Hello -- I have been working on the creation of a MITM plugin of sorts using OpenSSL v1.0.1.c. My code basically is handed stream payloads (e.g. in this case full SSL/TLS packets or groups of packets). I must then MITM them and extract application data as required. I cannot use sockets directly here, so I'm attempting to implement this using BIOs. (Note: MITM CA is installed for me client side)
It seemed I was on the right track in my implementation, but I'm now stuck. It looks like servers are rejecting my negotiations with a "Protocol Version" (70) TLS alert. What I'm hoping for here is a) is the path I'm going down correct, and b) any ideas on what to look for?!

Here is the rundown of my implementation (C=local client/real data, R=remote server/real data, MS: MITM server context/session, MC: MITM client context/session)

Outgoing 'ClientHello':
1) Create new MS, read and clone certificate. Throw this server away
2) Create new MC, do_handshake() -> write MITM 'ClientHello' to R

Incoming 'ServerHello':
1) MC read

Incoming 'Certificate':
1) MC read

Incoming 'Done':
1) MC read
2) New MS using cloned/MITM certificate
3) MS accept cached original 'ClientHello' -> write MITM 'ServerHello+Cert+Done' to C

Outgoing 'KeyExchange':
1) MS read

Outgoing 'ChangeCipherSpec':
1) MS read

Outgoing 'Finished':
1) MS read
2) Write pending MC MITM 'KeyExchange+ChangeCipherSpec+Finished' to R

Incoming 'ChangeCipherSpec':
1) MC read

Incoming 'Finished':
1) MC read

After the init/handshake process (above), data is simply passed through:

Outgoing: C -> MS -> {decrypted} -> MC -> {encrypted} -> R
Incoming: R -> MC -> {decrypted} -> MS -> {encrypted} -> C

Sorry for the long email. It's a complex problem, this is the best way I could think of describing it. Would love any feedback / tips / etc. I can get!
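
Added example, not part of the original message and not OpenSSL code: a stand-alone C parser for the raw TLS records a plugin like this is handed, which shows which record carried the alert 70 and which versions each record header and hello advertised. The struct and function names are hypothetical and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {              /* hypothetical names, this example's own */
    int type;                 /* 20 CCS, 21 alert, 22 handshake, 23 app data */
    unsigned record_ver;      /* record-layer version, e.g. 0x0301 */
    unsigned hello_ver;       /* version inside Client/ServerHello, else 0 */
    int alert_level, alert_desc; /* -1 unless a plaintext alert */
    size_t total_len;         /* header + body = offset of next record */
} tls_rec;

/* Inspect one TLS record; 0 on success, -1 if truncated or not TLS. */
int tls_inspect(const uint8_t *b, size_t len, tls_rec *r)
{
    if (len < 5 || b[0] < 20 || b[0] > 23) return -1;
    size_t body = ((size_t)b[3] << 8) | b[4];
    if (body > 16384 + 2048 || len - 5 < body) return -1;
    r->type = b[0];
    r->record_ver = ((unsigned)b[1] << 8) | b[2];
    r->hello_ver = 0;
    r->alert_level = r->alert_desc = -1;
    r->total_len = 5 + body;
    const uint8_t *p = b + 5;
    if (r->type == 21 && body == 2) {            /* alert sent in the clear */
        r->alert_level = p[0];
        r->alert_desc = p[1];                    /* 70 = protocol_version */
    } else if (r->type == 22 && body >= 6 && (p[0] == 1 || p[0] == 2)) {
        /* Only meaningful before ChangeCipherSpec, while handshake is plaintext */
        r->hello_ver = ((unsigned)p[4] << 8) | p[5];
    }
    return 0;
}

/* Constructed sample: a cut-down ClientHello record, then a fatal alert 70. */
static const uint8_t sample[] = {
    0x16, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x03,
    0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46 };

int main(void)
{
    tls_rec r;
    for (size_t off = 0; off < sizeof sample &&
         tls_inspect(sample + off, sizeof sample - off, &r) == 0; off += r.total_len)
        printf("type=%d rec=0x%04x hello=0x%04x alert=%d/%d\n", r.type,
               r.record_ver, r.hello_ver, r.alert_level, r.alert_desc);
    return 0;
}
```

Running it over the cached original 'ClientHello' and the one MC writes to R puts the two advertised versions side by side.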