Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[Self-Signed] Ability to ignore cert checks for upstream servers #536

Closed
sam-kleiner opened this issue Apr 8, 2021 · 10 comments · Fixed by #1446
Closed

[Self-Signed] Ability to ignore cert checks for upstream servers #536

sam-kleiner opened this issue Apr 8, 2021 · 10 comments · Fixed by #1446
Labels
Good First Issue Issues for new contributors to pick-up Task Tasks & chores related to proxy.py

Comments

@sam-kleiner
Copy link

sam-kleiner commented Apr 8, 2021
edited by abhinavsingh
Loading

Is your feature request related to a problem? Please describe.
I am unable to use proxy.py when the upstream is using a self signed cert when using mitm mode. I have no issues using this with properly signed certs.

Describe the solution you'd like
An option to ignore upstream certificates when using mitm mode.

--ignore-upstream-ssl

Describe alternatives you've considered
An option to specify certs to verify against when calling the upstream on a per domain basis

--upstream-verify localhost=/path/to/cert --upstream-verify nginx.local=/path/to/cert2

Additional context
The following error occurs when trying to mitm an upstream with an unsigned cert.

proxy-http-mitm            | 2021-04-08 14:07:18,681 - pid:9 [E] run:359 - ssl.SSLError
proxy-http-mitm            | Traceback (most recent call last):
proxy-http-mitm            |   File "/usr/local/lib/python3.8/site-packages/proxy/http/handler.py", line 353, in run
proxy-http-mitm            |     teardown = self.run_once()
proxy-http-mitm            |   File "/usr/local/lib/python3.8/site-packages/proxy/http/handler.py", line 338, in run_once
proxy-http-mitm            |     teardown = self.handle_events(readables, writables)
proxy-http-mitm            |   File "/usr/local/lib/python3.8/site-packages/proxy/http/handler.py", line 152, in handle_events
proxy-http-mitm            |     teardown = self.handle_readables(readables)
proxy-http-mitm            |   File "/usr/local/lib/python3.8/site-packages/proxy/http/handler.py", line 298, in handle_readables
proxy-http-mitm            |     upgraded_sock = plugin.on_request_complete()
proxy-http-mitm            |   File "/usr/local/lib/python3.8/site-packages/proxy/http/proxy/server.py", line 352, in on_request_complete
proxy-http-mitm            |     return self.intercept()
proxy-http-mitm            |   File "/usr/local/lib/python3.8/site-packages/proxy/http/proxy/server.py", line 524, in intercept
proxy-http-mitm            |     self.wrap_server()
proxy-http-mitm            |   File "/usr/local/lib/python3.8/site-packages/proxy/http/proxy/server.py", line 551, in wrap_server
proxy-http-mitm            |     self.server.wrap(text_(self.request.host), self.flags.ca_file)
proxy-http-mitm            |   File "/usr/local/lib/python3.8/site-packages/proxy/core/connection/server.py", line 44, in wrap
proxy-http-mitm            |     self._conn = ctx.wrap_socket(
proxy-http-mitm            |   File "/usr/local/lib/python3.8/ssl.py", line 500, in wrap_socket
proxy-http-mitm            |     return self.sslsocket_class._create(
proxy-http-mitm            |   File "/usr/local/lib/python3.8/ssl.py", line 1040, in _create
proxy-http-mitm            |     self.do_handshake()
proxy-http-mitm            |   File "/usr/local/lib/python3.8/ssl.py", line 1309, in do_handshake
proxy-http-mitm            |     self._sslobj.do_handshake()
proxy-http-mitm            | ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1123)
proxy-http-mitm            | Exception in thread Thread-5:
proxy-http-mitm            | Traceback (most recent call last):
proxy-http-mitm            |   File "/usr/local/lib/python3.8/threading.py", line 932, in _bootstrap_inner
proxy-http-mitm            |     self.run()
proxy-http-mitm            |   File "/usr/local/lib/python3.8/threading.py", line 870, in run
proxy-http-mitm            |     self._target(*self._args, **self._kwargs)
proxy-http-mitm            |   File "/usr/local/lib/python3.8/site-packages/proxy/http/handler.py", line 365, in run
proxy-http-mitm            |     self.shutdown()
proxy-http-mitm            |   File "/usr/local/lib/python3.8/site-packages/proxy/http/handler.py", line 167, in shutdown
proxy-http-mitm            |     self.flush()
proxy-http-mitm            |   File "/usr/local/lib/python3.8/site-packages/proxy/http/handler.py", line 210, in flush
proxy-http-mitm            |     self.selector.register(
proxy-http-mitm            |   File "/usr/local/lib/python3.8/selectors.py", line 352, in register
proxy-http-mitm            |     key = super().register(fileobj, events, data)
proxy-http-mitm            |   File "/usr/local/lib/python3.8/selectors.py", line 241, in register
proxy-http-mitm            |     raise KeyError("{!r} (FD {}) is already registered"
proxy-http-mitm            | KeyError: "<socket.socket fd=14, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('172.31.0.5', 8899), raddr=('172.31.0.1', 62848)> (FD 14) is already registered"
@abhinavsingh
Copy link
Owner

