Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for SNI and dynamic certificate #98

Open
wants to merge 35 commits into
base: master
Choose a base branch
from
Open

Support for SNI and dynamic certificate #98

wants to merge 35 commits into from

Conversation

htnhan
Copy link
Contributor

@htnhan htnhan commented Oct 3, 2018

  • Dynamically generate a certificate based on client request using
    Server Name Idicator
  • Sign the new certificate with either a static CA certificate, or
    with a newly generated CA
  • Add config options to specify a path to static CA certificate
  • *** NOTE ***: This version only works on windows platform

Nhan Huynh and others added 29 commits September 14, 2018 17:59
Support for SNI and dynamic certificate
abca316 
- Dynamically generate a certificate based on client request using
  Server Name Idicator
- Sign the new certificate with either a static CA certificate, or
  with a newly generated CA
- Add config options to specify a path to static CA certificate
- *** NOTE ***: This version only works on windows platform
@htnhan
De-couple SSL support from HTTPListener
03ed32d
@htnhan
ProxyListener to support SSL and handle SSL traffic
ac6a865
@htnhan
certutil should only run on windows
772902e
@htnhan
Fix issue: ssl_remote_sock is undefined on Non-SSL sockets
5ca752b
@htnhan
make_socket() now has a fallback in case SSLContext() fails
f49a91b
@htnhan
rename make_socket() to wrap_socket()
63c1c58
@htnhan
SSLWrapper now initialize everything in __init__()
71da060
@htnhan
Use proper logging levels
fcf6b5e
@htnhan
Clean up logic
1987f43
@htnhan
Fix: failed logic to check make sure both certfile and keyfile exist
a9e6005
@htnhan
Fix missing :
ed762b4
@htnhan
Fix: Invalid syntax -- random back ticks
d648c8d
@htnhan
Various renames
b923868
@htnhan
We now use traceback.format_exc() output
430c5be
@htnhan
More cleanup regarding ssl_utils and __init__.py
19b027d
@htnhan
Pass network mode config to the listners
f477c5d
@htnhan
Remove old code
51d5f32
@htnhan
Various fixes to add a fallback when failing to generate a cert
88a4b7f
@strictlymike
Merge branch 'master' into feature-sni-and-dynamic-cert
45ccd7f 
Conflicts:
	fakenet/configs/default.ini
	fakenet/listeners/HTTPListener.py
@strictlymike
Exceptions and logging
b53c91e
@strictlymike
Exceptions and logging
01be068
@htnhan
Fix: Handling case https://<ipaddress>
472fe25
@htnhan
SSLWrapper should only be initialized once per listener
675a65d
@htnhan
Listeners now create the SSLWrapper once per startup
4a13e66
@htnhan
Use ignore_errors instead of catch all except
e2395b3
@htnhan
New template for HTTPS tests
f34814f
@htnhan
New test cases for HTTPS
054389e
@htnhan
ProxyListener does not use UseSSL config keyword
52b5b9f
@gaelmuller
Copy link

Great Pull Request 👍

Is there any specific reason this was not merged ?

I also don't understand why it is noted as working only on Windows. I tested it in a Linux multihost setup and it works great (with some minor fixes gaelmuller@549e89a)

@htnhan
Copy link
Contributor Author

htnhan commented Nov 10, 2019

@gaelmuller This works well on windows systems because we can use certutil to import our own root CA cert into Windows trust store. That will make SSL clients trust everything we sign. However, on Linux, there are a few issues:

  1. With multihost mode: You have to add your own cert into the client cert chain somehow. Current implementation allows you to configure a static cert which can be used to sign other certs as request coming in. This works as intended. Since it requires additional steps, I don't consider it "working out of the box" on linux.

  2. Within singlehost mode: I am not aware of a generic system wide tool to "trust" a signing cert. Also, I can't support most/all distribution, so I also don't consider this feature working out of the box.

@strictlymike
Copy link
Collaborator

This also lacked any fallback for when SNI can't access ssl.SSLContext due to Python version < 2.7.9 (which was still true for supported LTS releases of Ubuntu at the time this PR was considered). So, merging this branch would have broken some use cases of FakeNet on supported distros. The project still needs to migrate to Python3, which might resolve this specific issue.

@tinajohnson
Merge branch 'master' into feature-sni-and-dynamic-cert
81ef1df
@tinajohnson
Update SNI branch to Python 3
22a6f6c 
- Replaced expired CA certificate
- Changed certificate sigining algorithm to SHA256
- Added extensions to generated X509 certificates to support
  interaction with latest browsers

Thanks to Nhan Huynh for implementing this feature :)
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 15, 2023
View reviewed changes
fakenet/listeners/ssl_utils/__init__.py
else:
ctx.sni_callback = self.sni_callback
ctx.load_cert_chain(certfile=self.ca_cert, keyfile=self.ca_key)
return ctx.wrap_socket(s, server_side=True)

Check failure

Code scanning / CodeQL

Use of insecure SSL/TLS version High

Insecure SSL/TLS protocol version TLSv1 allowed by
call to ssl.SSLContext
Loading
.
Insecure SSL/TLS protocol version TLSv1_1 allowed by
call to ssl.SSLContext
Loading
.
fakenet/listeners/ssl_utils/__init__.py Dismissed Show dismissed Hide dismissed
@tinajohnson
Copy link
Contributor

@htnhan Could you sign Google's CLA agreement? You can find it here: https://cla.developers.google.com/clas

Thanks, Nhan!

@htnhan
Copy link
Contributor Author

htnhan commented Dec 16, 2023

@htnhan Could you sign Google's CLA agreement? You can find it here: https://cla.developers.google.com/clas

Thanks, Nhan!

Signed.

Thank you @tinajohnson for merging this :)

@mr-tz
Copy link

mr-tz commented Jan 8, 2024

🥳

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@htnhan @gaelmuller @strictlymike @tinajohnson @mr-tz