<div dir="ltr">Hi,<div><br></div><div>I'm maintaining a small HTTP proxy library that allows you to eavesdrop on HTTP requests. Someone reported a bug which I cannot recreate, so I'm trying my luck here. [repost from golang-nuts, where I didn't get an answer].</div>
<div><br></div><div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">It seems to work on my machine, but a user still complains. <a href="https://github.com/elazarl/goproxy/issues/15" style="color:rgb(102,17,204);margin:0px;padding:0px;border:0px;vertical-align:baseline;text-decoration:none" target="_blank">https://github.com/elazarl/goproxy/issues/15</a></div>
<div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif"><br></div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">
I could use two forms of help:</div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif"><br></div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">
1) Test it on your environment and report the results.</div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif"><br></div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">
$ mkdir ~/gopath2</div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">$ GOPATH=~/gopath2 go get <a href="http://github.com/elazarl/goproxy/examples/eavesdropper" target="_blank">github.com/elazarl/goproxy/examples/eavesdropper</a></div>
<div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">$ # add ~/gopath2/src/<a href="http://github.com/elazarl/goproxy/ca.cert" target="_blank">github.com/elazarl/goproxy/ca.cert</a> as a root CA to your browser</div>
<div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">$ ~/gopath2/bin/eavesdropper</div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">
# use HTTP proxy at localhost:8080, browse to a https site, and see if you get warnings</div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif"><br>
</div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">
2) Generally speaking, I don't really know too much cryptography in general, or TLS/SSL in particular. If you do, have a look at the code and explain my mistakes.</div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">
Most of the logic is here: <a href="https://github.com/elazarl/goproxy/blob/master/signer.go" style="color:rgb(102,17,204);margin:0px;padding:0px;border:0px;vertical-align:baseline;text-decoration:none" target="_blank">https://github.com/elazarl/goproxy/blob/master/signer.go</a></div>
</div><div><div style="margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif;font-size:13px"><br></div><div style="margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif;font-size:13px">
The way it does that is:</div><div style="margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif;font-size:13px">1) goproxy has a builtin CA certificate, hard coded into a variable. It's generated with <a href="http://golang.org/src/pkg/crypto/tls/generate_cert.go" style="margin:0px;padding:0px;border:0px;vertical-align:baseline;text-decoration:none;color:rgb(102,17,204)" target="_blank">http://golang.org/src/pkg/crypto/tls/generate_cert.go</a></div>
<div style="margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif;font-size:13px">2) Given a CONNECT <a href="http://foo.com:443/" style="margin:0px;padding:0px;border:0px;vertical-align:baseline;text-decoration:none;color:rgb(102,17,204)" target="_blank">foo.com:443</a> proxy request, it would:</div>
<div style="margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif;font-size:13px">3) Generate a certificate for <a href="http://foo.com/" style="margin:0px;padding:0px;border:0px;vertical-align:baseline;text-decoration:none;color:rgb(102,17,204)" target="_blank">foo.com</a> and sign it with the builtin CA,</div>
<div style="margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif;font-size:13px">4) Submit this certificate with the certificate chain: [new_cert, CA], using crypto/tls package.</div>
</div></div>
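The four steps above (builtin CA, CONNECT host, per-host leaf signed by the CA, chain [leaf, CA] handed to crypto/tls), as an added, self-contained example written for this page; it is not goproxy's signer.go and makes a few assumptions of its own: the CA is generated fresh with ECDSA P-256 instead of being hard coded (generate_cert.go in the linked Go tree produced RSA keys), and `verifyChain` stands in for the browser's check by trusting the trailing CA in the chain and validating the leaf for the CONNECT host. The leaf carries the host as a Subject Alternative Name, not only as CommonName, because browsers (and Go's own verifier since 1.15) ignore CommonName for hostname matching; a leaf that only sets CN is one common cause of "works for me, warns for the user".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCA builds a self-signed root CA (step 1). Example code, not goproxy's:
// goproxy hard codes its CA; here one is generated on every run.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example proxy CA"},
		NotBefore:             time.Now().Add(-time.Hour), // tolerate clock skew
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true, // without this, browsers reject the chain
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// signHost issues a leaf for host signed by ca (steps 2-3) and returns the
// chain [leaf, ca] as a tls.Certificate (step 4).
func signHost(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	// Random 128-bit serial: browsers cache serials per issuer, and reusing
	// one across different hosts is another source of warnings.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// A CONNECT target may be an IP literal; that goes in IPAddresses, not DNSNames.
	if ip := net.ParseIP(host); ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	} else {
		tmpl.DNSNames = []string{host}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der, ca.Raw}, PrivateKey: key}, nil
}

// verifyChain mimics a client that has imported the CA as a root: it parses
// the leaf, trusts only the CA(s) sent after it, and checks the leaf for host.
func verifyChain(c tls.Certificate, host string) error {
	if len(c.Certificate) < 2 {
		return fmt.Errorf("chain has %d certs, want leaf and CA", len(c.Certificate))
	}
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	for _, der := range c.Certificate[1:] {
		parent, err := x509.ParseCertificate(der)
		if err != nil {
			return err
		}
		roots.AddCert(parent)
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	cert, err := signHost(ca, caKey, "foo.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("foo.com:", verifyChain(cert, "foo.com")) // nil: chain validates
	fmt.Println("bar.com:", verifyChain(cert, "bar.com")) // hostname mismatch error
}
```

To serve the chain the way step 4 describes, hand the returned value to `tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}})` on the hijacked CONNECT connection. When a user reports warnings that you cannot reproduce, run `verifyChain` against the exact certificate the proxy sent (or `openssl s_client -connect localhost:8080 -proxy ...` equivalents) rather than against your own browser: the verifier error message names the specific failing constraint (unknown authority, SAN mismatch, expired, not a CA), which the browser's generic warning hides.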