pknoth
Looking for an `:ssl` option building an https proxy
Hi,
I am building an https proxy and need to forward the encrypted incoming payload of the requests, the proxy being a Man in the middle. I ended up building a gen_tcp server that replies to CONNECT queries from the client by connecting to the remote secure host and forwarding the payloads from both sides.
[gen_tcp listen, accepts...]
def handle_info({:tcp, socket, payload}, %State{socket: socket, client_socket: nil} = state) do
[set host, port...]
with {:ok, client_socket} <-
:ssl.connect(
String.to_charlist(host),
port || 443,
[
{:log_level, :all},
{:packet, :raw},
{:mode, :binary},
{:verify, :verify_peer},
{:cacerts, :public_key.cacerts_get()}
],
@connect_timeout
) do
:gen_tcp.send(socket, "HTTP/1.1 200 OK\r\n\r\n")
:inet.setopts(socket, active: :once)
:ssl.setopts(client_socket, active: :once)
{:noreply, %{state | client_socket: client_socket, start: start}}
end
end
[...]
def handle_info({:ssl, socket, payload}, %State{client_socket: socket} = state) do
:ssl.setopts(socket, active: :once)
:gen_tcp.send(state.socket, payload)
{:noreply, state}
end
def handle_info({:tcp, socket, payload}, %State{socket: socket} = state) do
:inet.setopts(socket, active: :once)
:ssl.send(state.client_socket, payload)
{:noreply, state}
end
The problem here is that the incoming payload (from the remote server) is decrypted by the erlang :ssl library which makes the client receive clear messages instead of encrypted ones, raising an SSL error. Note that the forwarding looks fine with the HTTP version of the snippet.
Does anyone know if there is an :ssl.connect option that disables payload decrypt?
Thanks.
Marked As Solved
pknoth
Thank you for your reply.
The issue was the proxy was performing the handshake instead of the client which caused the encryption/decrypt problem. The solution was to open a TCP connection toward the target server (not an SSL one) and let the client upgrade to TLS.
Also Liked
D4no0
Makes complete sense if you are using :ssl on proxy.
In your case this is not a https proxy, but one at TCP/SSL level, as once the ssl handshake is complete, there is no way you can decrypt and filter the traffic on your proxy.








