The Un-Official Proxomitron Forum

Full Version: OpenSSL & SSL Authentication Questions
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Greetings Proxomitron Gurus!

I'm new here. Please try to be kind if I violate any forum etiquette or customs (e.g. this is a long post with quite a few questions and hopefully I have not made *too many* assumptions)

After rediscovering Proxomitron I began researching which OpenSSL dlls to use in Proxomitron these days. I'm still unsure which to use in Proxomitron itself and/or with make-proxcert. Prospects include:

OpenSSL 0.9.6m [from OpenSSL Win32 Installer Team], Both files Modified: March 18, 2004
libeay32.dll: SHA-256 932663d5f3fc13d6f6a182663c4dca326eec0db22bd5f4307bb84c2e8dac7282
ssleay32.dll: SHA-256 74f66c4badb7481baed0278d9245e330e2bb9f20e327ce2d1199c9b826d182f5

OpenSSL-0.9.8-patched [from unknown source], Both files Modified: July 06, 2005
libeay32.dll: SHA-256 40bf950dcdb88deb66a355fe9838049c2b77f80872763f66238c71311352910e
ssleay32.dll: SHA-256 ac0aa31a5914f4fffc8b826851374642eab1e12a25878a971d5d1f87d2be77e9

OpenSSL- [readme claims sidki, Sep 29 2006], Modified: September 26, 2006
libeay32.dll: SHA-256 492d02e478ac8ce340b8b9e2120bb8735cc25ce673d5841793ccedd02eecff46
ssleay32.dll: SHA-256 d23ce7a7397dd229c6d7770c642b15f3b6f570ade70a1befb85526bee9ca3a53

From Shining Light Productions' website:

OpenSSL 0.9.8y © 1998-2007 The OpenSSL Project, Both files Modified: February 06, 2013
libeay32.dll: SHA-256 733714803dc313a9481fcc0a5fdd33ad3574c1571f753f15299dd0df06656d9f
ssleay32.dll: SHA-256 c6d3b8b4c671191b9b3f514b47bb0afb4d712b8fd56d13af1c6c9bc476debb96

OpenSSL 1.0.1f © 1998-2005 The OpenSSL Project, Both files Modified: January 06, 2014
libeay32.dll: SHA-256 eb75fdef63d8af4995e36b1522873556f3f9d146cc971ecb990b2b2cec7d3767
ssleay32.dll: SHA-256 a23652f9761abf79ca8231794c6027f42d705e3403bd7c599e3b769ac0da835b

I'd like to use the latest OpenSSL 1.0.1f, but would really appreciate any recommendations, pointers, links, experiences, etc anyone is willing to offer. BTW does anyone know the details of netlaw's June 2003 OpenSSL_add_all_algorithms modifications? Hail sidki, feel like adding all the security patches between September 26, 2006 and February 06, 2013 Big Teeth <joking>

Additionally does anyone know if there are any limitations on OpenSSL versions in phoenix (aka whenever's) ProxHTTPSProxy? Will the slproweb Light packages suffice? How about the Win64 versions on an x64 OS... just curious?

Also I'm very interested in following up on a digression ProxRocks posted in the "ProxHTTPSProxy, a Proxomitron SSL Helper Program" thread (Post: #126)

Quote:...while i haven't played around with ProxHTTPSProxy for some time now, it has been my high hopes that it would become the wave of the future for anyone (ie, "us geeks") wishing to take matters into their own hands and "at their own risk" AXE the STUPID certificate-check CRAP...

the whole scheme is a crock of crap, we all know that malware sites can "buy" their own signed certificate (aka, "Certificate Authority breach"), so why propagate the MYTH that "certificates" correlate to "safety"?...

Note: Some references & resources pertaining to the following paragraphs are at the end of this post.

When I first came across phoenix (aka whenever's) ProxHTTPSProxy in the forums I too had high hopes, although slightly different ones than ProxRocks. At first I'd hoped ProxHTTPSProxy might permit certificate verification and/or enable local storage and comparison of verified certificates. I even thought *perhaps* it might be able to do some kind of certificate pinning like Microsoft's EMET or some more 'advanced' certificate checks (e.g. comparing certificate fingerprints against Steve Gibson's Fingerprints page or using less centralized approaches like Perspectives or Convergence.)

Apparently I had somehow managed to skim right past the big red “Warning: Currently ProxHTTPSProxy is not doing any kind of certificate check, use it as your own risk!” Banging Head

After reading ProxRocks' digression and a great article "Technical Architecture shapes Social Structure" I did a little more research and thinking. As much as the Carnegie Mellon Perspectives' approach and it's derivatives Convergence and Convergence "Extra" may be improvements on the Certificate Authority scheme, in principal, I've come around to ProxRocks' position “the whole scheme is a crock of crap” Nevertheless, in my opinion something needs to fill the authentication void.

I'd personally rather see an approach like Monkeysphere; but humbly ask - Does anyone know of any "parent proxy" that they use, or could be used, to help fill the SSL authentication void in Proxomitron? If not, does anyone have the skill(s) and motivation to implement some kind of SSL authentication into a Proxomitron add-on/parent proxy? I don't have the coding (or even scripting) skills myself Sad but I've tried to compile some places to start -below- if anyone is interested.

Lastly, somewhat digressing here, view the source of IIUC that's tracking script inside https on a security/privacy resource's webpage... probably (hopefully!) relatively benign.

Thanks to any and all that read this far! And thanks to all those who've participated on this forum, both past and present.

References & Resources:

Microsoft EMET 4.x's Certificate Trust Feature

Perspectives [“decentralized” SSL certificate checks from “network notary servers”]

Convergence [Perspectives like SSL certificate checks from “dynamic set of Notaries”]

Convergence "Extra" [Convergence fork that checks using “private” notaries]

Monkeysphere [uses PGP web of trust model to assess https certificates]

TACK [“A proposal for a dynamically activated public key pinning framework”]

Skip Cert Error [Seems better than ignoring all certificates imho]

Use one of the two openssl files at .
The patches sidki used and info are in the zip.

IIRC, OpenSSL 0.9.8a and later are incompatable with the Proxomitron. Some users of programs that were orphaned by the changes to OpenSSL considered creating software to bridge but no. The OpenSSL folks just might break it again. Advice was that any effort should be spent on new programs.

Quote:ProxHTTPSProxy? Will the slproweb Light packages suffice?

I'd choose the "Win32 OpenSSL v1.0.0L Light". However, I just noticed, I have run ProxHTTPSProxy without slproweb OpenSSL installed. I have python installed with pyOpenSSL-0.13.1.win32-py2.7 instead.

There are libraries that could extend ProxHTTPSProxy https abilities but I haven't been able to convince myself that that is the thing to do. A browser in http mode may not do things that it should do while the mitm proxy is handling the https connection and and ??.

I know the current https scheme can fail but so can proxies, vpns, toothpaste, seatbelts, airplanes, parachutes, etc. Proper use and fingers crossed seems to be the best course.

I would like browsers that will always accept known friendly mitms. The browser could even have some cute icon display when using the mitm. Wink

As to better security, privacy, etc...

My world has some people who believe they have the right or responsibility to be able to know what others are doing. Any solution has to get by these people.

Have fun
Reference URL's