Post Reply 
ProxHTTPSProxyMII: Development
Jun. 19, 2014, 04:28 AM
Post: #46
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jun. 19, 2014 04:13 AM)JJoe Wrote:  First, I want to retest the socket error. I still had ProxHTTPSProxy in the chain.

I haven't seen the socket error while testing without ProxHTTPSProxy.
I did, however, just experience a long stall while signing in at yahoo without ProxHTTPSProxy.

So the error may not be a problem.

Dead TiredSleep
Add Thank You Quote this message in a reply
Jun. 20, 2014, 02:20 AM (This post was last modified: Jun. 21, 2014 01:45 AM by JJoe.)
Post: #47
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jun. 19, 2014 04:05 AM)whenever Wrote:  JJoe, would you like to write a new readme and update the instructions on configuring the script to work with Proxomitron?

Is this close?

Edit: See attachment


Attached File(s)
.txt  readmedraft1.txt (Size: 4.69 KB / Downloads: 632)
Add Thank You Quote this message in a reply
Jun. 20, 2014, 10:43 AM
Post: #48
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
Well done! Thumbs Up

(Jun. 20, 2014 02:20 AM)JJoe Wrote:  The client (probably a browser) believes the front server is the target server (probably a https website).

The client knows the front server is a proxy because we have to explicitly set it.

(Jun. 20, 2014 02:20 AM)JJoe Wrote:  More detail:
...

I know what you mean but I think the "converts the connection to https" and the vice versa are not accurate. They are different connections living in the different places in the chain. What about using ProxHTTPSProxy.png to describe the details?

BTW, I wasn't able to build an exe version. Sad I am still working on it. Banging Head
Add Thank You Quote this message in a reply
Jun. 20, 2014, 01:59 PM
Post: #49
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jun. 20, 2014 10:43 AM)whenever Wrote:  Well done! Thumbs Up

Not yet! Wink I just wanted some comment before continuing.

(Jun. 20, 2014 10:43 AM)whenever Wrote:  
(Jun. 20, 2014 02:20 AM)JJoe Wrote:  The client (probably a browser) believes the front server is the target server (probably a https website).

The client knows the front server is a proxy because we have to explicitly set it.

(Jun. 20, 2014 02:20 AM)JJoe Wrote:  More detail:
...

I know what you mean but I think the "converts the connection to https" and the vice versa are not accurate. They are different connections living in the different places in the chain.

I worried about that part. You are correct, of course.

(Jun. 20, 2014 10:43 AM)whenever Wrote:  What about using ProxHTTPSProxy.png to describe the details?

Accepted and easier. Smile!
My tradition is that readme is a stand-alone text document.

More later.
Add Thank You Quote this message in a reply
Jun. 21, 2014, 02:18 AM (This post was last modified: Jun. 22, 2014 05:23 AM by JJoe.)
Post: #50
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
Second published Wink draft.
I need to take a break. So...
Is there anything missing and etc?

Edit: Moved to attachment.


Attached File(s)
.txt  readmedraft2.txt (Size: 5.48 KB / Downloads: 688)
Add Thank You Quote this message in a reply
Jun. 22, 2014, 05:17 AM
Post: #51
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
Third published draft.

Code:
ProxHTTPSProxy creates two local servers, "front" and "rear",
to provide modern secure https connections for the Proxomitron local proxy.

Show ProxHTTPSProxy.png

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

To run ProxHTTPSProxy.py:

Install the latest Python 3.x from  https://www.python.org/download/
Install the latest OpenSSL from     http://www.slproweb.com/products/Win32OpenSSL.html
                                    OpenSSL needs "Visual C++ 2008 Redistributables"
Install pyOpenSSL                   https://pypi.python.org/pypi/pyOpenSSL/0.14
Install urllib3                     https://pypi.python.org/pypi/urllib3
Install colorama                    https://pypi.python.org/pypi/colorama

Use a direct connection while installing these libraries!

