Re: Relayd TLS inspection and SNI

2021-05-21 Thread BS Daemon
Perhaps I will try squid or HaProxy. I was unaware I could filter by User_Agent 
in squid.
 
It may be appropriate to update the relevant documentation if the support is 
not possible:
 
*** relayd.conf.8.orig  Fri May 21 13:19:06 2021
--- relayd.conf.8   Fri May 21 13:23:09 2021
***
*** 500,506 
 filter TLS connections as a man-in-the-middle.  This combined
 mode is also called "TLS inspection".  The configuration requires
 additional X.509 certificate settings; see the ca key description
!    in the PROTOCOLS section for more details.
   When configured for "TLS inspection" mode, relayd(8) will listen for
   incoming connections which have been diverted to the local socket by PF.
--- 500,510 
 filter TLS connections as a man-in-the-middle.  This combined
 mode is also called "TLS inspection".  The configuration requires
 additional X.509 certificate settings; see the ca key description
!    in the PROTOCOLS section for more details. Note that this feature
!    currently does not support Server Name Identification (SNI) making
!    it inappropriate for use as a general Internet TLS Inspection
!    gateway.
!
   When configured for "TLS inspection" mode, relayd(8) will listen for
   incoming connections which have been diverted to the local socket by PF.
 
 
TLS Inspection (Man in the Middle) may be ancient, and certificate pinning may 
make it less useful some places, but there is still enough demand that many 
Internet security gateway vendors support it, even with TLS1.3.*, which I 
understand was one of the things which slowed its standardization.
 
Work has been done to deprecate TLS1.0 and TLS1.1 for some time. I'm guessing 
it will be at least a few years before TLS1.2 is deprecated or obsoleted (not 
used by clients), not months. **

For my purpose, I can probably work around pinning issues and TLS1.3 
certificate encryption by bypassing relayd based on IP as opposed to 
certificate content, or perhaps by restricting to TLS1.2. I don't think relayd 
TLS Intercept can make decisions based on the certificate anyway, at least I 
didn't notice reference in the documentation.
 
* 
https://www.zscaler.com/blogs/product-insights/tls-13-busting-myths-and-debunking-fear-uncertainty-doubt
* 
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-concepts/tlsv13-ssl-decryption-support.html

** https://datatracker.ietf.org/doc/rfc8996/
** https://www.ssllabs.com/ssl-pulse/
   as of today, 46.4% of surveyed sites support TLSv1.0
   and 54.1% of surveyed sites support TLSv1.2 as their best protocol.
 
Thanks!


> Sent: Friday, May 21, 2021 at 3:08 AM
> From: "Stuart Henderson" 
> To: misc@openbsd.org
> Subject: Re: Relayd TLS inspection and SNI
> On 2021-05-18, BS Daemon  wrote:
>> I like using the base OpenBSD utilities, and was
>> wondering if I'm doing something wrong, if relayd could be made to
>> support SNI for man-in-the-middle, or if there is an alternative
>> tool for doing this which would work.
>
> I can't help with relayd, but this does work with squid (and you can
> filter on user-agent in ACLs).
 
 
From: Martin [https://marc.info/?a=15813524301&r=1&w=2] Date: 2021-05-21 
7:26:16[https://marc.info/?l=openbsd-misc&r=1&b=202105&w=2]
> Hi,
> 
> MITM is an ancient attack technique and it is not a good idea because it 
> breaks \
> original cert chain. So client (application) will see that cert is different 
> on its \
> end. Most people and apps reject connection to a resource with fake cert 
> which you're \
> going to send to them.

> But you can use Squid for MITM as Stuart recommended, from my side 
> HaProxy/Nginx can \
> help you too to do this. For SNI Snort/Suricata can be useful but for TLS up 
> to v1.2 \
> only.
> 
> Sniffing the traffic that way is a bad idea, most of services uses TLSv1.3 
> with \
> encrypted SNI. So your work will disappear in months.
>
> Martin



Re: Relayd TLS inspection and SNI

2021-05-21 Thread Stuart Henderson
On 2021-05-21, Martin  wrote:
> Hi,
>
> MITM is an ancient attack technique and it is not a good idea because it 
> breaks original cert chain. So client (application) will see that cert is 
> different on its end. Most people and apps reject connection to a resource 
> with fake cert which you're going to send to them.

This is about providing monitored/filtered internet access to systems
that are particularly configured to use it. The way this works is that
you install the MITM-signing certificate on the machines accessing the
web via that proxy. Typically in that case browsers automatically
disable certificate pinning if the cert is signed by a locally
administered CA.

> But you can use Squid for MITM as Stuart recommended, from my side
> HaProxy/Nginx can help you too to do this. For SNI Snort/Suricata can be
> useful but for TLS up to v1.2 only.
>
> Sniffing the traffic that way is a bad idea, most of services uses
> TLSv1.3 with encrypted SNI. So your work will disappear in months.

There aren't many services which require TLSv1.3 with encrypted SNI
yet, so the interception proxy can restrict to TLS 1.2 to bypass this.




Re: Relayd TLS inspection and SNI

2021-05-21 Thread Martin
Hi,

MITM is an ancient attack technique and it is not a good idea because it breaks 
original cert chain. So client (application) will see that cert is different on 
its end. Most people and apps reject connection to a resource with fake cert 
which you're going to send to them.

But you can use Squid for MITM as Stuart recommended, from my side 
HaProxy/Nginx can help you too to do this. For SNI Snort/Suricata can be useful 
but for TLS up to v1.2 only.

Sniffing the traffic that way is a bad idea, most of services uses TLSv1.3 with 
encrypted SNI. So your work will disappear in months.

Martin

‐‐‐ Original Message ‐‐‐
On Friday, May 21, 2021 7:08 AM, Stuart Henderson  wrote:

> On 2021-05-18, BS Daemon b...@post.com wrote:
>
> >I like using the base OpenBSD utilities, and was
> >
> >
> > wondering if I'm doing something wrong, if relayd could be made to
> > support SNI for man-in-the-middle, or if there is an alternative
> > tool for doing this which would work.
>
> I can't help with relayd, but this does work with squid (and you can
> filter on user-agent in ACLs).




Re: Relayd TLS inspection and SNI

2021-05-21 Thread Stuart Henderson
On 2021-05-18, BS Daemon  wrote:
>I like using the base OpenBSD utilities, and was
> wondering if I'm doing something wrong, if relayd could be made to
> support SNI for man-in-the-middle, or if there is an alternative
> tool for doing this which would work.

I can't help with relayd, but this does work with squid (and you can
filter on user-agent in ACLs).