Need Clarification about MITM Uses


Chris Hoffman

Dec 15, 2014, 3:04:37 PM
to littl...@googlegroups.com, Chris Hoffman
First, Ox, thank you for everything!

My Context: 

My littleshoot instance, in this example, is: my.poxy.api.foo
My actual api instance is: my.source.api.foo

Thanks to this topic, I am able to get my http proxy to work correctly:

... returns the data from my own API, just as if I queried

Here is my server bootstrap:

HttpProxyServer server =
    DefaultHttpProxyServer.bootstrap()
        .withPort(8000)
        .withChainProxyManager(new ChainedProxyManager() {
            @Override
            public void lookupChainedProxies(HttpRequest httpRequest,
                                             Queue<ChainedProxy> chainedProxies) {}
        })
        .withManInTheMiddle(new SelfSignedMitmManager())
        .withFiltersSource(filtersSource)
        .start();


Additionally, I have this code for a 'dumb' health check:

private static final String SOURCE_API_HOST = "my.poxy.api.foo";

public HttpResponse requestPre(HttpObject httpObject) {
    if (httpObject instanceof HttpRequest) {
        HttpRequest httpRequest = (HttpRequest) httpObject;
        log.info("requestPre: " + httpRequest.getUri());
        if (httpRequest.getUri().equals("/health") && httpRequest.getMethod().equals(HttpMethod.GET)) {
            return handleHealth();
        } else if (httpRequest.getUri().equals("/test") && httpRequest.getMethod().equals(HttpMethod.GET)) {
            httpRequest.headers().set("Host", SOURCE_API_HOST);
            return null;
        }
    }
    return null; // any other request is forwarded unchanged
}

private HttpResponse handleHealth() {
    String response = "{\n \"message\": \"OK\",\n \"http_status_code\": 200\n}\n";
    return handleText(response);
}

... so that when I query http://my.poxy.api.foo:8000/health, I receive
{
  "message": "OK",
  "http_status_code": 200
}

My Problem

I want to do the same thing for HTTPS:
 
1)
When I enter:

I want it to return the data from my own API, just as if I queried:

2) 
Additionally, I want the proxy to also return "OK" for my health check:

Unfortunately, in both calls, my proxy server 'hangs.' That is: the debug log says that there is a connection from my browser, but the browser times out, as if no TLS session is started.


Troubleshooting steps:
I originally thought that I needed to add 
.withSslEngineSource(new SelfSignedSslEngineSource(true))
... which did have the TLS start on the connection, however I continually see this stack trace in my log (when I am curling locally, in this case, but the same error arrives in the general case, from a foreign client):
12:01:17,308 [DEBUG] (LittleProxy-ClientToProxyWorker-0) org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL): Enabling encryption of traffic from client to proxy
12:01:17,308 [DEBUG] (LittleProxy-ClientToProxyWorker-1) org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL): Enabling encryption of traffic from client to proxy
12:01:17,312 [DEBUG] (LittleProxy-ClientToProxyWorker-0) org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL): Enabling encryption with SSLEngine: 5f1c73cc[SSLEngine[hostname=null port=-1] SSL_NULL_WITH_NULL_NULL]
12:01:17,312 [DEBUG] (LittleProxy-ClientToProxyWorker-1) org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL): Enabling encryption with SSLEngine: 44f686dc[SSLEngine[hostname=null port=-1] SSL_NULL_WITH_NULL_NULL]
12:01:17,322 [DEBUG] (LittleProxy-ClientToProxyWorker-0) org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL): Created ClientToProxyConnection
12:01:17,322 [DEBUG] (LittleProxy-ClientToProxyWorker-1) org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL): Created ClientToProxyConnection
12:01:17,322 [DEBUG] (LittleProxy-ClientToProxyWorker-0) org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL) [id: 0x089927d0, /127.0.0.1:64860 => /127.0.0.1:8000]: Connected
12:01:17,322 [DEBUG] (LittleProxy-ClientToProxyWorker-1) org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL) [id: 0xe5916223, /127.0.0.1:64861 => /127.0.0.1:8000]: Connected
12:01:17,418 [ERROR] (LittleProxy-ClientToProxyWorker-1) org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL) [id: 0xe5916223, /127.0.0.1:64861 => /127.0.0.1:8000]: Caught an exception on ClientToProxyConnection
io.netty.handler.codec.DecoderException: java.lang.RuntimeException: Delegated task threw Exception/Error
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:257)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:139)
at io.netty.channel.DefaultChannelHandlerContext.invokeChannelRead(DefaultChannelHandlerContext.java:338)
at io.netty.channel.DefaultChannelHandlerContext.fireChannelRead(DefaultChannelHandlerContext.java:324)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:785)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:126)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:485)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:452)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:346)
at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:101)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: Delegated task threw Exception/Error
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:937)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:881)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:837)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:226)
... 10 more
Caused by: java.lang.NullPointerException
at sun.security.ssl.HandshakeMessage$CertificateRequest.<init>(HandshakeMessage.java:1281)
at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:841)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:167)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
at io.netty.util.concurrent.ImmediateExecutor.execute(ImmediateExecutor.java:35)
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:963)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:901)
... 12 more


Is Littleshoot even able to do what I am asking of it? 

If so, what am I missing?

Thank you, sincerely, for your time.

-CH

Ox Cart

Dec 18, 2014, 10:41:01 AM
to littl...@googlegroups.com, cho...@gmail.com
Dear CH,

It's not immediately obvious to me what the problem is. Wireshark would be useful here to debug the TLS handshake between browser and LittleProxy, and also between LittleProxy and your upstream service.

I will say that you shouldn't need to set an SslEngineSource when using MITM.

P.S. I would remove the ChainedProxyManager from your bootstrap, since you're not doing proxy chaining.  As long as you're using MITM, it doesn't have an effect anyway, it just confuses things a little.

Cheers,
Ox
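Putting Ox's two suggestions together, the following is a complete bootstrap with the health-check filter from the first post, without the ChainedProxyManager and without an SslEngineSource. This is an added example, not code from the thread or from the LittleProxy project. It assumes the filter API the post uses (`requestPre` on `HttpFiltersAdapter`; later LittleProxy releases renamed this hook `clientToProxyRequest`), Netty 4.0 header constants, and that `my.source.api.foo` is the upstream API named in the post. The class name `HealthCheckMitmProxy`, the `UPSTREAM_API_HOST` constant and the `json`/`isGet` helpers are mine.

```java
import io.netty.buffer.Unpooled;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpObject;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponse;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.util.CharsetUtil;
import org.littleshoot.proxy.HttpFilters;
import org.littleshoot.proxy.HttpFiltersAdapter;
import org.littleshoot.proxy.HttpFiltersSource;
import org.littleshoot.proxy.HttpFiltersSourceAdapter;
import org.littleshoot.proxy.HttpProxyServer;
import org.littleshoot.proxy.extras.SelfSignedMitmManager;
import org.littleshoot.proxy.impl.DefaultHttpProxyServer;

public class HealthCheckMitmProxy {

    // Upstream API the proxy fronts: the "actual api instance" named in the post (assumed).
    private static final String UPSTREAM_API_HOST = "my.source.api.foo";

    public static void main(String[] args) {
        HttpProxyServer server = DefaultHttpProxyServer.bootstrap()
                .withPort(8000)
                // MITM terminates client TLS with a generated certificate, so no
                // SslEngineSource is set; no ChainedProxyManager, since nothing is chained.
                .withManInTheMiddle(new SelfSignedMitmManager())
                .withFiltersSource(filtersSource())
                .start();
        Runtime.getRuntime().addShutdownHook(new Thread(server::stop));
    }

    static HttpFiltersSource filtersSource() {
        return new HttpFiltersSourceAdapter() {
            @Override
            public HttpFilters filterRequest(HttpRequest originalRequest) {
                return new HttpFiltersAdapter(originalRequest) {
                    @Override
                    public HttpResponse requestPre(HttpObject httpObject) {
                        if (!(httpObject instanceof HttpRequest)) {
                            return null; // body chunks pass through unchanged
                        }
                        HttpRequest request = (HttpRequest) httpObject;
                        // The CONNECT that opens an HTTPS tunnel must pass through so the
                        // MITM handshake can run; the decrypted requests arrive here after it.
                        if (HttpMethod.CONNECT.equals(request.getMethod())) {
                            return null;
                        }
                        if (isGet(request, "/health")) {
                            // Answer locally; nothing is forwarded upstream.
                            return json("{\n \"message\": \"OK\",\n \"http_status_code\": 200\n}\n");
                        }
                        if (isGet(request, "/test")) {
                            // Pin Host to the upstream rather than forwarding the client's value.
                            request.headers().set(HttpHeaders.Names.HOST, UPSTREAM_API_HOST);
                        }
                        return null; // null means: forward to upstream
                    }
                };
            }
        };
    }

    // True for a GET whose path (query string and any absolute-URI prefix removed) equals `path`.
    static boolean isGet(HttpRequest request, String path) {
        if (!HttpMethod.GET.equals(request.getMethod())) {
            return false;
        }
        String uri = request.getUri();
        int q = uri.indexOf('?');
        if (q >= 0) {
            uri = uri.substring(0, q);
        }
        // Requests sent via a configured proxy carry an absolute URI; reverse-proxy style
        // requests (as in the post's curl against port 8000) carry only the path.
        if (uri.startsWith("http://") || uri.startsWith("https://")) {
            int slash = uri.indexOf('/', uri.indexOf("//") + 2);
            uri = slash >= 0 ? uri.substring(slash) : "/";
        }
        return path.equals(uri);
    }

    // Build a complete JSON response with an explicit Content-Length so the client
    // does not wait for more data (the "hang" symptom from the post).
    static HttpResponse json(String body) {
        DefaultFullHttpResponse response = new DefaultFullHttpResponse(
                HttpVersion.HTTP_1_1, HttpResponseStatus.OK,
                Unpooled.copiedBuffer(body, CharsetUtil.UTF_8));
        response.headers().set(HttpHeaders.Names.CONTENT_TYPE, "application/json; charset=utf-8");
        response.headers().set(HttpHeaders.Names.CONTENT_LENGTH, response.content().readableBytes());
        response.headers().set(HttpHeaders.Names.CONNECTION, "close");
        return response;
    }
}
```

Two points worth checking when running this: `SelfSignedMitmManager` signs with its own generated CA, so the browser or curl on the client side has to trust that CA (or curl must be run with verification disabled during local testing) before the HTTPS handshake will complete; and the `/health` short-circuit returns a full response with `Content-Length`, which is what lets the client close cleanly instead of timing out.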

Chris Hoffman

Dec 20, 2014, 11:13:40 AM
to littl...@googlegroups.com
Thanks for your time, Ox.

I'll dive in with Wireshark and report back.

--
You received this message because you are subscribed to the Google Groups "LittleProxy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to littleproxy...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Raju Boopathi

Apr 27, 2015, 12:43:14 AM
to littl...@googlegroups.com
Hi Chris,

Were you able to fix the error? I am getting the same error.

Cheers
Raju