Assuming that Python installed to c:\Python34:
c:\Python34\Scripts>pip install pyopenssl
c:\Python34\Scripts>pip install urllib3
c:\Python34\Scripts>pip install colorama

For new Python users:
Window's command-prompt window should eventually resemble cmdexe.png without
the highlighting of the commands that you will enter.

Double-click on ProxHTTPSProxy.py file to start.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

To use ProxHTTPSProxy proxies:

Add ProxHTTPSProxy's "CA.crt" to the browser's store of trusted certificate authorities.
Set the browser to use the ProxHTTPSProxy front server for secure connections.
    The front server's default address is 127.0.0.1 on port 8079.
Add the ProxHTTPSProxy rear server to the Proxomitron's list of external proxies.
    The default entry is 127.0.0.1:8081 ProxHTTPSProxy
    , http://proxomitron.info/45/help/External%20Proxy%20Dialog.html .
Add
    $OHDR(Tagged:Proxomitron FrontProxy/*)$SETPROXY(127.0.0.1:8081)(^)|
    to the beginning of the entry in Proxomitron's "Bypass URLs that match this expression" field, http://proxomitron.info/45/help/CfgT2.html#foo .
    If the field is empty, add
    $OHDR(Tagged:Proxomitron FrontProxy/*)$SETPROXY(127.0.0.1:8081)(^)

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Q and A:

Why is the browser complaining?
ProxHTTPSProxy's "CA.crt" must be in the browser's store of trusted certificate authorities.

Can ProxHTTPSProxy use another port?
Modify "ProxHTTPSProxy.ini" and associated settings in the Proxomitron.

Will the ProxHTTPSProxy certificate store be updated?
Download and replace the "cacert.pem" file in ProxHTTPSProxy with one from http://curl.haxx.se/docs/caextract.html .
Consider emptying the certs folder in the ProxHTTPSProxy folder.

How will the Proxomitron know which connections are https?
By testing for the "Tagged" request header, like $OHDR(Tagged:Proxomitron FrontProxy/*) .

How do I view a site that has a bad certificate?
The Proxomitron can still do https and it may not care. Try a header filter, like

[HTTP headers]
In = FALSE
Out = TRUE
Key = "Tagged: Use Proxomitron for https://badcert.com"
URL = "badcert.com$OHDR(Tagged:Proxomitron FrontProxy/*)$USEPROXY(false)$RDIR(https://badcert.com)"

, after adding the ssl files to the Proxomitron, http://proxomitron.info/files/index.html .
This filter also removes the "Tagged" header.

Redirects of "Tagged" connections, $RDIR(http://local.ptron/killed.gif), don't work?
Use an expression like $USEPROXY(false)$RDIR(http://local.ptron/killed.gif).
Also, before redirecting "Tagged" connections to external resources consider removing the "Tagged" header.

How does the "Bypass URLs that match this expression" entry work?
The Proxomitron always executes some commands in this field.
Putting the entry there allows the Proxomitron to use the rear server when in Bypass mode.
This undocumented feature brings many possibilities but remember, an actual match triggers bypass of filtering!
$OHDR(Tagged:Proxomitron FrontProxy/*) checks for the header that indicates an https request.
$SETPROXY(127.0.0.1:8081) is executed when found.
(^) expression never matches.

Any additional instructions for the current sidki set?
1. Redirect connections to http resources with an expression like $USEPROXY(false)$SET(keyword=i_proxy:0.)$RDIR(http://local.ptron/killed.gif).
2. Add the following two lines to Exceptions-U
   $OHDR(Tagged:Proxomitron FrontProxy/*)$SET(keyword=$GET(keyword)i_proxy:3.)(^)
   ~(^$TST(keyword=i_proxy:[03].))$OHDR(Tagged:Proxomitron FrontProxy/*)$SET(keyword=$GET(keyword)i_proxy:3.)(^)

Why is this better than using the Proxomitron's ssl routine?
The Proxomitron's ssl routine is dated.
The many alerts from the browser and the Proxomitron may cause some users to disable all alerts.

