
Capture SSL certs from HTTP Proxy directly #138

Open
matteocargnelutti opened this issue Mar 31, 2023 · 2 comments

matteocargnelutti (Collaborator) commented Mar 31, 2023

The current implementation of SSL certs capture:

  • Happens out-of-band, in a distinct capture step
  • Uses crip

While the current setup is extremely convenient, it would be preferable - both conceptually and from a performance perspective - to pull the certificates directly from the proxy, especially since Portal gives us that flexibility.


Ideally the replacement is somewhat "drop in":

  • It should still account for captureCertificatesAsAttachment and attachmentsBypassLimits options
  • It should still add certs to Scoop.provenanceInfo.certificates
  • It should still only capture certs once per origin

captureCertificatesAsAttachmentTimeout and crip dependencies would be removed.


Progress:

#140

leppert (Collaborator) commented Mar 31, 2023

Here's the API: https://nodejs.org/api/tls.html#tlssocketgetpeercertificatedetailed

We'll end up with something in ScoopProxy, probably in this block, along the lines of

  onConnected (serverSocket, request) {
    // Find the exchange this upstream connection belongs to
    const exchange = this.exchanges.find(ex => ex.requestParsed === request)
    const ip = serverSocket.remoteAddress
    const rule = this.findMatchingBlocklistRule(ip)
    if (rule) {
      serverSocket.destroy()
      this.blockRequest(request, ip, rule)
    } else if (exchange) {
      // serverSocket is the TLS socket to the origin; `true` asks for the full chain
      // (issuerCertificate links), not just the leaf certificate
      exchange.cert = serverSocket.getPeerCertificate(true)
    }
  }

@matteocargnelutti matteocargnelutti self-assigned this Mar 31, 2023
matteocargnelutti added a commit that referenced this issue Apr 11, 2023
Implements #138

---

- Removes `crip` dependency, dedicated certificates capture step and associated options.
- Intercepts certificate chain at `ScoopProxy` level using `socket.getPeerCertificate()` to assemble a PEM on the fly. Runs once per origin.
- Removes duplicate processing of `noarchive` checks

---

**Still working through:** The certificate interception currently happens at `ScoopProxy.onResponse()` level. It should be in `ScoopProxy.onConnected()`, but in some cases it appears to be _"too early"_. TBD, but this version works.

matteocargnelutti (Collaborator, Author) commented:

Update: Getting close, but stuck on hard-to-troubleshoot edge cases (#140 (comment)).
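The two pieces this thread describes, leppert's `getPeerCertificate(true)` call and the commit's "assemble a PEM on the fly, once per origin", are shown together below as an added example. This is not Scoop's code and does not call `ScoopProxy`; it only assumes the documented shape of the object Node's `tls.TLSSocket#getPeerCertificate(true)` returns (`raw` is a DER `Buffer`, `issuerCertificate` links each certificate to its issuer, a self-signed root refers back to itself, and an empty object `{}` comes back when the peer supplied no certificate or the handshake has not finished, which is the "too early" case mentioned above). The `certificates` array and its `{ origin, pem }` entries stand in for `Scoop.provenanceInfo.certificates` and are an assumption; the DER bytes in the fixture are constructed dummy bytes, not real certificates.

```javascript
// Added example, not Scoop's own code. Converts a getPeerCertificate(true)
// result into a PEM chain and records it at most once per origin.

function derToPem (der) {
  // PEM is the DER bytes base64-encoded and wrapped at 64 columns.
  const b64 = der.toString('base64')
  const lines = b64.match(/.{1,64}/g) || []
  return `-----BEGIN CERTIFICATE-----\n${lines.join('\n')}\n-----END CERTIFICATE-----\n`
}

function peerCertificateToPem (peerCert) {
  // {} (no certificate yet / no handshake) has no `raw`: report nothing captured
  // rather than writing an empty PEM.
  if (!peerCert || !Buffer.isBuffer(peerCert.raw)) return null

  const seen = new Set()
  let pem = ''
  for (let cert = peerCert; cert && Buffer.isBuffer(cert.raw); cert = cert.issuerCertificate) {
    // A self-signed root's issuerCertificate is itself; stop on that (or any loop).
    if (seen.has(cert)) break
    seen.add(cert)
    pem += derToPem(cert.raw)
  }
  return pem
}

// `certificates` is an assumed stand-in for Scoop.provenanceInfo.certificates:
// an array of { origin, pem }. Returns true only when a new entry was recorded.
function captureCertificateOnce (certificates, origin, peerCert) {
  if (certificates.some(c => c.origin === origin)) return false // already captured
  const pem = peerCertificateToPem(peerCert)
  if (pem === null) return false // nothing to record yet; a later attempt may succeed
  certificates.push({ origin, pem })
  return true
}

// Constructed fixture mimicking getPeerCertificate(true) output (dummy DER bytes).
function fakeChain () {
  const root = { subject: { CN: 'Example Root' }, raw: Buffer.from('root-der-bytes') }
  root.issuerCertificate = root // self-signed: circular reference, as Node documents
  const intermediate = { subject: { CN: 'Example CA' }, raw: Buffer.from('intermediate-der'), issuerCertificate: root }
  return { subject: { CN: 'example.com' }, raw: Buffer.from('leaf-der'), issuerCertificate: intermediate }
}

// Walk through the scenarios from the thread and return the resulting store.
function demo () {
  const certificates = []
  const chain = fakeChain()
  captureCertificateOnce(certificates, 'https://example.com', chain) // first hit: recorded
  captureCertificateOnce(certificates, 'https://example.com', chain) // same origin: skipped
  captureCertificateOnce(certificates, 'https://other.test', {})     // too early: skipped, retryable
  return certificates
}
```

Because a `{}` result leaves the origin unrecorded instead of marking it done, a capture attempted too early in `onConnected()` can be retried later (for example from `onResponse()`) without a second PEM ever being written for that origin.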

As this feature is not broken at the moment:

  • Setting PR as draft
  • Re-prioritization TBD
