Capture SSL certs from HTTP Proxy directly #138

Open
matteocargnelutti opened this issue Mar 31, 2023 · 2 comments

matteocargnelutti commented Mar 31, 2023

The current implementation of SSL certs capture:

  • Happens out-of-band, in a distinct capture step
  • Uses crip

While the current setup is extremely convenient, it would be preferable - both conceptually and from a performance perspective - to pull the certificates directly from the proxy, especially since Portal gives us that flexibility.


Ideally the replacement is somewhat "drop-in":

  • It should still account for captureCertificatesAsAttachment and attachmentsBypassLimits options
  • It should still add certs to Scoop.provenanceInfo.certificates
  • It should still only capture certs once per origin

captureCertificatesAsAttachmentTimeout and crip dependencies would be removed.


Progress:

#140

leppert commented Mar 31, 2023

Here's the API: https://nodejs.org/api/tls.html#tlssocketgetpeercertificatedetailed

We'll end up with something in ScoopProxy, probably in this block, along the lines of

```js
onConnected (serverSocket, request) {
  // Match the upstream socket back to the exchange that triggered it.
  const exchange = this.exchanges.find(ex => ex.requestParsed === request)
  const ip = serverSocket.remoteAddress
  const rule = this.findMatchingBlocklistRule(ip)
  if (rule) {
    serverSocket.destroy()
    this.blockRequest(request, ip, rule)
  } else if (exchange && typeof serverSocket.getPeerCertificate === 'function') {
    // Only a tls.TLSSocket exposes getPeerCertificate(); plain HTTP upstreams do not.
    // Passing `true` returns the full chain, linked through `issuerCertificate`.
    exchange.cert = serverSocket.getPeerCertificate(true)
  }
}
```

matteocargnelutti self-assigned this Mar 31, 2023
matteocargnelutti added a commit that referenced this issue Apr 11, 2023
Implements #138

---

- Removes `crip` dependency, dedicated certificates capture step and associated options.
- Intercepts certificate chain at `ScoopProxy` level using `socket.getPeerCertificate()` to assemble a PEM on the fly. Runs once per origin.
- Removes duplicate processing of `noarchive` checks

---

**Still working through:** The certificates interception currently happens at `ScoopProxy.onResponse()` level. It should be in `ScoopProxy.onConnected()`, but in some cases it appears to be _"too early"_. TBD, but this version works.
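As an added example (not Scoop's code, nor the code from the commit referenced above), here is how the chain returned by `getPeerCertificate(true)` can be assembled into a PEM bundle once per origin, as the approach above describes. The origin key, the `CertificateCapture` class and the socket shape are assumptions, and the sample chain is constructed from fake bytes, not real certificates; the one edge case it handles is that Node reports a self-signed root with `issuerCertificate` pointing at itself, so a naive chain walk never terminates.

```javascript
// Added example, not Scoop's code. Assumes only the documented shape of Node's
// DetailedPeerCertificate: { raw: Buffer (DER), fingerprint256: string,
// issuerCertificate: DetailedPeerCertificate }.

// Wrap one DER-encoded certificate as a PEM block (64-column base64).
function derToPem (der) {
  const b64 = (der.toString('base64').match(/.{1,64}/g) || []).join('\n')
  return `-----BEGIN CERTIFICATE-----\n${b64}\n-----END CERTIFICATE-----\n`
}

// Walk leaf -> issuer -> ... and concatenate PEM blocks. A self-signed root
// has issuerCertificate === itself, so fingerprints already seen end the walk.
function chainToPem (leaf) {
  const seen = new Set()
  let pem = ''
  for (let cert = leaf; cert && cert.raw; cert = cert.issuerCertificate) {
    if (seen.has(cert.fingerprint256)) break
    seen.add(cert.fingerprint256)
    pem += derToPem(cert.raw)
  }
  return pem
}

// Hypothetical helper: remembers which origins were already captured.
class CertificateCapture {
  constructor () { this.byOrigin = new Map() }

  // Returns the PEM bundle the first time an origin is seen, null afterwards
  // or when the socket is not a TLS socket.
  captureOnce (origin, socket) {
    if (this.byOrigin.has(origin)) return null
    if (typeof socket.getPeerCertificate !== 'function') return null
    const leaf = socket.getPeerCertificate(true)
    if (!leaf || !leaf.raw) return null
    const pem = chainToPem(leaf)
    this.byOrigin.set(origin, pem)
    return pem
  }
}

// Constructed sample: a two-certificate chain with fake DER bytes, shaped the
// way Node reports a self-signed root (issuerCertificate points at itself).
function sampleSocket () {
  const root = { raw: Buffer.from('root-der'), fingerprint256: 'R' }
  root.issuerCertificate = root
  const leaf = { raw: Buffer.from('leaf-der'), fingerprint256: 'L', issuerCertificate: root }
  return { getPeerCertificate: () => leaf }
}
```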
matteocargnelutti commented

Update: Getting close, but stuck on hard-to-troubleshoot edge cases (#140 (comment)).

As this feature is not broken at the moment:

  • Setting PR as draft
  • Re-prioritization TBD