Why is this better than using half-ssl?
The purpose of half-ssl is to hide the secure connection from the browser.
Half-ssl routines are often an incomplete solution.
The Proxomitron's ssl routine is dated.  
The many alerts may cause some users to disable all alerts.
Cookies and other data may be incorrectly assigned.
Browsers should not treat secure data the same as insecure data.

Should I filter https?
Be aware and careful! But...
So many ordinary everyday sites (yahoo, google, etc) and servers are now using https that you may not have a choice.
However, use a direct connection when you don't want any mistakes made.
Remember, use at your own risk!

Have fun!


Attached File(s)
.png  ProxHTTPSProxy.png (Size: 30.16 KB / Downloads: 711)
.png  cmdexe.png (Size: 46.98 KB / Downloads: 681)
Add Thank You Quote this message in a reply
Jun. 22, 2014, 12:14 PM
Post: #52
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
Finally got an exe version working. http://proxfilter.net/ProxHTTPSProxy0.8d.zip 4.5MB.

The only external dependency is OpenSSL, and the "Visual C++ 2008 Redistributables" that OpenSSL needs. You need to restart your computer after OpenSSL installation to make its binary work.

JJoe, thanks for the document work. I will check it later. Time to have a break now.
Add Thank You Quote this message in a reply
Jun. 22, 2014, 05:25 PM
Post: #53
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jun. 22, 2014 12:14 PM)whenever Wrote:  Finally got an exe version working. http://proxfilter.net/ProxHTTPSProxy0.8d.zip 4.5MB.

Cheers Firefox will not import the new "CA.crt", however.

firefox Wrote:This is not a certificate authority certificate, so it can't be imported into the certificate authority list.

I have found

https://support.mozilla.org/en-US/questions/687567

and

http://stackoverflow.com/questions/13332...h-makecert
Add Thank You Quote this message in a reply
Jun. 23, 2014, 09:37 AM
Post: #54
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jun. 22, 2014 05:17 AM)JJoe Wrote:  Will the ProxHTTPSProxy certificate store be updated?
...
Consider emptying the certs folder in the ProxHTTPSProxy folder.

This is not needed for updating the "cacert.pem". You only HAVE TO do it after you change the "CA.crt", which is used to sign those site certificates.

(Jun. 22, 2014 05:25 PM)JJoe Wrote:  Firefox will not import the new "CA.crt", however.

Thanks for the clue. Please download again and let me know it works now. The installation part of the doc could be simplified if it works.

Would you advise a new name for this proxy or just keep it as is?
Add Thank You Quote this message in a reply
Jun. 23, 2014, 04:00 PM (This post was last modified: Jun. 24, 2014 02:17 AM by JJoe.)
Post: #55
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jun. 23, 2014 09:37 AM)whenever Wrote:  You only HAVE TO do it after you change the "CA.crt", which is used to sign those site certificates.

I had not considered that. It is a 10 year cert.
I saw the cache as a possible privacy issue. It will show browsing history.

(Jun. 23, 2014 09:37 AM)whenever Wrote:  
(Jun. 22, 2014 05:25 PM)JJoe Wrote:  Firefox will not import the new "CA.crt", however.

Thanks for the clue. Please download again and let me know it works now. The installation part of the doc could be simplified if it works.

Glad it worked! CheersApplause

(Jun. 23, 2014 09:37 AM)whenever Wrote:  Would you advise a new name for this proxy or just keep it as is?

Other proxies are using the first ProxHTTPSProxy.
The two ProxHTTPSProxys have different abilities.
The first ProxHTTPSProxy can use socks, http, and https proxies.
The second can only use https proxies but supports verification.
If both groups of users seek help, one name could be a problem.

I would change it but I don't think it has to be a new name.
I have been using ProxHTTPSProxyMII for the second version.
Also, I have changed __version__ to 0.8dpy, "py" to distinguish it from the new "exe" version.

But, whatever you decide is perfectly ok.
You won't have to use the readme either. Smile!

