Is it possible to use SSL_connect() and the related API of OpenSSL for "http" connections ALSO? My program reads the hostname from the command prompt in a Linux terminal as an argument to the command, and I don't want to write two different pieces of code switching between "http" and "https" for fetching web pages. So, just using the SSL connection API functions, is there a way to connect to a web server on port 80 without encryption? Simply for the sake of reusing the same code.
Related
I am implementing a Web proxy (in C), with the end goal of implementing some simple caching and adblocking. Currently, the proxy supports normal HTTP sites, and also supports HTTPS sites by implementing tunneling with HTTP CONNECT. The proxy works great running from localhost and configured with my browser.
Despite all of this, I'll never be able to implement my desired features as long as the proxy can not decrypt HTTPS traffic. The essence of my question is: what general steps do I need to take to be able to decrypt this traffic and implement what I would like? I've been researching this, and there seems to be a good amount of information on existing proxies that are capable of this, such as Squid.
Currently, my server uses select() and keeps all client ids in an fd_set. When a CONNECT request is made, it makes a TCP connection to the specified host, and places the file descriptor of both the client and the host into the fd_set. It also places the tuple of fd's into a list, and the list is scanned whenever more data is ready from select() to see if data is coming from an existing tunnel. The data is then read and forwarded blindly. I am struggling to see how to intercept this data at all, due to the nature of the CONNECT verb requiring opening a simple TCP socket to the desired host, and then "staying out of it" while the client and host set up their own SSL sockets. I am simply asking for the right direction for how I can go about using the proxy as a MITM attacker in order to read and manipulate the data coming in.
As a brief aside, this project is solely for my own use, so no security or advanced functionality is needed. I just need it to work for one browser, and I am happy to get any warnings from the browser if certificate-spoofing is the best approach.
> proxy can not decrypt HTTPS traffic
You are trying to mount a man-in-the-middle attack. SSL is designed to prevent that. But - there is a weak point - a list of trusted certificate authorities.
> I am simply asking for the right direction for how I can go about using the proxy as a MITM attacker in order to read and manipulate the data coming in.
You can get inspiration from Fiddler. Fiddler has its own CA certificate (certification authority), and once you add this CA certificate as trusted, Fiddler generates server certificates on the fly for each connection you use.
It comes with a serious security consideration: your browser will trust any site. I've even seen the Fiddler core used inside malware, so be careful.
My application has an existing ssh connection to a remote server. This application has a socket on the localhost. How can I start a login shell using this existing connection, similar to what
ssh user@host
does?
Of course my application has to use some API when a program connects to the socket and wants to start a remote shell. (I can use The Secure Shell (SSH) Transport Layer Protocol https://www.rfc-editor.org/rfc/rfc4253 for that), that's not the problem. My problem is how to redirect stdin, stdout and stderr from the terminal/konsole to the socket.
Can someone give a hint about that? Thanks in advance.
(I have a FUSE fs which provides sftp access to different folders on the server; it would be awesome if it could also offer terminal access to the server and possibly a chat session using ssh-chat... The user has to click on a desktop file my FUSE fs provides, and the right program is started to make the connection to the socket and start the terminal. This of course only works in a graphical environment.)
I need one server to receive IP requests from clients (they are not in the same intranet), and I can route all the response packets to a special gateway server, and then I send the response packets to the clients after some processing. It is like a VPN, but I want to do some development based on an open-source project, so I can control it myself.
Any suggestions? Thanks!
There is OpenVPN, which is, as the name already suggests, open source.
You could set up the server on the local one as a kind of proxy (or reverse-proxy depending on your viewpoint) and have the clients connect to it.
It depends what protocol you're using, maybe it has explicit proxy capability or you can get an existing proxy program, or just proxy it using a simple socket forwarder program.
I want to implement proxy support (SOCKS5 and HTTP CONNECT method) in my application. There are two parts that need to be implemented:
1. Detection of proxy details (protocol, host, port): I am using libproxy for that.
2. Connecting to the proxy server and telling it to relay the packets. Get the connected socket and then use it in your application.
Is there a library for the #2 part?
You might be able to hack libmicrohttpd into doing what you want without too much effort, at least as far as the user end. I'm not aware of anything that does what you want straight out of the box.
Now there is proxysocket (https://github.com/brechtsanders/proxysocket/) to do exactly that.
Supports SOCKS4, SOCKS5 and HTTP CONNECT.
The result is a normal connected socket so you don't have to rewrite the rest of your application.
libcurl can receive a webpage via a proxy. You can send a raw HTTP header to it and let it talk to the proxy.
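For the "telling it to relay the packets" step asked about above, this is what the client actually exchanges with the proxy, shown as an added example that is not code from proxysocket, libcurl or any poster in this thread. It covers the SOCKS5 CONNECT request and reply from RFC 1928 and the status check for HTTP CONNECT; the SOCKS5 method-negotiation greeting that precedes the request is omitted, and the function names and the `example.org` target are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SOCKS5 (RFC 1928) CONNECT request addressed by host name:
 * VER CMD RSV ATYP LEN HOST PORT. Returns bytes written, 0 if it does not fit. */
size_t socks5_connect_req(uint8_t *out, size_t cap, const char *host, uint16_t port)
{
    static const uint8_t hdr[4] = {0x05, 0x01, 0x00, 0x03}; /* v5, CONNECT, RSV, domain */
    size_t hl = strlen(host);
    if (hl == 0 || hl > 255 || cap < 7 + hl) return 0;
    memcpy(out, hdr, 4);
    out[4] = (uint8_t)hl;
    memcpy(out + 5, host, hl);
    out[5 + hl] = (uint8_t)(port >> 8);      /* port in network byte order */
    out[6 + hl] = (uint8_t)(port & 0xff);
    return 7 + hl;
}

/* Parse the proxy's reply: returns its total length once complete, 0 if more
 * bytes must be read first, -1 if malformed or the proxy refused (REP != 0). */
int socks5_parse_reply(const uint8_t *in, size_t len)
{
    size_t need;
    if (len < 4) return 0;
    if (in[0] != 0x05 || in[1] != 0x00 || in[2] != 0x00) return -1;
    switch (in[3]) {                          /* type of the bound address */
    case 0x01: need = 4 + 4 + 2; break;       /* IPv4 */
    case 0x04: need = 4 + 16 + 2; break;      /* IPv6 */
    case 0x03: if (len < 5) return 0;
               need = 4 + 1 + (size_t)in[4] + 2; break; /* length-prefixed name */
    default:   return -1;
    }
    return len >= need ? (int)need : 0;
}

/* HTTP CONNECT: the tunnel exists only after a 2xx status line from the proxy. */
int http_connect_ok(const char *resp)
{
    int major, minor, status;
    if (sscanf(resp, "HTTP/%d.%d %d", &major, &minor, &status) != 3) return 0;
    return status >= 200 && status < 300;
}

int main(void)
{
    uint8_t buf[64]; /* constructed sample target, not from the page */
    printf("%zu\n", socks5_connect_req(buf, sizeof buf, "example.org", 443));
    return 0;
}
```

Only after `socks5_parse_reply` returns a positive length, or `http_connect_ok` returns 1, should the application treat the socket as connected to the target and hand it to the rest of its code.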
Is there a way to open a TCP Socket back to a non-standard Silverlight port such as port 80?
I don't quite understand the restrictions on Silverlight ports.
I would like to open a connection back to the server of origin using any port. I can serve a policy file from port 943 if needed.
Microsoft restricted the ports to a range well outside the "well known ports." This prevents Silverlight from communicating directly to most web-based resources like HTTP, POP, SMTP, etc.
The most common way to get around this is to set up a "proxy" service on your domain. The proxy accepts requests, forwards them through the port on the service you're using, and returns the result.
The allowed port range (after the policy server check) is 4502 through 4532 to my knowledge. Using port 80 would be an HttpWebRequest or the like.