Post Reply 
ProxHTTPSProxy, a Proxomitron SSL Helper Program
Jun. 07, 2010, 01:19 AM
Post: #106
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jun. 06, 2010 08:55 PM)JJoe Wrote:  When the browser created the absolute links from the relative links in the html and http://bugzilla.mozilla.org:443/&taggedhere, wouldn't the tag be lost?

You are right. The tag would be lost when the browser is in http mode. It doesn't look that simple as I had imagined.

Fortunately we are now using the simpler list routine.
Add Thank You Quote this message in a reply
Jun. 08, 2010, 02:15 AM
Post: #107
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
0.4b tries to convert 'http://www.sslsite.com:443/' to 'https://www.sslsite.com/' for Referer header. Please let me know if it doesn't work.


Attached File(s)
.zip  ProxHTTPSProxy 0.4b.zip (Size: 8.33 KB / Downloads: 788)
Add Thank You Quote this message in a reply
Jun. 09, 2010, 08:45 PM (This post was last modified: Jun. 09, 2010 08:47 PM by JJoe.)
Post: #108
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
Python creates a file config.pyc that appears to break things at restart. After I delete it all works again.

I think its purpose is to speed up program load. After loading there would be no advantage to having it. When I delete it I also delete other pyc files, socks.pyc.

Is setting sys.dont_write_bytecode to True the best fix?
http://docs.activestate.com/activepython...y/sys.html

Anybody else seeing this?
Add Thank You Quote this message in a reply
Jun. 10, 2010, 01:26 AM
Post: #109
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jun. 09, 2010 08:45 PM)JJoe Wrote:  Python creates a file config.pyc that appears to break things at restart.

How does that break things?
Add Thank You Quote this message in a reply
Jun. 10, 2010, 02:06 AM
Post: #110
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jun. 10, 2010 01:26 AM)whenever Wrote:  
(Jun. 09, 2010 08:45 PM)JJoe Wrote:  Python creates a file config.pyc that appears to break things at restart.

How does that break things?

The symptom is https hangs. Proxo shows the request

Quote:Using Proxy - 127.0.0.1:8081
GET https://login.yahoo.com/config/login_verify2?&.src=ym HTTP/1.1
Host: login.yahoo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://login.yahoo.com/
HTTP/1.0 200 Connection established
HTTP/1.0 Proxy-agent: ProxHTTPSProxy/0.4b Python/2.6.5

ProxHTTPSProxy shows an exception

Quote:Exception happened during processing of request from ('127.0.0.1', 49164)
Traceback (most recent call last):
File "C:\Python26\lib\SocketServer.py", line 558, in process_request_thread
self.finish_request(request, client_address)
File "C:\Python26\lib\SocketServer.py", line 320, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "C:\Python26\lib\SocketServer.py", line 615, in __init__
self.handle()
File "C:\Python26\lib\BaseHTTPServer.py", line 329, in handle
self.handle_one_request()
File "C:\Python26\lib\BaseHTTPServer.py", line 323, in handle_one_request
method()
File "C:\Users\E3\Programs\ProxHTTPSProxy 0.4b\ProxHTTPSProxy.py", line 132, i
n do_CONNECT
client_sock = ssl.wrap_socket(self.connection, certfile=cert_file, server_si
de=True)
File "C:\Python26\lib\ssl.py", line 350, in wrap_socket
suppress_ragged_eofs=suppress_ragged_eofs)
File "C:\Python26\lib\ssl.py", line 113, in __init__
cert_reqs, ssl_version, ca_certs)
SSLError: [Errno 336265218] _ssl.c:337: error:140B0002:SSL routines:SSL_CTX_use_
PrivateKey_file:system lib

Closing and restarting ProxHTTPSProxy doesn't fix it.
Deleting the file or files and restarting does.
Add Thank You Quote this message in a reply
Jun. 10, 2010, 02:28 AM
Post: #111
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jun. 10, 2010 02:06 AM)JJoe Wrote:  The symptom is https hangs.

I didn't get that. It's strange deleting pyc file could solve your problem. I couldn't think of the reason.

Anybody else has the same problem?
Add Thank You Quote this message in a reply
Jun. 10, 2010, 03:02 AM (This post was last modified: Jun. 10, 2010 01:10 PM by JJoe.)
Post: #112
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jun. 10, 2010 02:28 AM)whenever Wrote:  It's strange deleting pyc file could solve your problem.

My guess was that there is an error in the file, however.
Since my last post, I have shutdown and restarted many times. Deleting pyc files before shutdown did not, always, solve problem on restart. I still had start ProxHTTPSProxy, see exception, close ProxHTTPSProxy, delete file, and restart.

I will play with it more later. Got other things to get done.

Edit: Added "always".
Add Thank You Quote this message in a reply
Jun. 10, 2010, 01:18 PM
Post: #113
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jun. 10, 2010 03:02 AM)JJoe Wrote:  I will play with it more later.

Behaviour continued this morning but not now. Machine has been restarted several times. ProxHTTPSProxy has worked without deleting pyc file.
Add Thank You Quote this message in a reply
Jul. 13, 2010, 03:44 AM (This post was last modified: Jul. 13, 2010 03:46 AM by JJoe.)
Post: #114
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
Have been wondering exactly how Python/ProxHTTPSProxy handles ssl.

After very little research, I have found http://mail.python.org/pipermail/python-...42166.html from Apr 2010.

Quote:I've found what looks like a security hole. The "ssl" module will validate the certificate chain, but it doesn't check that the certificate is valid for the domain.

Quote:The SSL module doesn't seem to let you read all the cert extensions,

Quote:Without host name checking, you lose all "man in the middle" protection in SSL.