@sam-kleiner Thanks for bringing this to my notice. Indeed currently hostname check is hardcoded here

proxy.py/proxy/core/connection/server.py

Line 42 in 06a84ae

ctx.check_hostname = True

In future release I will look to expose these via existing (or new) proxy plugin callbacks. I think we must also add

ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

but need to experiment before confirmation.

Can you try and hardcode ctx.check_hostname = False for now and see if it works for self-signed upstreams? If it doesn't also try to add ctx.verify_mode = ssl.CERT_NONE.

Please let me know, will look into how to expose them via plugins.

@abhinavsingh abhinavsingh changed the title Ability to ignore upstream certs Ability to ignore cert checks for self-signed upstream servers Apr 10, 2021
@abhinavsingh
Copy link
Owner

@sam-kleiner Another quick option which came to me while updating title of this issue:

  1. We can add a boolean command line flag which indicates whether to bypass cert check for self-signed upstreams
  2. Core can then detect such cases internally and do the needful
  3. This is simply avoid need of exposing this configuration dynamically via plugin callback.

Ofcourse, if we opt for such a solution, this is a hardcoded use case hidden behind a flag rather than a dynamic configuration ability. Wdyt?

@abhinavsingh
Copy link
Owner

--upstream-verify localhost=/path/to/cert --upstream-verify nginx.local=/path/to/cert2

This is an even better option :). Looking to address this for upcoming v2.4.0 release.

@abhinavsingh abhinavsingh mentioned this issue Nov 5, 2021
Closed
@abhinavsingh abhinavsingh changed the title Ability to ignore cert checks for self-signed upstream servers [Self-Signed] Ability to ignore cert checks for upstream servers Nov 8, 2021
@abhinavsingh abhinavsingh mentioned this issue Nov 11, 2021
Closed
@abhinavsingh abhinavsingh removed their assignment Nov 22, 2021
@abhinavsingh abhinavsingh added Good First Issue Issues for new contributors to pick-up Task Tasks & chores related to proxy.py and removed Enhancement labels Nov 25, 2021
@lyz04551
Copy link

lyz04551 commented Apr 14, 2022
edited
Loading

hi, do we have a boolean command line flag which indicates whether to bypass cert check for self-signed upstreams now? thanks for your reply. @abhinavsingh

@abhinavsingh
Copy link
Owner

hi, do we have a boolean command line flag which indicates whether to bypass cert check for self-signed upstreams now? thanks for your reply. @abhinavsingh

Hi Lyz,

Unfortunately no. I never got to supporting this officially. Having said that, I will try to spend sometime coming weekend and see what can we do to get this out quickly.

Thanks for bring this back to my attention.

Best
Abhinav

@lyz04551
Copy link

@abhinavsingh Thank you very much for your timely reply. This project is very meaningful and helpful to my project, so if you updated the code of cert check for self-signed upstreams, please remind me. Thank you!

@thiagobenine
Copy link

Any update on this?

@abhinavsingh
Copy link
Owner

@thiagobenine @lyz04551 Thank you for bringing this back. It got off the radar somehow. Lemme jump onto this over the coming weekend. Hopefully we'll have something out soon. Best

@abhinavsingh abhinavsingh pinned this issue Jun 8, 2022
@noorul
Copy link

noorul commented Sep 28, 2023

@thiagobenine We have a use case to do this on condition. Any plans to work on this?

@abhinavsingh abhinavsingh unpinned this issue Apr 13, 2024
@abhinavsingh abhinavsingh mentioned this issue Aug 10, 2024
Merged
@abhinavsingh
Copy link
Owner

@noorul @thiagobenine @lyz04551 @sam-kleiner PR #1446 will address this concern.

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
Good First Issue Issues for new contributors to pick-up Task Tasks & chores related to proxy.py
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

TLS intercept self-signed servers using --insecure-tls-interception abhinavsingh/proxy.py
5 participants
@abhinavsingh @noorul @thiagobenine @lyz04551 @sam-kleiner