Login | Register
My pages Projects Community openCollabNet

Discussions > dev > [maxq-dev] MaxQ - SSL support

maxq
Discussion topic

Back to topic list

[maxq-dev] MaxQ - SSL support

Author christophe <careless at s-core dot com>
Full name christophe <careless at s-core dot com>
Date 2003-03-14 15:06:03 PST
Message Hi,

some time ago I wrote SSL support for MaxQ. I've dug up my code again, and
hereby supply it again to be included in MaxQ. I've not yet checked in the code
to allow everyone to review the code. There might still be some bugs here and
there (cfr. HTTPClient & SSL extension), but the big picture will be clear. I'll
clean up and double check / test my code further as soon as I find some time.

The reason for writing SSL support was because of a number of https
links in my webpages, and having to manually change all these links (if at all
possible, as some back-end logic verified that you were actually connected
through ssl and/or generates https links on the fly) is not quite feasible. The
current version allows recording of both http links and https links. They all go
through the same proxy (e.g. 127.0.0.1 on port 8090); an internal SSL server
(default port 8888) is also started up to intercept/forward SSL requests.

I'll explain how I've implemented it:

Original MaxQ set-up:

browser -> http link ->
(HTTP) -> maxq (8090) ->
(HTTP) -> website (80) -> (record HTTP connection)


New MaxQ set-up:

browser -> http link ->
(HTTP) -> maxq (8090) ->
(HTTP) -> website (80) -> (record HTTP connection)

browser -> https link -> (browser sends CONNECT to proxy) ->
(HTTP) -> maxq (8090) ->
(HTTPS) -> (open SLL socket to) maxq SSL server (8888)

(HTTP) -> return "HTTP/1.0 200 Connection established" to -> browser
(at this point the original HTTP socket (by means of CONNECT) is upgraded to an
SSL socket, because of the 200 message we sent back to the browser)

browser -> (HTTPS byte stream) -> maxq (8090) ->
(HTTPS byte forwarding between 8090 and 8888 (our local SSL server) ->

(once the SSL handshake is complete the browser will now be sending requests to
our local SSL server, assuming that it is the real website; the difference
being that the user will have to accept a custom generated SSL certificate
which of course does not correspond to the real SSL certificate; then again, if
we are doing tests, we don't really care about this invalid SSL certificate,
although you could see it as a sort of an SSL man-in-the-middle attack)

so at this point, in our local SSL server, we can record all user activity to
the SSL links. the only thing that is then left to do, is to forward all the
incoming requests on our SSL server to the real SSL website, and then return
the server output from those sites to the browser via our local SSL server:

(record HTTPS connection) -> establish connection to the real website (443) ->
(HTTPS) -> forward the request from the browser to that website (443)

Voila, that's it. I currently have this set-up working locally here, and I'm
pleased with the result. I see both http and https links in my recording
window. And then afterwards, I can replay those to simulate user behaviour
(keeping in mind that if you work with custom SSL certificates you have to add
them in your cacerts file!). My current set-up is maxq 0.93 + jsse1.0.3_01 +
httpclient-jsse-patch + jdk1.3.1.

I've also included a (rudimentary) picture of how maxq has been extended and
I've also included the source files that I've modified. A simple diff will show
you what has changed. Things you'll have to set-up yourself (for now, as it's
not yet checked in) are a keystore with a custom ssl certificate + applying a
jsse patch to httpclient.zip + include jsse libraries to allow ssl connections.

Feel free to comment if you see any problems with this solution.

Greetz,
Christophe



--------------------​--------------------​---------
This mail sent through IMP: http://horde.org/imp/
Attachments

« Previous message in topic | 1 of 1 | Next message in topic »

Messages

Show all messages in topic

[maxq-dev] MaxQ - SSL support christophe <careless at s-core dot com> christophe <careless at s-core dot com> 2003-03-14 15:06:03 PST
Messages per page: