X-Git-Url: https://ruderich.org/simon/gitweb/?p=tlsproxy%2Ftlsproxy.git;a=blobdiff_plain;f=README;h=f72eca02910eb361426f9d2af293471039ac497e;hp=81bb4fcdd761dda8f120093c5ca8a22de66c15a9;hb=HEAD;hpb=4f17e2a1251d1b460c51fd37f70ea85cd59eb1fa diff --git a/README b/README index 81bb4fc..f72eca0 100644 --- a/README +++ b/README @@ -11,6 +11,7 @@ tlsproxy is licensed under GPL 3 (or later). REQUIREMENTS ------------ +- C89 compiler - GnuTLS library including development headers - certtool (from GnuTLS) to create TLS certificates @@ -23,7 +24,8 @@ This creates the following files: - `proxy-ca.pem`: CA which is used for all connections to the client - `proxy-ca-key.pem`: private key for the CA -- `proxy-key.pem`: private key for the server +- `proxy-dh.pem`: Diffie-Hellman parameters for the proxy +- `proxy-key.pem`: private key for the proxy - `proxy-invalid.pem`: special certificate used for invalid pages Then import the CA file `proxy-ca.pem` in your browser so it can validate the @@ -47,7 +49,7 @@ If the validation is successful the proxy uses the `certificate-*-proxy.pem` certificate to secure the connection to the client (signed by `proxy-ca.pem`). If an error occurs in the validation (missing `certificate-*.pem` files, -fingerprint changed, etc.) it's logged by the proxy (stdout) and the special +fingerprint changed, etc.) it's logged by the proxy (stderr) and the special `proxy-invalid.pem` certificate is used to send a 500 error message to the client. The connection to the server is closed so there's no chance that any client data is sent to the (possible) evil server. The invalid certificate is @@ -89,6 +91,11 @@ If you always verify the authentication of the connection this isn't a problem, but if you only check if it's a HTTPS connection then this attack is possible. +Another issue is embedded active content, like JavaScript. If the website +includes data from a different host (e.g. a different sub-domain), for which +tlsproxy has no certificate, then an attacker can MITM that connection and +inject JavaScript with unknown consequences into the browser. + KNOWN ISSUES ------------ @@ -96,3 +103,30 @@ KNOWN ISSUES - Firefox (at least Iceweasel 3.5.16 on Debian) fails to load the error page sent with the "invalid" certificate once the certificate has been accepted. As the user shouldn't accept the invalid certificate this is a minor issue. + + +AUTHORS +------- + +Written by Simon Ruderich . + + +LICENSE +------- + +tlsproxy is licensed under GPL version 3 or later. + +Copyright (C) 2011-2014 Simon Ruderich + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see .