Re: TLS intercepting proxy [MitM]
Thanks Uwe Werler!
I have not yet established chain described in first message, but it is due to lack of time I didn't try.
Firefox runs as firefox user.
I have actually MitM on relayd *using divert* with this pf-magic:

cat /etc/pf_kop.conf
ext_if="bge0"
int_if="lo0"
set state-policy floating
pass out quick log on $ext_if inet proto tcp to any port 443 user firefox route-to lo0
pass in quick log on lo0 inet proto tcp to any port 443 divert-to 127.0.0.1 port 8443
pass in
pass out

Thanks for all, especially Uwe Werler!
I am going to try make chain described in first message in day or two.
Re: TLS intercepting proxy [MitM]
On Tue, Nov 24, 2015 at 01:05:34AM +0100, Stefan Wollny wrote:
> On 11/23/15 at 23:41, Lampshade wrote:
> >Hello,
> >I would like to use privoxy to scrub/delete
> >some information in application layer (HTTP) going out from my PC.
> >Problem is that a lot of connections are secured with TLS, so privoxy can
> >not filter them.
> >Is there any way to do something like that:
> >Firefox -> decrypt [MitM] -> privoxy -> encrypt securely -(NIC)-> Internet?
> >It is my PC, so I can install new certificate or something like that,
> >but nevertheless I don't know how to achieve that result.
> >Is this possible using relayd?
> >Is it possible with other tool in ports or something that I can compile from
> >source?
> >
> It is about 2 years old but should give you a starting point:
> http://www.reykfloeter.com/post/41814177050/relayd-ssl-interception

"There are some known limitations:" ...

I didn't know about vendors and their own CAs with pre-installed private keys at this point. This makes it useable for everyone!

When superfish was found, I published the following gist:
https://gist.github.com/reyk/4b42858d1eab3825f9bc

Something similar should work with #eDellRoot as well.

Reyk
Re: TLS intercepting proxy [MitM]
On 24.11.2015 14:52:58, Jiri B wrote:
> > With a little bit pf-magic this works like this:
> > pass out log on $ext_if proto tcp to any port 443 route-to lo0
> > pass out log on $ext_if proto tcp to any port 443 user _relayd
> > pass in log on lo0 proto tcp to any port 443 divert-to 127.0.0.1 port 8443
> Have you actually tested this? The traffic source is the
> box itself, don't forget, thus not forwarding between two
> ifaces.
>

Yep. 'cause I tested relayd from within my box itself.
Re: TLS intercepting proxy [MitM]
> With a little bit pf-magic this works like this:
> pass out log on $ext_if proto tcp to any port 443 route-to lo0
> pass out log on $ext_if proto tcp to any port 443 user _relayd
> pass in log on lo0 proto tcp to any port 443 divert-to 127.0.0.1 port 8443

Have you actually tested this? The traffic source is the box itself, don't forget, thus not forwarding between two ifaces.

j.
Re: TLS intercepting proxy [MitM]
On 24-11-2015 11:17, Lampshade wrote:
> I know that relayd can decrypt traffic, then log, then encrypt.

You know that this ain't the only thing it can do, right?

> The thing is that I want to
> send decrypted traffic to another process (privoxy), and then re-encrypt it.

Now this, I don't think is possible. At least not without hacking privoxy itself. But hey, if you are gonna hack privoxy, why not hack it to work with divert and do the mitm itself?

> I have also problem with Reyk's config because I can not divert outgoing
> traffic using pf.
> I have tried with rdr-to and nat-to, but it removes destination IP address in
> packets.
> I want to intercept and alter traffic on the same box that I run Firefox.
> Is this possible using pf and relayd or I must use something else?

How are you writing the rules? I think it can be done using the self keyword. You can also have success using the user directive.

Cheers,
Giancarlo Razzolini
Re: TLS intercepting proxy [MitM]
On 24.11.2015 14:17:41, Lampshade wrote:
> Ok, I know that relayd can decrypt traffic, then log, then encrypt. The thing is that I want to
> send decrypted traffic to another process (privoxy), and then re-encrypt it.
> I have also problem with Reyk's config because I can not divert outgoing traffic using pf.
> I have tried with rdr-to and nat-to, but it removes destination IP address in packets.
> I want to intercept and alter traffic on the same box that I run Firefox.
> Is this possible using pf and relayd or I must use something else?
>

With a little bit pf-magic this works like this:

pass out log on $ext_if proto tcp to any port 443 route-to lo0
pass out log on $ext_if proto tcp to any port 443 user _relayd
pass in log on lo0 proto tcp to any port 443 divert-to 127.0.0.1 port 8443
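
The two rule sets posted in this thread, run through a simplified model of pf's filter evaluation (last matching rule wins unless a rule is marked quick), as an added example that is not part of any poster's message. It shows why relayd's own outbound connections are not routed back into the proxy, and which local users each rule set intercepts. The rule dictionaries, the helper names and the "root" test user are constructed for illustration; "ext" stands for $ext_if.

```python
# Simplified model of pf filter-rule evaluation (added example, not from the thread).
# Modelled: direction, interface, destination port, socket owner ("user"),
# "quick", and last-matching-rule-wins. Everything else in pf is ignored.

# Rules from Uwe Werler's message, with $ext_if written as "ext".
UWE_RULES = [
    {"dir": "out", "on": "ext", "port": 443, "action": "route-to lo0"},
    {"dir": "out", "on": "ext", "port": 443, "user": "_relayd", "action": "pass"},
    {"dir": "in", "on": "lo0", "port": 443, "action": "divert-to 127.0.0.1:8443"},
]

# Rules from Lampshade's /etc/pf_kop.conf (ext_if is bge0 there).
LAMPSHADE_RULES = [
    {"dir": "out", "on": "ext", "port": 443, "user": "firefox",
     "quick": True, "action": "route-to lo0"},
    {"dir": "in", "on": "lo0", "port": 443,
     "quick": True, "action": "divert-to 127.0.0.1:8443"},
    {"dir": "in", "action": "pass"},
    {"dir": "out", "action": "pass"},
]

def matches(rule, pkt):
    """A rule matches when every criterion it names equals the packet's value."""
    return all(rule[k] == pkt[k] for k in ("dir", "on", "port", "user") if k in rule)

def evaluate(rules, pkt):
    """Return the action applied: the first 'quick' match, else the last match."""
    decision = "pass (implicit default)"  # pf passes packets that match no rule
    for rule in rules:
        if matches(rule, pkt):
            decision = rule["action"]
            if rule.get("quick"):
                break
    return decision

def packet(direction, iface, user, port=443):
    """Constructed packet description; user is the owner of the local socket."""
    return {"dir": direction, "on": iface, "port": port, "user": user}

if __name__ == "__main__":
    for name, rules in (("Uwe", UWE_RULES), ("Lampshade", LAMPSHADE_RULES)):
        for pkt in (packet("out", "ext", "firefox"), packet("out", "ext", "_relayd"),
                    packet("out", "ext", "root"), packet("in", "lo0", None)):
            print(name, pkt["dir"], pkt["on"], pkt["user"], "->", evaluate(rules, pkt))
```

In the first rule set every local user's port 443 traffic is routed to lo0 except _relayd's; in the second only the firefox user's traffic is intercepted.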
Re: TLS intercepting proxy [MitM]
On Tue, Nov 24, 2015 at 02:17:41PM +0100, Lampshade wrote:
> I want to intercept and alter traffic on the same box that I run Firefox.
> Is this possible using pf and relayd or I must use something else?

IIRC this is not possible.

j.
Re: TLS intercepting proxy [MitM]
Ok, I know that relayd can decrypt traffic, then log, then encrypt. The thing is that I want to send decrypted traffic to another process (privoxy), and then re-encrypt it. I have also problem with Reyk's config because I can not divert outgoing traffic using pf. I have tried with rdr-to and nat-to, but it removes destination IP address in packets. I want to intercept and alter traffic on the same box that I run Firefox. Is this possible using pf and relayd or I must use something else?
Re: TLS intercepting proxy [MitM]
On 11/23/15 at 23:41, Lampshade wrote:
>Hello,
>I would like to use privoxy to scrub/delete
>some information in application layer (HTTP) going out from my PC.
>Problem is that a lot of connections are secured with TLS, so privoxy can
>not filter them.
>Is there any way to do something like that:
>Firefox -> decrypt [MitM] -> privoxy -> encrypt securely -(NIC)-> Internet?
>It is my PC, so I can install new certificate or something like that,
>but nevertheless I don't know how to achieve that result.
>Is this possible using relayd?
>Is it possible with other tool in ports or something that I can compile from
>source?
>

It is about 2 years old but should give you a starting point:
http://www.reykfloeter.com/post/41814177050/relayd-ssl-interception

Best,
STEFAN
TLS intercepting proxy [MitM]
Hello,
I would like to use privoxy to scrub/delete some information in application layer (HTTP) going out from my PC.
Problem is that a lot of connections are secured with TLS, so privoxy can not filter them.
Is there any way to do something like that:
Firefox -> decrypt [MitM] -> privoxy -> encrypt securely -(NIC)-> Internet?
It is my PC, so I can install new certificate or something like that, but nevertheless I don't know how to achieve that result.
Is this possible using relayd?
Is it possible with other tool in ports or something that I can compile from source?