | mhm | 11:34 |
Maxdamantus | Wizzup: that's almost certainly what "mitmproxy" does. | 11:34 |
Wizzup | well, I guess you can re-use the same key | 11:34 |
Wizzup | then it doesn't take long | 11:34 |
Maxdamantus | (mitmproxy being some debugging utility written in Python, seems unsuitable for running locally on N900) | 11:34 |
Maxdamantus | Yes, I use the same key. | 11:34 |
Maxdamantus | but have to generate different certificates. | 11:35 |
Wizzup | maybe I'll do it in go for fun some time | 11:35 |
Maxdamantus | The "CAKEY.pem" passed in to my program is meant to be the key for the CA certificate, and it also uses that same key for all generated certificates. | 11:36 |
Maxdamantus | It could theoretically take in a second key for the latter, but that seems unnecessary. | 11:37 |
KotCzarny | generating certs is not a big problem if you just need it for few frequent sites | 11:37 |
Wizzup | you could use transparent socks proxy if n900 supports it | 11:37 |
Wizzup | (with iptables) | 11:37 |
Maxdamantus | and when/if I get it working properly, I'd rather just keep the key in memory instead of storing it on the filesystem, so don't want to generate too many keys on boot. | 11:37 |
Wizzup | Maxdamantus: just generate a new intermediate? | 11:38 |
Maxdamantus | Wizzup: there's no intermediate. | 11:38 |
Wizzup | then generate one ;) | 11:38 |
Maxdamantus | How does an intermediate help? | 11:38 |
Wizzup | if you want to keep the keys in memory... | 11:38 |
Wizzup | eh, whatever :) | 11:39 |
Maxdamantus | The intermediate would need to be signed by the trusted certificate's key. | 11:39 |
sicelo | opera mobile *can* use a proxy. it's in about:opera, or some such | 11:39 |
sicelo | opera:config | 11:40 |
Maxdamantus | Oh, cool. | 11:40 |
Maxdamantus | Okay, guess I'll adapt it to use that tomorrow. | 11:41 |
Maxdamantus | That should solve the lacking SNI issue too. | 11:41 |
Maxdamantus | since whatever it sends to the proxy should have the hostname. | 11:41 |
Maxdamantus | and yeah, that treats the proxy as an HTTP proxy and just uses "CONNECT github.com:443 HTTP/1.1 | 11:44 |
Maxdamantus | " | 11:44 |
Maxdamantus | eh, spaces. | 11:44 |
bencoh | hmm, mitmproxy looks pretty handy for android app REing | 11:47 |
Maxdamantus | also simplifies getting the browser to actually connect to the proxy. | 11:53 |
Maxdamantus | was intending on adding netfilter rules that did something like forward all :443 traffic to the proxy, unless the source is some particular address, which the proxy would bind to for outgoing connections. | 11:54 |
Maxdamantus | btw, https://github.com/kr/mitm might already be a sufficient Go implementation. | 11:58 |
Maxdamantus | Have to be careful with all these things though, given how explicit you have to be in OpenSSL to actually get validation to work. | 12:01 |
Maxdamantus | eg, checking that the certificate is valid and checking that the CN in the certificate matches what you're connecting to are different things. | 12:03 |
Maxdamantus | even though the hostname is specified in two places already (`BIO_set_conn_hostname` (for DNS lookup) and `SSL_set_tlsext_host_name` (SNI)) | 12:05 |
DocScrutinizer05 | BYEBYE Merkel | 15:59 |
DocScrutinizer05 | hurry up a bit! don't forget to take your rocks with you | 15:59 |
KotCzarny | don't worry, refugees are there to stay | 16:00 |
DocScrutinizer05 | I don't care too much about any refugees | 16:01 |
KotCzarny | well, not refugees, hostile tools of national identity disintegration | 16:01 |
KotCzarny | also, 2021? is that a joke? | 16:10 |
KotCzarny | 2 more years of the fun | 16:13 |
DocScrutinizer05 | alas you got a few points there | 16:29 |
* DocScrutinizer05 is tempted to run the streets shouting "HURRY UP! GET LOST!" | 16:30 |
DocScrutinizer05 | "I WON'T SURVIVE ANOTHER 2 YEARS OF THAT NARCOTIC" | 16:30 |
DocScrutinizer05 | there's hope she can't pull off the chancellorship 2 years as lame duck | 16:34 |
halftux | does somebody know where I could find these automated generated maemo diff files to debian source packages? | 20:51 |
sicelo | which ones? | 20:52 |
halftux | libsoup2.4 | 20:55 |
halftux | from original maemo source | 20:56 |
halftux | there was a URL where you could generate diff files from debian to maemo but I forget | 20:57 |
sicelo | no idea. :-/ | 21:12 |
DocScrutinizer05 | halftux, sicelo: it's been dead for ages | 23:16 |