Problems accessing certain sites (Https aka TLS)


On Friday, January 13, 2017 at 4:36 PM, Mathwiz said:

1. I should point out it's rather easy to use ProxHTTPSProxy without the Proxomitron: just change the line


ProxAddr = http://localhost:8080

to


ProxAddr = http://localhost:8081

... so its front server connects directly to its rear server without trying to go through the Proxomitron.

2. I finally figured out which OpenSSL version is included in the standalone (.exe) version of ProxHTTPSProxy. It's OpenSSL 1.02a. As luck would have it, the Logjam vulnerability was fixed in the very next release (1.02b), so the .exe version is indeed vulnerable to that attack (the message from ssllabs.com isn't a false alarm).

3. If you install Python along with all the packages needed to run the Python version of ProxHTTPSProxy, the "cryptography" package will come along for the ride at some point. Turns out it includes OpenSSL 1.02j, so you don't actually need to install OpenSSL for either the .exe or the Python version!

The developers of the cryptography package have promised to update it whenever OpenSSL updates their product, so you should upgrade the cryptography package whenever that happens to stay on the most current OpenSSL version. I believe the command to do that is


pip install -U cryptography

from an XP command prompt. (This assumes Python is in your path.)

 


 

2 hours ago, Sfor said:

But the IE does not connect to http://www.google.pl/ in such a case.

 

With Proxomitron in the middle, the http connection is redirected to https without problems, so there is no "Bad Request" message, then.

Make sure IE isn't set to use the Proxomitron (localhost / 8080) for http connections. It has to get through on http in order to receive the redirect to https.

Also, try Heinoganda's ProxHTTPSProxy version (with the updated Python cryptography package); otherwise you'll probably get a 417 error when Google.pl redirects you to https (unless you have google.pl in your SSL Pass-Thru section).
 

Link to comment
Share on other sites


I have also successfully tested ProxHTTPSProxy with Python version 3.5.0 (with XP Mod). Now I hope that the module PYINSTALLER, based on VS2015, will be updated. For Windows XP I have integrated a functioning on-the-fly proxy switcher (default only on secure redirection). In the ProxHTTPSProxy.py script, I added the entry import cryptography so that this module is included in the package generation with PYINSTALLER. At this point, thanks to @Mathwiz for his information.

@Sfor

With my package, https://www.google.pl works perfectly.

:)

Link to comment
Share on other sites

On 20.01.2017 at 5:02 PM, Mathwiz said:


 

Make sure IE isn't set to use the Proxomitron (localhost / 8080) for http connections. It has to get through on http in order to receive the redirect to https.

Also, try Heinoganda's ProxHTTPSProxy version (with the updated Python cryptography package); otherwise you'll probably get a 417 error when Google.pl redirects you to https (unless you have google.pl in your SSL Pass-Thru section).
 

Well, the IE proxy setting just for https was enough to solve the problem. It was not necessary to add the pass-through entry.

Link to comment
Share on other sites

I have made "ProxHTTPSProxy", with Python version 3.4.4, into an executable program (x86), Rev2, and added an on-the-fly proxy switcher (wininet.dll initialization with Python script) and a cacert.pem updater. Tested under Windows XP and Windows 7 with positive results. Furthermore, I have generated it not as a single file but in a directory, where various modules are possibly interchangeable. If anyone is interested, please write me a PM.

:)

Link to comment
Share on other sites

OpenSSL version 1.0.2k has been released, which means there should be a new version of the Python cryptography package soon.

The issues fixed in 1.0.2k are listed here. Luckily, nothing looks too serious to me, so folks using Heinoganda's packages (which include OpenSSL version 1.0.2j) probably don't need to worry about upgrading immediately.

Link to comment
Share on other sites

The last package (Rev2) was created with the following modules (command pip freeze for version of modules):

appdirs==1.4.0
cffi==1.9.1
colorama==0.3.7
cryptography==1.7.2
future==0.16.0
idna==2.2
packaging==16.8
pefile==2016.3.28
pyasn1==0.1.9
pycparser==2.17
PyInstaller==3.2

pyOpenSSL==16.2.0  > last version info
pyparsing==2.1.10
pypiwin32==219
PySocks==1.6.5
six==1.10.0
urllib3==1.20

:)

Link to comment
Share on other sites

I have generated a new build of ProxHTTPSProxy (Rev2b), with small changes to the script so that the proxy does not run into timeouts with more simultaneous connections, various Python modules updated and the config.ini supplemented by some entries. If anyone is interested, please write me a PM.

:)

Link to comment
Share on other sites

  • 2 months later...
  • 2 weeks later...

I have an opportunity to play a bit with an application, Insert GT. It is capable of checking customer data within an online government public database. The application developer provides such a service on its own servers running Microsoft Azure. Yesterday the service connection stopped working in Windows XP.

I tested the issue with both ProxHTTPSProxy and Burp Suite Free Edition. The service worked with both of them, but...

The Insert GT does not use the system HTTPS proxy setting. I had to use the global proxy for all protocols for the application to use the proxy.

As expected ProxHTTPSProxy did the job for https, but the http connections stopped working.

In case of the Burp Suite Free Edition both http and https are working correctly.

Link to comment
Share on other sites

  • 5 months later...

I have generated a new build of ProxHTTPSProxy (Rev2i), with various Python modules and CA certificates (cacert.pem) updated. If anyone is interested, please write me a PM.

Info:

 

"ProxHTTPSProxy_PSwitch.exe" for on the fly switch to ProxHTTPSProxy.

In the file "ProxySwitch.bat" you can insert the desired settings for proxies (corresponds to the settings under IE; a corresponding default for https already exists). If "ProxHTTPSProxy_PSwitch.exe" is run, "ProxySwitch.bat" is executed first (existing settings are first saved in the registry and then the new values are entered). After that, "Application\InitialWindowsProxy.exe" is executed (corresponds to the wininet.dll function where IE and Firefox are always running at program start, not on Google Chrome and other programs), where an on-the-fly switch is enabled. Finally, "Application\ProxHTTPSProxy.exe" is executed, where the actual proxy is started. When the command line window of ProxHTTPSProxy is closed, "ProxySwitch.bat" is run again, where the proxy settings are reset to the saved original settings, then again "Application\InitialWindowsProxy.exe" and finally "Application\deltmp.bat", where a temporary Python folder in the TEMP directory is deleted.

:)

Edited by heinoganda
Link to comment
Share on other sites

  • 3 months later...

I have recognised that currently the given lower RSA ciphers are marked as "weak" if you test the connection with Qualys SSL Labs.

So I tried to configure the connection parameters in the py script - but had no success (I don't program in Python...).

In "ProxHTTPSProxy.py" line 58 is the expression "sslparams = dict(cert_reqs="REQUIRED", ca_certs=CA_CERTS)"

These are parameters for the URLLIB3 "PoolManager"; they can be modified with the parameters "ssl_version=" and "ciphers=".

The "ssl_version" works for me. With "ssl_version=ssl.PROTOCOL_TLSv1" I get a connection with the given TLS version (also with "ssl.PROTOCOL_TLSv1_1" / "ssl.PROTOCOL_TLSv1_2").

But with the "ciphers" I am fully lost. Something like this is what I found out, but I can't get any connection for testing (only errors):

'ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:ECDH+RC4:DH+RC4:RSA+RC4:!aNULL:!eNULL:!EXP:-MD5:RSA+RC4+MD5'

I have tried some expressions, only one cipher string, no luck.

So my question: any suggestion for help?

Link to comment
Share on other sites
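
Added example (not part of the thread and not ProxHTTPSProxy code): a way to see which suites an OpenSSL cipher string such as the one posted above actually enables, and which of them a scanner would plausibly rate weak. It assumes Python 3.6 or later for `SSLContext.get_ciphers()`; the `STRICT` string and the weakness heuristics in `reasons()` are constructed for illustration.

```python
import ssl

# The cipher string from the post above, without the leading "ciphers=".
POSTED = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
          "ECDH+HIGH:DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:"
          "RSA+3DES:ECDH+RC4:DH+RC4:RSA+RC4:!aNULL:!eNULL:!EXP:-MD5:RSA+RC4+MD5")

# Constructed alternative (assumption, not from the thread): ephemeral key
# exchange with AEAD ciphers only.
STRICT = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL"


def reasons(name):
    """Heuristic: why an OpenSSL suite name may be rated weak ([] = none)."""
    found = []
    # TLS 1.3 names start with "TLS_"; in TLS 1.2 and earlier only ECDHE-/DHE-
    # suites use an ephemeral key exchange. Anything else (for example
    # "AES128-SHA", static RSA key exchange) has no forward secrecy.
    if not name.startswith(("TLS_", "ECDHE-", "DHE-")):
        found.append("no forward secrecy")
    for token, label in (("RC4", "RC4"), ("DES-CBC3", "3DES"), ("MD5", "MD5")):
        if token in name:
            found.append(label)
    return found


def audit(cipher_string):
    """Expand a cipher string with the local OpenSSL and return the flagged suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    flagged = {}
    for suite in ctx.get_ciphers():
        why = reasons(suite["name"])
        if why:
            flagged[suite["name"]] = why
    return flagged


if __name__ == "__main__":
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)
    for label, string in (("posted", POSTED), ("strict", STRICT)):
        result = audit(string)
        print(label, "->", len(result), "flagged suite(s)")
        for name, why in sorted(result.items()):
            print("   ", name, ":", ", ".join(why))
```

The output depends on the OpenSSL build linked into the Python interpreter, since suites that were compiled out (RC4 and 3DES on many current builds) never appear in the expanded list. A context configured this way can be handed to urllib3 through the `ssl_context` argument of `PoolManager` in urllib3 releases that support it.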

  • 4 months later...
On 6/8/2018 at 8:28 PM, heinoganda said:

I have generated a new build of ProxHTTPSProxy (Rev2k), with various Python modules and CA certificates (cacert.pem) updated. If anyone is interested, please write me a PM.

:)

Have you seen that urllib3 has been updated to v 1.23 too?

There is an important fix:

Quote

Fixed pyOpenSSL-specific ssl client authentication issue when clients attempted to auth via certificate + chain (Issue #1060)

I think this was the reason why some intermediate certificates must be copied by hand into the cacert.pem.

Link to comment
Share on other sites