Quote:All major browsers make this check. Most Python users will expect the SSL module to do the checks a browser does. If the user went to the trouble to provide a certificate authority file, and specified CERT_REQUIRED, they presumably want their connections fully validated.

and then

http://stackoverflow.com/questions/10872...ith-python from July-Dec 2009.

Quote:Python by default just accepts and uses SSL certificates when using HTTPS, so even if a certificate is invalid, Python libraries such as urllib2 and Twisted will just happily use the certificate.

Quote:Unfortunately, neither Python nor Twisted comes with a the pile of CA certificates required to actually do HTTPS validation, nor the HTTPS validation logic. Due to a limitation in PyOpenSSL, you can't do it completely correctly just yet, but thanks to the fact that almost all certificates include a subject commonName, you can get close enough.

Does anybody know if any of these complaints are not current and valid?

Should developers be interested in the solution that was offered in the stackoverflow thread on Dec 17 '09 at 12:48?

Quote:PycURL does this beautifully.
Add Thank You Quote this message in a reply
Jul. 13, 2010, 09:50 AM
Post: #115
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jul. 13, 2010 03:44 AM)JJoe Wrote:  Does anybody know if any of these complaints are not current and valid?

Found this at http://svn.python.org/projects/python/ta.../Misc/NEWS
Code:
- Server-side SSL support and cert verification added, by Bill
  Janssen.

but I am not sure if it refers to the host name check.

BTW, many sites are using self signed certificate, to make things simple currently ProxHTTPSProxy is not verifying certificate chain.
Add Thank You Quote this message in a reply
Jul. 13, 2010, 10:38 PM
Post: #116
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jul. 13, 2010 09:50 AM)whenever Wrote:  Found this at http://svn.python.org/projects/python/ta.../Misc/NEWS
Code:
- Server-side SSL support and cert verification added, by Bill
  Janssen.

That appears to be in a section titled and dated

Quote:What's New in Python 2.6 alpha 1?
=================================

*Release date: 29-Feb-2008*

I think, it came before the complaints.

(Jul. 13, 2010 09:50 AM)whenever Wrote:  BTW, many sites are using self signed certificate, to make things simple currently ProxHTTPSProxy is not verifying certificate chain.

As I thought but you might want to add a note about this to the first post.
Add Thank You Quote this message in a reply
Jul. 13, 2010, 11:31 PM
Post: #117
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jul. 13, 2010 10:38 PM)JJoe Wrote:  
(Jul. 13, 2010 09:50 AM)whenever Wrote:  BTW, many sites are using self signed certificate, to make things simple currently ProxHTTPSProxy is not verifying certificate chain.

As I thought but you might want to add a note about this to the first post.


the non-verification actually sounds like a *good* idea to me...
i might be thinking incorrectly, but these "certificates" are a PITA *at the local level* but should *only* be an issue at the "dns hop level"...

when i go to a bank site, that "web content" might bounce around through eight or nine "non-local" servers, those "certificates", in my opinion, correct me if i'm mistaken, are to be "honored" by those "non-local" servers required to get that content to me...

once that content is here, *i could care less about the PITA certificate!*...


is this logic flawed?
Add Thank You Quote this message in a reply
Jul. 14, 2010, 01:33 AM
Post: #118
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jul. 13, 2010 10:38 PM)JJoe Wrote:  I think, it came before the complaints.

So it is not fixed yet in release 2.7 of Python.

If you upgrade your Python installation regularly and at some time ProxHTTPSProxy throw an Expection when you visit a site whose certificate doesn't accord with its host name, we can know that issue is fixed.

(Jul. 13, 2010 10:38 PM)JJoe Wrote:  As I thought but you might want to add a note about this to the first post.

done.

(Jul. 13, 2010 11:31 PM)ProxRocks Wrote:  when i go to a bank site, that "web content" might bounce around through eight or nine "non-local" servers, those "certificates", in my opinion, correct me if i'm mistaken, are to be "honored" by those "non-local" servers required to get that content to me...

The problem is if we don't verify the certificates, those contents might be sniffed/modified by a man-in-the-middle attack, just like what ProxHTTPSProxy does.
Add Thank You Quote this message in a reply
Jul. 14, 2010, 04:48 AM (This post was last modified: Jul. 14, 2010 04:49 AM by JJoe.)
Post: #119
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
(Jul. 14, 2010 01:33 AM)whenever Wrote:  So it is not fixed yet in release 2.7 of Python.

I don't think any of the complaints are. I have not really looked, tho.

Issue1589 has been reopened. I understand some of what Janssen is saying and think I might agree with some but surely it's in Python's best interest to have a Python.org solution for this.

Janssen Wrote:I think that, where it's appropriate, you can do that. Just don't put it in the SSL module.

I doubt anybody really cares where they put it but make sure it includes wildcards for as long as sites use them. Wink

(Jul. 13, 2010 11:31 PM)ProxRocks Wrote:  is this logic flawed?

What Whenever said.

Bank->Server A->Server B->local trusted filtering proxy->Browser

Under your https scheme:
When Server A peeks, Server B would know and could take action.
When Server B peeks...

Current https practice is, the browser will warn us about the local trusted filtering proxy that it can see and we will ignore it.
So, the local trusted filtering proxy must warn us about any remote nosy server that it hides from the browser or we won't know about it.
A non-filtering proxy or benign server doesn't cause alarm because it doesn't alter or decode the ssl data.
Add Thank You Quote this message in a reply
Jul. 14, 2010, 11:18 AM
Post: #120
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
okay, i can agree to that...

that very notion is in fact why i do *NOT* 'trust' the "Tor network"...
Add Thank You Quote this message in a reply
Post Reply 


Forum Jump: