Ninho

Problems accessing certain sites (Https aka TLS)

58 posts in this topic

Posted (edited)

Yes, I think that could be set up; but the way it works, there's still SSL/TLS encryption between the browser and the proxy, so you can't get rid of all the work on the browser's PC.

I suppose the trick would be to limit the browser to some less-CPU-demanding ciphers. You wouldn't need super-strong encryption on the browser side since the data would only be flowing over your own network, not the Internet. Perhaps RC4 would be a good choice, even though it's not a good choice for the Internet side anymore.

Edit: Well, I just learned something new. Turns out some of the newer Intel and AMD CPUs have AES-specific instructions, making AES faster than RC4! But, if you have one of those new CPUs, you have SSE2 also, so you can run newer browsers and probably don't even need this proxy. So for the browser side, RC4 is probably the best choice if you're reading this thread.

 

Edited by Mathwiz
0


Posted (edited)

@Mathwiz

I have made various tests with "ProxHTTPSProxyMII"; so far it works wonderfully with ECC-encrypted websites. For "BYPASS URL" in the file "config.ini" I made the following entry, "http://*", so that there is no error message in the browser for simple URL input. Furthermore, I have replaced the MSVCR100.dll file with the more recent version from the Microsoft Visual C++ 2010 Redist update of 09/08/2011, version 10.0.40219.325. It is important to know that Firefox and Java 8 have their own certificate management. Now with Windows and Firefox it is not a problem to install the included root certificate (CA.crt), but Java has its problem here: any malicious software would find its way to the computer, which was originally excluded in Java 8 (older versions of Java must be configured accordingly!) by the restriction that only certified websites work with Java! Of course, regular websites that support Java 8 (older versions of Java must be configured accordingly!) do not work with "ProxHTTPSProxyMII" anymore! Unless this attributed root certificate found its way into the certificate management of Java, with impending consequences. The whole thing should be used with caution! Things like online banking should absolutely be omitted! In the worst case, fake websites would also find their way into the Internet browser, so be careful! Here an additional piece of software should automate the "BLACKLIST" in the file "config.ini", regularly updated using the malware list of http://www.malwaredomainlist.com or an adequate alternative, in order to build at least a certain protection again.

:)

Edited by heinoganda
0
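The post above suggests keeping the "BLACKLIST" section of config.ini topped up from a downloaded malware-domain list. The script below is an added example, not code from the thread or from ProxHTTPSProxyMII, that does that merge offline: it reads a hosts-file-style list (the layout such blocklists commonly use, here a constructed sample), extracts the hostnames, and appends any that are missing to the "BLACKLIST" section while leaving every other section byte-for-byte alone. It assumes config.ini uses bracketed section headers with one pattern per line under the list sections; the section names other than the ones quoted in this thread ("BYPASS URL", "BLACKLIST", "SSL Pass-Thru", "ProxAddr") are illustrative.

```python
import re

# Constructed sample config.ini in the layout described in the thread:
# bracketed section headers, one pattern per line under the list sections.
# The exact ProxHTTPSProxyMII layout is an assumption; adjust if yours differs.
SAMPLE_CONFIG = """\
[GENERAL]
ProxAddr = http://localhost:8080

[SSL Pass-Thru]
update.microsoft.com
www.update.microsoft.com

[BLACKLIST]
already.listed.example

[BYPASS URL]
http://*
"""

# Constructed sample in hosts-file layout ("<ip> <hostname>", '#' comments),
# standing in for a downloaded blocklist. Not a real list.
SAMPLE_HOSTS_LIST = """\
# constructed sample, not a real blocklist
127.0.0.1  localhost
127.0.0.1  already.listed.example
127.0.0.1  bad.example   # trailing comment
0.0.0.0    worse.example
127.0.0.1  Mixed.Case.Example
"""

# Syntactic hostname check so a malformed list line cannot inject junk.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def parse_hosts_list(text):
    """Return lowercase hostnames from hosts-file text, skipping comments,
    'localhost' and anything that is not a valid hostname."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        host = parts[1].lower()
        if host == "localhost" or not HOSTNAME_RE.match(host):
            continue
        hosts.append(host)
    return hosts


def split_sections(text):
    """Ordered list of (name, lines); text before the first header gets None."""
    sections = [(None, [])]
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            sections.append((stripped[1:-1], []))
        else:
            sections[-1][1].append(line)
    return sections


def merge_blacklist(config_text, hosts_text, section="BLACKLIST"):
    """Append new hostnames to the named section, keeping existing entries and
    order, leaving other sections untouched. Returns (new_text, count_added)."""
    sections = split_sections(config_text)
    if section not in [name for name, _ in sections]:
        sections.append((section, []))  # create the section if it is missing
    added = 0
    out = []
    for name, lines in sections:
        if name is not None:
            out.append("[%s]" % name)
        if name != section:
            out.extend(lines)
            continue
        body = [ln for ln in lines if ln.strip()]
        existing = {ln.strip().lower() for ln in body
                    if not ln.lstrip().startswith(("#", ";"))}
        for host in parse_hosts_list(hosts_text):
            if host not in existing:
                body.append(host)
                existing.add(host)
                added += 1
        out.extend(body)
        out.append("")  # one blank line before the next section
    return "\n".join(out).rstrip("\n") + "\n", added


if __name__ == "__main__":
    merged, count = merge_blacklist(SAMPLE_CONFIG, SAMPLE_HOSTS_LIST)
    print("added %d entries" % count)
    print(merged)
```

Running it a second time over its own output adds nothing, so it is safe to schedule; the list it consumes is whatever file you have already downloaded, the script never touches the network itself.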


Thanks for working on this! I'm handling Http:// (not secured) requests another way: I configured my browser to use ProxHTTPSProxyMII as its proxy only for https:, not for http:. Different technique but same result.

I've run into some web sites that don't work. Microsoft/Windows Update doesn't work because Microsoft uses its own root certificate that isn't in the supplied cacert.pem or the downloaded one. Rather than appending Microsoft's root certificate every time I download a new cacert.pem, I just put update.microsoft.com and www.update.microsoft.com in the SSL Pass-Thru section of config.ini. (Oddly, catalog.update.microsoft.com does work with the proxy; it uses a different certificate whose root is in cacert.pem.)

Adobe.com didn't work either, although I haven't yet figured out why. But generally, if a web site works without the proxy but doesn't work with it, SSL Pass-Thru is a quick and easy fix. Sites listed there are not decrypted and re-encrypted; instead, encrypted SSL data is passed through the proxy unchanged.

For the most part, I don't think the proxy compromises security, and in some cases it may actually improve it! I wouldn't be too worried about using it even with on-line banking sites. But SSLlabs.com reports that it's vulnerable to the Logjam attack, so if you're worried about that you can list your bank's site in SSL Pass-Thru.

I haven't been using this as an anti-malware filter, but the Blacklist section could certainly be used for that purpose if one wished.
 

0


@Mathwiz, All: as the originator of this thread, I just wanted to "plus-one" that "ProxHTTPSProxyMII" (.exe compiled version) + Proxomitron is working here and has been easy to set up and configure thanks to your added remarks and caveats, solving the original problem. Congratulations added for your rather remarkable searching... and finding skills!

1


It seems ProxHTTPSProxyMII teamed with The Proxomitron can add TLS 1.2. I was able to confirm it with IE 8.

While trying to get the thing working I noticed an interesting option in The Proxomitron version Naoko 4.5. In the "config" - "HTTP" section there is "Use SSLeay/OpenSSL to filter secure pages (requires ssleay and libeay23 DLL files)".

It seems there is an option to filter HTTPS without ProxHTTPSProxyMII. But I was unable to provide The Proxomitron with DLL libraries it would be satisfied with. So, perhaps just The Proxomitron could do the TLS 1.2 conversion.

0


Posted (edited)

10 hours ago, Sfor said:

While trying to get the thing working I noticed an interesting option in The Proxomitron version Naoko 4.5. In the "config" - "HTTP" section there is "Use SSLeay/OpenSSL to filter secure pages (requires ssleay and libeay23 DLL files)".

 

Try one of the light installers here (I'm not sure which version The Proxomitron expects, though; start with the newest 1.1.0 and back up until one works):

Quote

You can get installers for the latest OpenSSL versions for Windows at https://slproweb.com/products/Win32OpenSSL.html. (Despite the name, they also have 64-bit versions available.)

 


 

Edited by Mathwiz
0


It only works with 9.6 or the special build of 9.8 on the Proxomitron website. This feature is obsolete by almost ten years...I wouldn't bother.

0

On Friday, January 06, 2017 at 10:07 AM, Mathwiz said:

For the most part, I don't think the proxy compromises security, and in some cases it may actually improve it! I wouldn't be too worried about using it even with on-line banking sites. But SSLlabs.com reports that it's vulnerable to the Logjam attack, so if you're worried about that you can list your bank's site in SSL Pass-Thru.



 

I've confirmed that the Logjam vulnerability can be fixed. Apparently the .exe version includes an old, vulnerable version of the OpenSSL libraries. So, I decided to try the Python version.
 

I downloaded and installed the latest XP-compatible Python version, 3.4.4. (Technically, there's a 3.4.5 also, but it's source code only; no Windows installer exists. So if you want Python 3.4.5, you'll have to build it from source yourself.) Then I downloaded the Python version of ProxHTTPSProxy and tried to run it from a command window, but it started complaining about missing packages.

So I had to learn how to install all the packages the author had used, using a Python tool called 'pip'; but eventually it ran without complaining about any more missing packages. I then pulled up https://www.ssllabs.com/ssltest/viewMyClient.html in IE 8 and the news was good: "Your user agent is not vulnerable" to Logjam or any other attack tested for at that site! :D I got this good result with OpenSSL version 1.0.2j DLLs.

For most folks, I don't think it's worth the trouble to download and install Python along with all those missing packages; it's easier to just put banking sites in the SSL Pass-Thru section (so they use the browser's security instead of the proxy's security), or just use a different browser for those sites. I did this just to confirm that the Logjam vulnerability was present due to the OpenSSL version the original author used.
 

Edited by Mathwiz
WYSIWYG editor locked up after entering one sentence
0


In reference to Proxomitron and the ssleay and libeay23 DLL files: there is a special set of these two DLL files that were modified by Sidki some time back. Having used Proxomitron for over 10 years, since when Scott R. Lemmon was still alive, I have been using the Sidki set of filters. In November I tried using the latest set of the new ssleay32 and libeay32 DLL files just to see how they would work ... they didn't.

I put the Sidki modified files back into Proxomitron. When members started talking about Proxomitron here ... I searched for the files at the Proxomitron forum and could not find them. I will search again ... Sidki has long left the scene as he announced that he was leaving over five years ago. He did something with those DLLs that will only work in Proxomitron ... his filter set is still the best and JJoe and ProxRocks continue to modify and fix the Sidki last set of filters as problems arise.

I found this text from sidki, Oct 1 2006:

http://proxomitron.info/files/download/openssl-readme.txt

These DLLs were compiled after modifying some files, making them compatible
with 0.9.6 aware programs like Proxomitron.  All changed files are included
with this distribution.

The original changes were done by netlaw in June 2003, bringing back
OpenSSL_add_all_algorithms.

OpenSSL 0.9.8a brought a major change in the way SSL_METHOD is initialized,
apparently breaking backwards compatibility again, see:
http://www.openssl.org/news/changelog.html

For this reason the included DLLs stick to 0.9.8, but include two security
patches, implemented in the official 0.9.8c revision and above:

Patch for RSA Signature Forgery.
http://www.openssl.org/news/patch-CVE-2006-4339.txt

Patch for Potential SSL 2.0 rollback.
http://www.openssl.org/news/patch-CAN-2005-2969.txt

In case of future major vulnerabilities, if you found a patch from a trusted
source, or even a way to make DLL initialization backwards compatible again,
you can reach me at configbugs at gmail dot com.  Asking someone with profound
C++ knowledge may be the better choice tho. ;-)

A general description and installation hints are on my SSL download page:
http://www.geocities.com/sidki3003/prox-ssl.html

--
sidki, Oct 1 2006

The Sidki files are on this page under Add Ons ... just found them.
 

http://proxomitron.info/files/index.html

...
 

Edited by monroe
spacing, spelling
0


The modified 0.9.8 package contains three small source files: one for OpenSSL_add_all_algorithms and one for each of the two patches. Very simple.

If I can recreate the modified package using MSVC6, then it should be easy to update it with three more 2007 patches listed at http://web.archive.org/web/*/http://www.openssl.org/news/*.

The changelog states:

Changes between 0.9.8 and 0.9.8a [11 Oct 2005]
*) Initialize SSL_METHOD structures at compile time instead of during
   runtime, thus removing the need for a lock.
   [Steve Henson]

We can probably port the old init code (with lock) forward, or do it in the DLL init. If so, we might be able to go all the way to 0.9.8zh....


Edited by jumper
Improved formatting
1


Just a suggestion ... if you have a few free minutes, why not sign up over at the Proxomitron forum and then under the Sidki topic ... maybe bring this subject up or ask a few questions. As I mentioned earlier ... JJoe and ProxRocks are still there and will show up in a 'few minutes' or a 'few days' to reply. It seems to still be the only active part of the forum.

 

The Un-Official Proxomitron Forum

http://prxbx.com/forums/

Proxomitron Config Sets
Sidki

http://prxbx.com/forums/forumdisplay.php?fid=44

... just to add, I can be of no help here ... what you mentioned earlier is not clear to me or 'just over my head'.
 

Edited by monroe
add
0


1. I should point out it's rather easy to use ProxHTTPSProxy without the Proxomitron: just change the line

ProxAddr = http://localhost:8080

to

ProxAddr = http://localhost:8081

... so its front server connects directly to its rear server without trying to go through the Proxomitron.

2. I finally figured out which OpenSSL version is included in the standalone (.exe) version of ProxHTTPSProxy. It's OpenSSL 1.02a. As luck would have it, the Logjam vulnerability was fixed in the very next release (1.02b), so the .exe version is indeed vulnerable to that attack (the message from ssllabs.com isn't a false alarm).

3. If you install Python along with all the packages needed to run the Python version of ProxHTTPSProxy, the "cryptography" package will come along for the ride at some point. Turns out it includes OpenSSL 1.02j, so you don't actually need to install OpenSSL for either the .exe or the Python version!

The developers of the cryptography package have promised to update it whenever OpenSSL updates their product, so you should upgrade the cryptography package whenever that happens to stay on the most current OpenSSL version. I believe the command to do that is

pip install -U cryptography

from an XP command prompt. (This assumes Python is in your path.)
 

1
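Both the earlier post about rebuilding the proxy on Python (OpenSSL 1.0.2j DLLs passing the ssllabs client test) and points 2 and 3 above come down to OpenSSL's letter-suffixed version scheme: 1.0.2a is before the Logjam fix, 1.0.2b and later are after it, and the 0.9.8 line jumper mentions ran all the way to 0.9.8zh. The script below is an added example, not from the thread or from ProxHTTPSProxy, that parses that scheme into a comparable tuple and reports whether a given OpenSSL build predates the fix, using the 1.0.2b cut-off exactly as stated in the post. It also reports what the running interpreter's `ssl` module is linked against and, where the "cryptography" package is installed, that package's own bundled OpenSSL (the post says that is the one the Python proxy actually uses); the `cryptography` call is the package's `backend.openssl_version_text()` and is wrapped so the script still runs without it. The version strings in the test are constructed samples.

```python
import re
import ssl

# The thread says Logjam was fixed in OpenSSL 1.0.2b; as a tuple
# (major, minor, fix, patch) with patch letter 'b' == 2. This cut-off is
# taken from the posts above, not from any authoritative source in this script.
LOGJAM_FIXED = (1, 0, 2, 2)

# Matches the prefix of strings like "OpenSSL 1.0.2j  26 Sep 2016".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn an OpenSSL version string into a comparable tuple.

    Pre-1.1.1 releases used trailing letters for patch levels:
    1.0.2 < 1.0.2a < ... < 1.0.2z < 1.0.2za < ... (0.9.8 ended at 0.9.8zh).
    One letter maps to 1..26 and a second letter continues counting past 'z'.
    Returns None for anything that is not OpenSSL (e.g. a LibreSSL build).
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    patch = 0
    for ch in m.group(4):
        patch += ord(ch) - ord("a") + 1  # 'j' -> 10, 'zh' -> 26 + 8 = 34
    return (major, minor, fix, patch)


def predates_logjam_fix(text):
    """True if older than LOGJAM_FIXED, False if not, None if unparseable."""
    version = parse_openssl_version(text)
    if version is None:
        return None
    return version < LOGJAM_FIXED


def running_interpreter_report():
    """What this Python's own ssl module is linked against. This can differ
    from the OpenSSL that the 'cryptography' package bundles."""
    text = ssl.OPENSSL_VERSION
    return {
        "version": text,
        "parsed": parse_openssl_version(text),
        "predates_logjam_fix": predates_logjam_fix(text),
    }


def cryptography_package_report():
    """Version string of the OpenSSL bundled with the 'cryptography' package,
    which the post says is what the Python proxy uses; None if the package
    is not installed or does not expose the call (assumed API)."""
    try:
        from cryptography.hazmat.backends.openssl.backend import backend
        text = backend.openssl_version_text()
    except Exception:
        return None
    return {
        "version": text,
        "parsed": parse_openssl_version(text),
        "predates_logjam_fix": predates_logjam_fix(text),
    }


if __name__ == "__main__":
    print("interpreter ssl module:", running_interpreter_report())
    print("cryptography package:  ", cryptography_package_report())
```

Run it after `pip install -U cryptography` (or after swapping the proxy's DLLs) and the `predates_logjam_fix` field is the one to look at; `None` there means the string was not OpenSSL's and needs a manual look rather than a pass.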


I have made "ProxHTTPSProxy", with Python version 3.4.4, into an executable program (x86). Tested under Windows XP and Windows 7 with positive results. Furthermore, I have generated it not as a single file but in a directory, where various modules can possibly be interchanged. If anyone is interested, please write a PM to me.

:)

1

