certtool --generate-dh-params --sec-param high --outfile proxy-dh.pem
-- Use "SECURE" as GnuTLS priority string which disallows insecure algorithms.
+- Use "SECURE" (replacing "NORMAL") as GnuTLS priority string which disallows
+ insecure algorithms.
- Add -a option, authentication for tlsproxy via basic digest authentication.
- Add new debug level (-d 3) for even more debug output, including information
about the current TLS session.
- Allow rehandshakes for server connections (%SAFE_RENEGOTIATION is forced to
- prevent issues).
+ prevent security issues).
- Use pre-generated Diffie-Hellman parameters in proxy-dh.pem.
- Code cleanup.
- Better error handling.
problem, but if you only check if it's a HTTPS connection then this attack is
possible.
+Another issue is embedded active content, like JavaScript. If the website
+includes data from a different host (e.g. a different sub-domain), for which
+tlsproxy has no certificate, then an attacker can MITM that connection and
+inject JavaScript with unknown consequences into the browser.
+
KNOWN ISSUES
------------
- certificate-'hostname'-proxy.pem
- certificate-'hostname'-server.pem
+Be careful: The hostname must match exactly, i.e. `www.example.org` and
+`example.org` are treated differently by *tlsproxy*. This might be an issue,
+especiall when '-u' is used!
+
Requires GnuTLS' *certtool*.
SYNOPSIS
--------
-*tlsproxy-setup*
+*tlsproxy-setup* ['--force']
DESCRIPTION
It creates the following files in the current directory:
-- proxy-ca.pem
-- proxy-ca-key.pem
-- proxy-dh.pem
-- proxy-key.pem
-- proxy-invalid.pem
+- `proxy-ca.pem`
+- `proxy-ca-key.pem`
+- `proxy-dh.pem`
+- `proxy-key.pem`
+- `proxy-invalid.pem`
+
+If any of these files exist, the program is aborted.
Requires GnuTLS' *certtool*.
LOG(DEBUG1, "connection to server established");
/* If the -u option is used and we don't know this hostname's server
- * certificate then just pass through the connection and let the client
+ * certificate, then just pass through the connection and let the client
* verify the server certificate. */
if (global_passthrough_unknown) {
char path[TLSPROXY_MAX_PATH_LENGTH];
set -e
-if test "$#" -ne 0; then
- echo "Usage: $0"
+if test "$#" -ge 1 && test x"$*" != 'x--force'; then
+ echo "Usage: $0 [--force]" >&2
exit 1
fi
+# Prevent accidental overwrites.
+if test x"$1" != 'x--force'; then
+ for x in proxy-ca-key.pem proxy-ca.pem \
+ proxy-key.pem proxy-invalid.pem proxy-dh.pem; do
+ if test -f "$x"; then
+ echo "File '$x' already exists. Use --force to overwrite." >&2
+ exit 2
+ fi
+ done
+fi
+
+
tempfile=`mktemp`
trap 'rm -f "$tempfile"' EXIT
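Review bot: The overwrite guard in the new loop only matches regular files (`test -f "$x"`), so a directory, FIFO or dangling symlink named e.g. `proxy-ca.pem` slips past the check and the script continues without `--force`; `if test -e "$x" || test -L "$x"; then` covers those cases and stays POSIX like the rest of the script. Since `--force` also regenerates `proxy-ca-key.pem`, a line in the usage message or the man page saying that certificates previously issued under the old CA presumably stop validating would help — I can't confirm that from this hunk, so check it against the issuing code before wording it. The two consecutive blank lines before `tempfile=` look accidental.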
/* Length for path arrays. */
#define TLSPROXY_MAX_PATH_LENGTH 1024
-/* Paths to necessary TLS files: the CA, the server key and DH parameters. */
+/* Paths to proxy files: the CA, the server key and DH parameters. */
#define PROXY_CA_PATH "proxy-ca.pem"
#define PROXY_KEY_PATH "proxy-key.pem"
#define PROXY_DH_PATH "proxy-dh.pem"
test_invalid_certificate
echo missing proxy certificate
-mv certificate-localhost-proxy.pem .pem
+mv certificate-localhost-proxy.pem certificate-www.localhost-proxy.pem
client localhost 4712 invalid || abort 'client localhost 4712 invalid'
-mv .pem certificate-localhost-proxy.pem
+mv certificate-www.localhost-proxy.pem certificate-localhost-proxy.pem
test_proxy_successful
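Review bot: The `client … || abort` line sits between the two `mv` calls, so a failing check leaves `certificate-localhost-proxy.pem` renamed to `certificate-www.localhost-proxy.pem` and the next test run starts without the proxy certificate, which masks the original failure behind a different one; the same pattern appears in every later hunk of this section (the server-certificate variants too). Restoring the file from `abort` or via a `trap … EXIT` would be more robust — `abort` is defined outside this hunk, so I can't tell whether it already does this. The new temporary name is itself a valid per-host certificate filename (per the hostname-matching note in the README change), which is harmless for these `localhost` tests but worth a comment such as `# renamed to a hostname the test never contacts`.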
test_invalid_certificate
tlsproxy_add localhost server.pem
echo mitm missing server certificate
-mv certificate-localhost-server.pem .pem
+mv certificate-localhost-server.pem certificate-www.localhost-server.pem
client localhost 4712 invalid || abort 'client localhost 4712 invalid'
-mv .pem certificate-localhost-server.pem
+mv certificate-www.localhost-server.pem certificate-localhost-server.pem
test_proxy_successful
test_invalid_certificate
echo mitm missing proxy certificate
-mv certificate-localhost-proxy.pem .pem
+mv certificate-localhost-proxy.pem certificate-www.localhost-proxy.pem
client localhost 4712 invalid || abort 'client localhost 4712 invalid'
-mv .pem certificate-localhost-proxy.pem
+mv certificate-www.localhost-proxy.pem certificate-localhost-proxy.pem
test_proxy_successful
test_invalid_certificate
test_invalid_certificate
echo missing proxy certificate
-mv certificate-localhost-proxy.pem .pem
+mv certificate-localhost-proxy.pem certificate-www.localhost-proxy.pem
# "invalid" to prevent user error if the proxy certificate gets deleted (but
# the server certificate is still readable).
client localhost 4712 invalid || abort 'client localhost 4712 invalid'
-mv .pem certificate-localhost-proxy.pem
+mv certificate-www.localhost-proxy.pem certificate-localhost-proxy.pem
test_proxy_successful
test_invalid_certificate
tlsproxy_add localhost server.pem
echo mitm missing server certificate
-mv certificate-localhost-server.pem .pem
+mv certificate-localhost-server.pem certificate-www.localhost-server.pem
client localhost 4712 'test server bad' || abort 'client localhost 4712 test server bad'
-mv .pem certificate-localhost-server.pem
+mv certificate-www.localhost-server.pem certificate-localhost-server.pem
test_proxy_successful
test_invalid_certificate
echo mitm missing proxy certificate
-mv certificate-localhost-proxy.pem .pem
+mv certificate-localhost-proxy.pem certificate-www.localhost-proxy.pem
# "invalid" to prevent user error if the proxy certificate gets deleted (but
# the server certificate is still readable).
client localhost 4712 invalid || abort 'client localhost 4712 invalid'
-mv .pem certificate-localhost-proxy.pem
+mv certificate-www.localhost-proxy.pem certificate-localhost-proxy.pem
test_proxy_successful
test_invalid_certificate