synchronizing/mitm

Can I selectively try intercepting HTTPS and when not possible just transparently proxy it so HTTPS doesn't fail somehow? I don't understand why it doesn't work yet.


Hello. While HTTP works, HTTPS doesn't. I had used Charles Proxy so far, so I know what I want, but sadly I don't know much about the terms.

In Charles Proxy, I had a client certificate and an SSL Proxying switch. In that program, I didn't have a way to selectively do SSL proxying; I could either use it globally or not. When enabled, it could decode HTTPS stuff and show me more information on some HTTPS requests, but only if I had used this patch (and the client certificate comes from here too): https://github.com/SciresM/3DS-SSL-Patch
(Well, most importantly, HTTPS for the 3DS would work fine with all that.)

If I didn't use that thing, I would instead see these same HTTPS requests fail (EVEN IF I NEVER TOUCHED THE REQUEST OR RESPONSE MYSELF IN ANY WAY), and their method would become CONNECT instead of the normal GET, POST, etc.

I get that it became CONNECT, but why does it even fail, since there is a tunnel now and the proxy is doing its job as expected? I don't know. I just thought that if it cannot decrypt, it should just let it pass without touching the request and response data, and everything would be okay, right? Well... I am not sure how it really works out, but that didn't happen. In the end I even got the status code, but there was an alert code in the TLS info section: "unknown_ca (48) - CA certificate could not be matched with a known, trusted CA"

Yeah, the SSL patch mentioned that. It disables the verification: "This is a patch for the 3DS SSL module to disable Root CA Verification."

But I still don't get it. Why can't the mitm proxy just use CONNECT and step away? Why won't the 3DS trust it no matter what? What is the proxy even doing wrong? A professional proxy would work, so what is wrong with my mitm proxy? I don't want to break HTTPS as a whole; I just want to capture IF I CAN CAPTURE, but if I can't, I want HTTPS to work transparently.

For Charles, I added this certificate as a "client certificate". Well, for mitm, I didn't even see a way to specify a client certificate to begin with, so I added it as a certificate_authority. Now obviously HTTPS is broken. Well, even if I left it at the default, HTTPS was broken anyway.

Can it handle my use case? Is this behaviour possible? Do I need some weird middleware to do it manually?

I actually wanted to freely change the URL of where the request would go for HTTP, while trying to decrypt HTTPS to see its endpoint but not touching HTTPS requests and responses (well, only blocking them or letting them pass with CONNECT), but I can't do it due to this HTTPS issue.

Sorry for the wall of text where I describe how badly confused I am. Here is what I used:

import OpenSSL
from mitm import MITM, protocol, middleware, crypto

# ClCertA.p12 is the client certificate linked above (bundle password "3ds").
# load_pkcs12 still exists on pyOpenSSL 23.1.1 (OpenSSL.__version__) but is
# deprecated in later releases.
with open("ClCertA.p12", "rb") as f:
    p12 = OpenSSL.crypto.load_pkcs12(f.read(), b"3ds")

# certificate_authority expects a crypto.CertificateAuthority object, not the
# tuple (or None, when the bundle carries no CA chain) that
# p12.get_ca_certificates() returns. Build one from the bundle's key and
# certificate instead; the key= / cert= keyword names are assumed from mitm's
# crypto module.
ca = crypto.CertificateAuthority(key=p12.get_privatekey(), cert=p12.get_certificate())

mitm = MITM(
    host="192.168.1.114",
    port=8080,
    protocols=[protocol.HTTP],
    middlewares=[middleware.Log],  # middleware.HTTPLog used for the example below.
    certificate_authority=ca,
)

mitm.run()
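The "let it pass with CONNECT" behaviour asked about above, as an added example that is not part of the mitm project or the issue author's code: a minimal CONNECT proxy that relays bytes without ever terminating TLS, so the client's own certificate validation never involves the proxy and the proxy learns only the host:port from the CONNECT line. It assumes a local echo server standing in for the origin; the function names (`handle_client`, `tunnel_roundtrip`) are hypothetical, and a "try to intercept" decision would hook in just before the 200 is sent.

```python
import asyncio
def parse_connect(line: bytes):
    """Return (host, port) from b'CONNECT host:port HTTP/1.1', else None."""
    parts = line.split()
    if len(parts) == 3 and parts[0] == b"CONNECT":
        host, sep, port = parts[1].rpartition(b":")
        if sep and host and port.isdigit():
            return host.decode(), int(port)
    return None

async def _pipe(src, dst):
    try:
        while data := await src.read(65536):
            dst.write(data)
            await dst.drain()
    finally:
        dst.close()  # EOF or an error on one side ends the other direction too

async def handle_client(reader, writer):
    target = parse_connect(await reader.readline())
    while (await reader.readline()) not in (b"\r\n", b""):
        pass  # discard the CONNECT headers; only host:port is used
    if target is None:  # plain GET/POST would be the interceptable part; not handled here
        return writer.close()
    try:
        up_reader, up_writer = await asyncio.open_connection(*target)
    except OSError:  # origin unreachable: tell the client instead of hanging
        writer.write(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
        return writer.close()
    writer.write(b"HTTP/1.1 200 Connection Established\r\n\r\n")
    await writer.drain()  # from here on the proxy is a blind byte pipe: no TLS termination
    await asyncio.gather(_pipe(reader, up_writer), _pipe(up_reader, writer))

async def _echo(reader, writer):  # constructed stand-in for the origin: echoes one read, hangs up
    writer.write(await reader.read(1024))
    writer.close()
async def _roundtrip(payload: bytes) -> bytes:
    origin = await asyncio.start_server(_echo, "127.0.0.1", 0)
    proxy = await asyncio.start_server(handle_client, "127.0.0.1", 0)
    r, w = await asyncio.open_connection(*proxy.sockets[0].getsockname())
    w.write(b"CONNECT 127.0.0.1:%d HTTP/1.1\r\n\r\n" % origin.sockets[0].getsockname()[1])
    assert (await r.readuntil(b"\r\n\r\n")).startswith(b"HTTP/1.1 200")
    w.write(payload)  # after the 200 this could be a TLS ClientHello; the proxy never looks
    await w.drain()
    echoed = await r.read()  # until the origin hangs up and the proxy relays that EOF
    for closing in (w, origin, proxy):
        closing.close()
    return echoed

def tunnel_roundtrip(payload: bytes) -> bytes:
    return asyncio.run(_roundtrip(payload))
```

Because the proxy never presents a certificate of its own on the tunnelled connection, a client that only trusts its vendor's roots keeps working; what is lost is visibility into anything past the CONNECT line.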