Do you want to have a "py" and an "exe" package?
http://prxbx.com/forums/showthread.php?t...8#pid16488

Looking forward to ProxHTTPSProxyMIII!!! Wink Evil Look

Will test and more.

Edit: Clarity and more
Add Thank You Quote this message in a reply
Jun. 25, 2014, 08:58 AM
Post: #56
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jun. 23, 2014 04:00 PM)JJoe Wrote:  I had not considered that. It is a 10 year cert.

For anyone who worries that a site could use that CA to fake https, I added a function that the program will create a new CA if you delete the bundled one.

(Jun. 23, 2014 04:00 PM)JJoe Wrote:  I have been using ProxHTTPSProxyMII for the second version.

You got it! Smile!

(Jun. 23, 2014 04:00 PM)JJoe Wrote:  You won't have to use the readme either. Smile!

I will definitely use it, until you think the program is ready to be out of beta. I don't have much time to fully test it and have to count on you.

v0.9 adds bypass function. The python version is attached, and the exe version here: http://proxfilter.net/ProxHTTPSProxyMII0.9.zip .


Attached File(s)
.zip  ProxHTTPSProxyMII 0.9py.zip (Size: 172.3 KB / Downloads: 653)
Add Thank You Quote this message in a reply
Jun. 26, 2014, 03:01 AM (This post was last modified: Jun. 26, 2014 02:02 PM by JJoe.)
Post: #57
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
The PY version is very good. Thumbs Up

The exe is having problems, however.
After commenting out "yahoo.com" and "yimg.com" in "ProxHTTPSProxy.ini" Wink and emptying certs cache,
yahoo.com eventually loads without some yimg resources. To get more resources, I remove ".yimg.com.crt" from the cert cache and load a missing image to create a new cert.

Sometimes, the cert I remove is missing the Private Key but not always.

ProxHTTPSProxy log window shows:


.txt  log.txt (Size: 13.07 KB / Downloads: 828)


Edit: Moved log to attachment
Add Thank You Quote this message in a reply
Jun. 26, 2014, 03:51 AM
Post: #58
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jun. 26, 2014 03:01 AM)JJoe Wrote:  The exe is having problems, however.

It looks like it failed to speak SSL. Could you please try to import the exe CA to the store again?

(Jun. 26, 2014 03:01 AM)JJoe Wrote:  Sometimes, the cert I remove is missing the Private Key but not always.

The exe version uses OpenSSL command line to create certs, and my current routine is not reliable if multiple threads are doing the same thing. So don't empty those certs unless you change the CA. Smile!
Add Thank You Quote this message in a reply
Jun. 26, 2014, 06:04 AM
Post: #59
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jun. 26, 2014 03:51 AM)whenever Wrote:  It looks like it failed to speak SSL. Could you please try to import the exe CA to the store again?

Done but I see the same behavior. It seems like exe works best with IE11.

Past time to quit.Sleep
Add Thank You Quote this message in a reply
Jun. 26, 2014, 10:40 PM
Post: #60
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
A little more info...

These errors occured while using IE11, visiting site for first time with a clean install of ProxHTTPSProxy 0.9 exe.

Code:
[16:18:22] "GET https://farm6.staticflickr.com/5489/14482714055_1583998180_s.jpg
HTTP/1.1" 200 7415
[16:18:23] [F] [X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:2532) on
connection.
[16:18:24] "GET https://farm6.staticflickr.com/5499/14426902271_b481280526_s.jpg
HTTP/1.1" 200 5822
[16:18:24] [F] [SSL] PEM lib (_ssl.c:2532) on connection.
[16:18:24] [F] [SSL] PEM lib (_ssl.c:2532) on connection.
[16:18:24] [F] [SSL] PEM lib (_ssl.c:2532) on connection.

The images did load after reloading the page, however. These errors have not been seen again.

So, I may be seeing two kinds of errors while using the exe.
1. Incomplete cert generated.
2. Good cert generated but somehow misapplied.
Add Thank You Quote this message in a reply
Post Reply 


Forum Jump: