pknoth

Looking for an `:ssl` option building an https proxy

Hi,

I am building an https proxy and need to forward the encrypted incoming payload of the requests, the proxy being a Man in the middle. I ended up building a gen_tcp server that replies to CONNECT queries from the client by connecting to the remote secure host and forwarding the payloads from both sides.

```elixir
# [gen_tcp listen, accepts...]

  def handle_info({:tcp, socket, payload}, %State{socket: socket, client_socket: nil} = state) do

    # [set host, port...]

    with {:ok, client_socket} <-
           :ssl.connect(
             String.to_charlist(host),
             port || 443,
             [
               {:log_level, :all},
               {:packet, :raw},
               {:mode, :binary},
               {:verify, :verify_peer},
               {:cacerts, :public_key.cacerts_get()}
             ],
             @connect_timeout
           ) do
      :gen_tcp.send(socket, "HTTP/1.1 200 OK\r\n\r\n")

      :inet.setopts(socket, active: :once)
      :ssl.setopts(client_socket, active: :once)
      {:noreply, %{state | client_socket: client_socket, start: start}}
    end
  end

# [...]

  def handle_info({:ssl, socket, payload}, %State{client_socket: socket} = state) do
    :ssl.setopts(socket, active: :once)
    :gen_tcp.send(state.socket, payload)
    {:noreply, state}
  end

  def handle_info({:tcp, socket, payload}, %State{socket: socket} = state) do
    :inet.setopts(socket, active: :once)
    :ssl.send(state.client_socket, payload)
    {:noreply, state}
  end
```

The problem here is that the incoming payload (from the remote server) is decrypted by the Erlang :ssl library, which makes the client receive clear messages instead of encrypted ones, raising an SSL error. Note that the forwarding looks fine with the HTTP version of the snippet.

Does anyone know if there is an :ssl.connect option that disables payload decrypt?

Thanks.

Marked As Solved

pknoth

Thank you for your reply.

The issue was that the proxy was performing the handshake instead of the client, which caused the encryption/decrypt problem. The solution was to open a TCP connection toward the target server (not an SSL one) and let the client upgrade to TLS.
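The approach described in the post above, sketched as an added example that is not code from the thread: the proxy answers CONNECT, opens a plain `:gen_tcp` connection to the target and copies bytes in both directions, so the TLS handshake runs end to end between client and server. The module name `ConnectTunnel`, the `serve/1` entry point, the 5-second timeout and the 8 KiB header cap are assumptions; IPv6 literals in the CONNECT target are not handled.

```elixir
defmodule ConnectTunnel do
  # Added example (hypothetical names). `client` is an accepted passive :gen_tcp socket.
  @timeout 5_000
  @opts [:binary, packet: :raw, active: false]

  def serve(client) do
    with {:ok, head, rest} <- read_head(client, ""),
         {:ok, host, port} <- parse_connect(head),
         # Plain TCP to the target: the proxy itself never performs a TLS handshake.
         {:ok, upstream} <- :gen_tcp.connect(String.to_charlist(host), port, @opts, @timeout) do
      :gen_tcp.send(client, "HTTP/1.1 200 Connection Established\r\n\r\n")
      # Bytes read past the header block already belong to the client's TLS handshake.
      if rest != "", do: :gen_tcp.send(upstream, rest)
      Enum.each([client, upstream], &:inet.setopts(&1, active: :once))
      relay(client, upstream)
    else
      _ -> :gen_tcp.close(client)
    end
  end

  defp read_head(sock, acc) do
    case :binary.split(acc, "\r\n\r\n") do
      [head, rest] -> {:ok, head, rest}
      _ when byte_size(acc) > 8_192 -> {:error, :head_too_large}
      _ -> with {:ok, data} <- :gen_tcp.recv(sock, 0, @timeout), do: read_head(sock, acc <> data)
    end
  end

  defp parse_connect(head) do
    with ["CONNECT", authority, "HTTP/1." <> _] <- head |> String.split("\r\n") |> hd() |> String.split(" "),
         [host, port_str] <- String.split(authority, ":"),
         {port, ""} when port in 1..65_535 <- Integer.parse(port_str) do
      {:ok, host, port}
    else
      _ -> {:error, :bad_request}
    end
  end

  defp relay(client, upstream) do
    receive do
      {:tcp, from, data} ->
        to = if from == client, do: upstream, else: client
        :gen_tcp.send(to, data)
        :inet.setopts(from, active: :once)
        relay(client, upstream)
      _closed_or_error ->
        Enum.each([client, upstream], &:gen_tcp.close/1)
    end
  end
end
```

`serve/1` must run in the process that owns the client socket (hand it over with `:gen_tcp.controlling_process/2` after accept), because active-mode messages go to the controlling process.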

Also Liked

D4no0

Makes complete sense if you are using :ssl on proxy.

In your case this is not an https proxy, but one at TCP/SSL level, as once the ssl handshake is complete, there is no way you can decrypt and filter the traffic on your proxy.
