I am trying to implement a transparent HTTPS proxy, i.e. a proxy that can decrypt TLS/SSL-encrypted messages. I'm using the OpenSSL library and having a lot of trouble getting started and would appreciate any and all advice.
Something to note is that I have no intentions of making it publically usable, so I am happy to create my own CA and have my machine unconditionally trust it, or receive warnings from my browser (Using Firefox on OS X). Also, I am aware of the openssl command-line tool, but I am trying to use the C libraries, and stay away from the tool. If there is a good reason to use the tool, please let me know.
Right now, I am just trying to get the proxy to act as a server to a single client. I am trying to generate a single certificate and encrypt/decrypt messages to that client. Next, I will implement client functionality to communicate with servers, and continue to use the one certificate with the client. From what I have gathered, this should still work, but the browser will provide warnings.
The end goal is to dynamically generate and re-use certificates for all new hosts so there are no warnings. However, I am still stuck at the first step. I do not even understand how a single self-signed certificate could work for more than 1 host at all, but my best attempt at trying to make such a certificate is creating one with the Subject Common Name (CN) as *. Currently, I have been testing just using curl, and specifying the certificate with --cacert. However, I know curl can have some odd behavior, so let me know if I should start testing with my browser, even for just one client.
Any advice or instruction, even just how to create such a certificate, would be very appreciated. Additionally, guidance to other subreddits where this may receive more traction/support would be appreciated as well.
No comments:
Post a Comment