SSL and MITM


Brian Krupp

Jan 7, 2015, 10:07:00 PM
to littl...@googlegroups.com
Is it possible to have LittleProxy use a provided CA and issue new certificates signed by the CA for each site? I'm looking for similar functionality that you would find in BurpSuite.

Jovan Jovanovic

Jan 16, 2015, 5:54:23 PM
to littl...@googlegroups.com
Yes, it is. First you need to install your CA into the Root Keystore of your OS. Then you need to generate a separate public/private key pair for each domain and sign them with your CA. Personally I prefer the .p12 format, which holds both public and private keys. Take a look at SelfSignedSslEngineSource - initializeKeyStore(). This is the place where you can import your .p12 certificates.
Then, the way I did it, I had a separate keystore per domain (and per .p12 cert), so when implementing MitmManager I had something like this:

public SSLEngine clientSslEngineFor(SSLSession serverSslSession) {
    // Look up the request bound to the server-side SSL session under the name "request"
    HttpRequest request = (HttpRequest) serverSslSession.getValue("request");
    String host = request.headers().get("Host");
    // One keystore (holding one .p12 certificate) per intercepted domain
    if ("www.netflix.com".equals(host)) {
        localProxySslEngineSource = new LocalProxySslEngineSource("localproxy_netflix.jks", true, true, host);
    } else if ("www.linkedin.com".equals(host)) {
        localProxySslEngineSource = new LocalProxySslEngineSource("localproxy_linkedin.jks", true, true, host);
    }
    ...
    return localProxySslEngineSource.newSslEngine();
}

Brian Krupp

Jan 19, 2015, 9:48:05 PM
to littl...@googlegroups.com
Thanks Jovan, I actually ended up doing this a different way where I generate the CA via openssl, and then each certificate is generated on the fly programmatically and signed by the CA. The Keystore is then maintained in memory and as it grows, certificates and keys can be removed from it.

If anyone is interested in this solution, you can shoot me a message on twitter @briankrupp and I can share the code with you.
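
The approach described in the message above (a leaf certificate minted per host at run time, signed by the CA, held in a bounded in-memory store), as an added example that is not Brian's code and not part of LittleProxy. It assumes Bouncy Castle (bcprov and bcpkix) on the classpath, an RSA CA certificate and key loaded by the caller, and the hypothetical class name PerHostSslContexts; the 256-entry bound and 30-day validity are arbitrary choices.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
/** Hypothetical helper (not LittleProxy API): one leaf certificate per host, signed by a test CA. */
public class PerHostSslContexts {
    private static final char[] PW = "in-memory".toCharArray(); // key store never touches disk
    private final X509Certificate caCert;
    private final PrivateKey caKey; // assumed to be an RSA key
    private final Map<String, SSLContext> cache = new LinkedHashMap<String, SSLContext>(16, 0.75f, true) {
        @Override protected boolean removeEldestEntry(Map.Entry<String, SSLContext> e) { return size() > 256; }
    }; // access-ordered: the least recently used host is evicted past 256 entries (assumed bound)
    public PerHostSslContexts(X509Certificate caCert, PrivateKey caKey) { this.caCert = caCert; this.caKey = caKey; }

    /** host must be a bare DNS name: strip any ":port" from the Host header before calling. */
    public synchronized SSLContext contextFor(String host) throws Exception {
        SSLContext ctx = cache.get(host);
        if (ctx == null) cache.put(host, ctx = mint(host));
        return ctx;
    }
    private SSLContext mint(String host) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        long now = System.currentTimeMillis(), day = 86_400_000L;
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(caCert,
                new BigInteger(127, new SecureRandom()), new Date(now - day), new Date(now + 30 * day),
                new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.CN, host).build(), kp.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); // leaf, not a CA
        b.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
        b.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.dNSName, host))); // clients match on SAN
        X509Certificate leaf = new JcaX509CertificateConverter()
                .getCertificate(b.build(new JcaContentSignerBuilder("SHA256withRSA").build(caKey)));
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // empty key store, created in memory only
        ks.setKeyEntry(host, kp.getPrivate(), PW, new X509Certificate[] {leaf, caCert});
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PW);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }
}
```

Calling createSSLEngine() on the returned context and putting the engine in server mode with setUseClientMode(false) yields the client-facing engine.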

Jeryl Cook

Feb 11, 2015, 7:55:49 PM
to littl...@googlegroups.com
Hi Brian,
Could you please share the code with me? I would greatly appreciate it! jeryl...@vanity-soft.com

Thank you!!

beam...@gmail.com

May 1, 2015, 11:23:45 AM
to littl...@googlegroups.com
Could you please send me a copy? Thanks a lot, beam...@gmail.com

On Thursday, January 8, 2015 at 11:07:00 AM UTC+8, Brian Krupp wrote:

beam...@gmail.com

May 1, 2015, 11:23:44 AM
to littl...@googlegroups.com
A copy to me? Thanks a lot. beam...@gmail.com

On Tuesday, January 20, 2015 at 10:48:05 AM UTC+8, Brian Krupp wrote:

je...@outlook.com

May 3, 2015, 11:16:21 PM
to littl...@googlegroups.com
Hi Brian,

Do you have a copy of your code on GitHub or another public location? This is exactly the sort of thing we'd like to do in BrowserMob Proxy (which uses LittleProxy).

Thanks-
Jason

Gustavo Morales

Aug 3, 2016, 11:33:46 AM
to LittleProxy
Hey Brian, I'm interested in your solution, could you share the code with me? My email: morales....@gmail.com

Idan Slonimsky

Oct 31, 2016, 2:52:59 PM
to LittleProxy
Hi Brian,

Could you please share your code with me as well?
ida...@gmail.com

Thanks!