How do I enable mTLS in mitmproxy for client to Proxy connection? - mitmproxy

There is a client_certs option for mTLS between the proxy and external websites, but I don't see any option to enforce client authentication for the client-to-proxy connection.
Any help, pointers would be appreciated. Thanks

mitmproxy does not support mutual TLS between client and proxy at the moment (version 8.1.1).

Related

Can ssl handshake be established only with client certification validation instead of server certificate validation?

From my browser I want to communicate with a localhost application using SSL. Here the browser (which acts as the client) will submit the certificate instead of the localhost application (which acts as the server). Can SSL be established in this scenario? So finally it boils down to the problem statement: can an SSL communication be established with the server validating the client certificate and the client not validating the server certificate?
The SSL/TLS implementation inside the browser does not support this scenario. A server certificate is always required by the browser with SSL/TLS in order to be sure that the browser is communicating with the expected server (as specified in the URL) and not some man in the middle. Apart from that it is not clear what you want to achieve with such a setup in the first place - maybe there is a better design for your unknown use case.

Converse.js - Prosody bosh not offering supported authentication mechanism

Converse.js successfully makes requests to Prosody bosh but the chat client never actually connects. In the console I can see it hitting the bosh endpoint and after each request it outputs to the console:
"Server did not yet offer a supported authentication mechanism. Sending a blank poll request."
I can hit the bosh endpoint from my browser as well, the proxy pass appears to be working as intended and bosh is running and responding to requests.
Any insight is much appreciated.
I came across this issue as well while using the fullpage demo. The problem was that Prosody was forcing encrypted authentication for the client side.
I recommend going into the config file /etc/prosody/prosody.cfg.lua
Look for the code
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
c2s_require_encryption = true
By default for me this was set to true; change this to false:
c2s_require_encryption = false
Save it and restart Prosody:
systemctl restart prosody
You could also do
prosodyctl restart
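The following is an added example, not code from either answer in this thread. It places the setting the answer above turns off next to a configuration that keeps Prosody's encryption-required authentication, and adds a small audit function that flags the weak variant in a config file. The hardened variant assumes the reverse proxy in front of Prosody terminates HTTPS for the BOSH endpoint and forwards plain HTTP to Prosody, which is the situation consider_bosh_secure exists for; with that option Prosody treats those BOSH sessions as encrypted and offers SASL mechanisms without dropping the requirement for everyone else.

```shell
#!/bin/sh
# Added example, not from the thread. Writes two Prosody config fragments and
# audits them; the consider_bosh_secure setting assumes HTTPS is terminated by a
# reverse proxy in front of Prosody's BOSH port.

# The change the answer above makes: Prosody now accepts authentication over
# unencrypted c2s connections and over plain-HTTP BOSH.
write_weak_cfg() {
  cat >"$1" <<'EOF'
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
c2s_require_encryption = false
EOF
}

# Keeps the requirement. Prosody only ever sees plain HTTP from the reverse
# proxy, so it is told that those BOSH connections count as secure.
write_hardened_cfg() {
  cat >"$1" <<'EOF'
c2s_require_encryption = true
-- The reverse proxy terminates HTTPS for /http-bind and forwards plain HTTP.
consider_bosh_secure = true
EOF
}

# Prints "weak" when the file allows authentication without encryption
# (encryption requirement disabled, or PLAIN allowed over cleartext), "ok"
# otherwise. Lua comments are stripped first so a commented-out line does not
# trigger a hit.
audit_prosody_cfg() {
  if sed 's/--.*$//' "$1" \
     | grep -Eq '^[[:space:]]*(c2s_require_encryption[[:space:]]*=[[:space:]]*false|allow_unencrypted_plain_auth[[:space:]]*=[[:space:]]*true)'
  then
    echo weak
  else
    echo ok
  fi
}

WORK=$(mktemp -d)
write_weak_cfg "$WORK/weak.cfg.lua"
write_hardened_cfg "$WORK/hardened.cfg.lua"
echo "weak.cfg.lua:     $(audit_prosody_cfg "$WORK/weak.cfg.lua")"
echo "hardened.cfg.lua: $(audit_prosody_cfg "$WORK/hardened.cfg.lua")"
rm -rf "$WORK"
```

Run it against /etc/prosody/prosody.cfg.lua with audit_prosody_cfg to see which variant a server is on; a "weak" result means credentials may travel in cleartext on the c2s port, not just on BOSH.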
The error message is quite clear. Prosody is not offering a SASL authentication mechanism supported by Converse.
By default Converse supports SCRAM-SHA1, DIGEST-MD5 and PLAIN.
Your XMPP server needs to support one of these.

Vault Client communication when TLS is enabled

I set up a Vault server (not in dev mode) with a keystore, following the section of this link - http://cloud.spring.io/spring-cloud-vault/single/spring-cloud-vault.html
I am able to start the server now with TLS enabled. My question is simple: how do I get the Vault client to communicate with the server?
Vault has an auth backend to validate against a role using TLS, but to reach that point I think I would first have to make the client connection. Can someone please throw some light on this?

Connect to ejabberd server using a certificate

I want to connect to my ejabberd server from another machine using a certificate instead of a login/password. I've looked for client-to-server authentication with a certificate for ejabberd, but I couldn't find anything helpful.
If anyone has any ideas how it can be done, I'm all ears.
As of version 16.02, ejabberd Community Server does not yet support client cert authentication.
However, if your question is about communication encryption, you can indeed configure ejabberd with STARTTLS support to use TLS between client and server. A service like Let's Encrypt can provide such certificates for free: https://letsencrypt.org/

How to create Man in the Middle instrumentation

I'm trying to see how a certain application is talking to a server in SSL. Basically, the process just hangs when it claims to have done some SSL communication. I want to debug the problem by catching the traffic, but I can't really use a sniffer since SSL will probably look like a hexdump.
Is there a good man-in-the-middle tool that I could use as instrumentation? I just need something that will show me the decrypted communication. Hopefully very easy to setup. I could even point the application to any IP address/port available to my machine (eg localhost:8888), so proxies would be fine. Also, I can probably configure the application to accept any certificate.
What do you use to simulate a man-in-the-middle (mitm) SSL attack?
UPDATE: I tried Fiddler and can't get it to work. I installed OpenSSL and typed the following command:
openssl s_client -connect smtp.gmail.com:465
Gmail responds with their certificate and a 220 mx.google.com ESMTP .... However, Fiddler does not capture the traffic. I set the WinINET options in Fiddler to "Use the same proxy server for all protocols". Can anyone else get this to work (or not work)? I think I need to find a way to have OpenSSL use a proxy.
Fiddler allows you to implement a man in the middle attack against yourself to see what is inside the SSL tunnel.
Fiddler generates a unique root SSL certificate for your computer, and then creates a session certificate signed by the root. When you configure Fiddler to decrypt SSL for you it acts as a proxy between you and the destination, decrypting the traffic using the site's SSL certificate and then re-encrypting it using its own certificate.
Your browser/application will see an untrusted certificate error. You can get around this error by choosing to trust Fiddler's root certificate.
The folks over at .NET Rocks did a great podcast episode on using Fiddler to sniff your traffic.
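The following is an added example; it is not code from any answer on this page and not Fiddler's or mitmproxy's own implementation. It uses the openssl CLI as a stand-in for both parties so that the two trust questions on this page can be watched on one machine: the interception proxy the answer above describes, presenting a leaf for a real hostname that was minted by its own root CA, and (going beyond this thread) the listener that insists on a client certificate which the first question wanted between client and mitmproxy. The CA names, the port and the one-day lifetimes are arbitrary choices; the temporary keys are generated in a scratch directory and deleted at the end.

```shell
#!/bin/sh
# Added example, not from any answer on this page. openssl s_server plays the
# listener, openssl s_client the application. Port and names are arbitrary.
set -u
PORT=${DEMO_PORT:-48433}

# Self-signed root: $1 = file prefix, $2 = subject CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Leaf signed by a root: $1 = file prefix, $2 = subject CN, $3 = root prefix.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$3.crt" \
    -CAkey "$WORK/$3.key" -CAcreateserial -out "$WORK/$1.crt" >/dev/null 2>&1
}

setup() {
  WORK=$(mktemp -d)
  make_ca realca  "Real CA"                  # the root the application trusts
  make_ca proxyca "Interception proxy root"  # the root the proxy generated for itself
  issue server localhost   realca            # the genuine server certificate
  issue forged localhost   proxyca           # the proxy's look-alike for the same name
  issue client demo-client realca            # a client certificate for the mTLS case
}
cleanup() { rm -rf "$WORK"; }

# Start s_server on $PORT with certificate prefix $1; remaining args go to s_server.
# -www makes it answer an HTTP GET with a status page once the handshake succeeds.
start_listener() {
  cert=$1; shift
  openssl s_server -accept "$PORT" -cert "$WORK/$cert.crt" -key "$WORK/$cert.key" \
    -www "$@" >/dev/null 2>&1 &
  LISTENER_PID=$!
  sleep 1
}
stop_listener() {
  kill "$LISTENER_PID" 2>/dev/null || true
  wait "$LISTENER_PID" 2>/dev/null || true
  sleep 1
}

# Connect with the given s_client args; print "accepted" when the listener served
# its status page, "rejected" when the handshake failed on either side.
# -verify_return_error aborts on an untrusted chain instead of only logging it;
# -ign_eof keeps s_client reading until the server closes the connection.
try_connect() {
  if printf 'GET / HTTP/1.0\r\n\r\n' \
     | openssl s_client -connect "127.0.0.1:$PORT" -verify_return_error -ign_eof "$@" 2>/dev/null \
     | grep -q '200 ok'
  then echo accepted
  else echo rejected
  fi
}

setup

# 1. Listener that requires a client certificate chained to the real CA (-Verify 1).
start_listener server -CAfile "$WORK/realca.crt" -Verify 1
echo "mTLS, no client cert:    $(try_connect -CAfile "$WORK/realca.crt")"
echo "mTLS, with client cert:  $(try_connect -CAfile "$WORK/realca.crt" \
                                  -cert "$WORK/client.crt" -key "$WORK/client.key")"
stop_listener

# 2. Interception: the listener presents the forged leaf. A client that trusts only
#    the real CA refuses it; one that has installed the proxy's root accepts it.
start_listener forged
echo "MITM, trusts real CA:    $(try_connect -CAfile "$WORK/realca.crt")"
echo "MITM, trusts proxy root: $(try_connect -CAfile "$WORK/proxyca.crt")"
stop_listener
cleanup
```

The second pair of lines is the situation the answer above describes: the application errors out on the proxy's certificate until the proxy root is added to its trust store, which is exactly why an interception setup has to touch the client's trust configuration and why an application that "accepts any certificate" is already exposed to anyone on the path. The first pair shows the behaviour a client-authenticating listener produces, which is what a front-end terminating mTLS ahead of a proxy would need to do.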
I haven't used it for this purpose, but Fiddler should be able to do what you want.
Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language. Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.
If you are using the amazingly useful Wireshark sniffer, then you can have it decrypt SSL if you are able to provide it the appropriate key files.