mozilla/cipherscan

proxy not work

iromise opened this issue · 13 comments

Just as the title shows: when I add a proxy, the result won't show. I am sure that the HTTP proxy is OK.

you can't use cipherscan through proxy, it needs to be able to connect to the server under scan directly

so what does this mean when using command ./cipherscan

EXAMPLES:
./cipherscan -starttls xmpp jabber.ccc.de:5222
./cipherscan -servername youtube.com youtube.com:443
./cipherscan -proxy myproxy.example.com:8080 youtube.com:443

because it's from the time the script was a simple wrapper around openssl

hmm, but that shouldn't actually make the results completely absent, just incomplete...

what happens when you connect to the server using ./openssl s_client -connect server_under_test:443 -proxy (...)? (run it in the cipherscan directory)

It works when I use openssl with proxy

➜  cipherscan git:(master) ✗ openssl s_client -proxy 127.0.0.1:8118 -connect google.com:443
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---

the ./ in command is important, it will run the openssl from local directory, not the system one, like using openssl does

cipherscan script defaults to the local one, it will use system one only if you specify it using OPENSSLBIN=$(which openssl) environment variable or -o option

sorry to miss the ./, when I use

➜  cipherscan git:(master) ✗ sudo ./openssl s_client -proxy 127.0.0.1:8118 -connect google.com:443
[sudo] password for iromise: 
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
CONNECTED(00000003)
HTTP CONNECT failed

then I copied the openssl.cnf to the dir /usr/local/ssl/ (which did not exist when I used this command), and then I did it again, but it seems it does not work..

➜  cipherscan git:(master) ✗ sudo ./openssl s_client -proxy 127.0.0.1:8118 -connect google.com:443
CONNECTED(00000003)
HTTP CONNECT failed
140414114629312:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available

and at last when I use -o option, it works

➜  cipherscan git:(master) ✗ ./cipherscan -o $(which openssl) -proxy 127.0.0.1:8118 google.com:443
...............
Target: google.com:443

prio  ciphersuite                    protocols              pubkey_size  signature_algoritm       trusted  ticket_hint  ocsp_staple  npn                   pfs
1     ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2                256          sha256WithRSAEncryption  True     100800       False        grpc-exp,h2,http/1.1  X25519,253bits  None
2     ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2                256          sha256WithRSAEncryption  True     100800       False        grpc-exp,h2,http/1.1  X25519,253bits  None
3     ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2                256          sha256WithRSAEncryption  True     100800       False        grpc-exp,h2,http/1.1  X25519,253bits  None
4     ECDHE-ECDSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  256          sha256WithRSAEncryption  True     100800       False        grpc-exp,h2,http/1.1  X25519,253bits  None

I think it's better to say this in the help doc.

any suggestion for the doc text?

As the default openssl won't work

➜  cipherscan git:(master) ✗ ./openssl version  
OpenSSL 1.0.2-chacha (1.0.2i-dev)

the following doc

-proxy proxyhost:port Connect to the scan target via specified proxy
                    (req. OpenSSL 1.1.0 or bundled OpenSSL)

could be

-proxy proxyhost:port Connect to the scan target via specified proxy
                    (req. OpenSSL 1.1.0, e.g. use -o option to set a proper version openssl)

hmm, and you have some settings in the openssl.cnf that relate to proxy? (like username/password)

I'm assuming that the one you copied into the /usr/local/ssl/ was the system one? (i.e. one from /etc)

No, I do nothing about the openssl.cnf. It was the default one.

maybe the openssl unnecessarily requires config file to be present for the proxy to work? I'd call that a bug...

Maybe...