Requesting ability to selectively disable MITM on per CONNECT basis #416

Open
JonathanHallKJR opened this issue Jul 17, 2018 · 2 comments

@JonathanHallKJR

Using LittleProxy with LittleProxy-mitm to proxy requests from a device under test.

Unfortunately the device regularly makes calls that result in error messages like the following:

[LittleProxy-0-ClientToProxyWorker-4] ERROR o.l.p.impl.ClientToProxyConnection - (NEGOTIATING_CONNECT) [id: 0x89f8bf74, L:0.0.0.0/0.0.0.0:8080 ! R:/127.0.0.1:51315]: Caught an exception on ClientToProxyConnection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:418) ~[netty-all-4.0.36.Final.jar:4.0.36.Final]
...snip...
Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

I suspect it's certificate pinning on the device, since I see a similar error with other MITM tools. It would be good if there were additional code to allow the HttpFilter to turn off MITM handling for selected requests.

@JonathanHallKJR
Author

Would something like the following work?

  1. Add a new method to HttpFilters: boolean useMitm(HttpObject httpObject, MitmManager mitmManager);
  2. Add the new method to HttpFiltersAdapter with the default implementation return (mitmManager != null);
  3. Change ProxyToServerConnection#initializeConnectionFlow to perform the check prior to engaging MITM, i.e.:
boolean isMitmEnabled = currentFilters.useMitm(initialRequest, mitmManager);
if (isMitmEnabled)

That way a custom HttpFilter could reply false for all but selected hosts when LittleProxy is processing the CONNECT request.

⚠️ Haven't built the above, but just tested changing isMitmEnabled to false in ProxyToServerConnection#initializeConnectionFlow using the IDE's debugger. It seemed to behave how I'd expect.

@vietduc179

Brother, did you implement your method?

I suggest another method:

  • Create two proxy instances: 8080 (with ChainedProxyManager) and 8081 (with MITM manager)
  • Use ChainedProxyManager to route requests to FALLBACK_TO_DIRECT_CONNECTION or "127.0.0.1:8081"
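
The two-instance routing suggested in the last comment, as an added example that is not part of the original thread or of the LittleProxy project. It assumes the LittleProxy 1.1.x API (two-argument lookupChainedProxies, Netty 4.0 getUri()/getMethod()), CertificateSniffingMitmManager from LittleProxy-mitm, and a constructed host name, api.example.test, standing in for the hosts to intercept.

```java
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpRequest;
import java.net.InetSocketAddress;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Queue;
import java.util.Set;
import org.littleshoot.proxy.ChainedProxy;
import org.littleshoot.proxy.ChainedProxyAdapter;
import org.littleshoot.proxy.ChainedProxyManager;
import org.littleshoot.proxy.impl.DefaultHttpProxyServer;
import org.littleshoot.proxy.mitm.CertificateSniffingMitmManager;

public class SelectiveMitmProxy {
    // Constructed sample value: the only hosts whose TLS is intercepted.
    static final Set<String> MITM_HOSTS = new HashSet<>(Arrays.asList("api.example.test"));
    static final InetSocketAddress MITM_PROXY = new InetSocketAddress("127.0.0.1", 8081);

    // A CONNECT request carries "host:port" as its URI; anything else is never intercepted.
    static boolean shouldIntercept(HttpRequest request) {
        if (!HttpMethod.CONNECT.equals(request.getMethod())) return false;
        String uri = request.getUri();
        int colon = uri.lastIndexOf(':');
        String host = colon > 0 ? uri.substring(0, colon) : uri;
        return MITM_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) throws Exception {
        // Instance on 8081: terminates TLS with the MITM manager, reachable on loopback only.
        DefaultHttpProxyServer.bootstrap()
            .withAddress(MITM_PROXY)
            .withManInTheMiddle(new CertificateSniffingMitmManager())
            .start();

        ChainedProxy viaMitm = new ChainedProxyAdapter() {
            @Override public InetSocketAddress getChainedProxyAddress() { return MITM_PROXY; }
        };
        // Instance on 8080: no MITM manager, so a CONNECT it handles directly is a plain tunnel.
        ChainedProxyManager router = new ChainedProxyManager() {
            @Override
            public void lookupChainedProxies(HttpRequest request, Queue<ChainedProxy> chain) {
                chain.add(shouldIntercept(request) ? viaMitm : ChainedProxyAdapter.FALLBACK_TO_DIRECT_CONNECTION);
            }
        };
        DefaultHttpProxyServer.bootstrap().withPort(8080).withChainProxyManager(router).start();
    }
}
```

Hosts outside MITM_HOSTS are tunnelled untouched, so a client that pins certificates sees the origin's real certificate for them.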
