Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support multiple TLS layers #279

Open
3hhh opened this issue Nov 14, 2020 · 4 comments
Open

Support multiple TLS layers #279

3hhh opened this issue Nov 14, 2020 · 4 comments

Comments

@3hhh
Copy link

3hhh commented Nov 14, 2020

I noticed that sslsplit autossl currently only removes the topmost TLS layer instead of all.

E.g. when connecting to a https website over a https proxy the proxy layer will be removed, but the website layer will not.

I guess one can currently work around this limitation by chaining multiple sslplit instances.

A great tool in total though, thanks!
@sonertari
Copy link
Collaborator

sonertari commented Nov 14, 2020
edited
Loading

In autossl mode, when we detect a ClientHello on the ingress path, we upgrade that TCP connection to SSL/TLS. Also see the documentation of ssl_tls_clienthello_parse() in ssl.c. So, frankly, I don't understand your comment, granted I use autossl with SMTP only. If you think that we need to do more, can you point me to the relevant documentation or further details?

@3hhh
Copy link
Author

3hhh commented Nov 16, 2020

Let me rephrase:

user session -- (leading to) --> sslsplit pcap

TLS(proto) -- (leading to) --> proto
TLS(TLS(proto)) -- (leading to) --> TLS(proto) <-- And I'd prefer it to be proto. That's what this is about.

Chaining your sslproxy twice (or one proxy and one sslsplit) to get it done might work for the case above, but one would need to know the number of TLS tunnels beforehand in general.

So in code I'd expect recursion on the outcome of the TLS-decrypted session until sslsplit cannot do anything anymore.

Side note:
The https mode also fails in the above situation IIRC (there's not http inside after all, just another TLS layer). However mitmproxy isn't doing any better. ;-)

@sonertari
Copy link
Collaborator

sonertari commented Nov 16, 2020
edited
Loading

This is not related with autossl. Why did you mention autossl in your first post?

You are asking if we can decrypt multiple encryption layers. To achieve that, you could perhaps use sslproxy as the listening program, but you would need to modify its source code to support the mode of operation required by the original sslproxy.

Do you have a real life use case for this? Other than perhaps to debug your qcrypt project.

@3hhh
Copy link
Author

3hhh commented Nov 16, 2020

Do you have a real life use case for this?

I was recently debugging https connections of a web scraper framework tunelled via a https proxy.
But I guess these kind of double encryption layers tend to occur with corporate https proxies as well. Probably not so often though as most proxies don't use SSL (yet?).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sonertari @3hhh