[Twisted-Python] HTTPS proxy with twisted?

Phil Mayers p.mayers at imperial.ac.uk
Mon Mar 12 11:33:34 EDT 2012


On 11/03/12 16:18, Steve Chapel wrote:

> I will need to write an HTTPS proxy, which will examine the certificates
> sent from the web server and determine whether the certificate is valid
> or invalid. If the proxy determines if the certificate is valid, I will
> need to resign the document. I suppose this will require that the proxy
> be a certificate authority and will generate certificates for websites,
> which the proxy will then use to sign the documents. Will this be
> something that twisted can do easily? If so, where can I find
> documentation for how to do this?

This is a pretty hard question to answer in this form, and depends on 
what you mean by "easily". Since you say it's classwork I'm reluctant to 
say too much, but...

Fundamentally, the only "difficult" bit of this project in terms of 
Twisted capabilities is finding the original destination address of your 
intercepted connections (so that you can do a "lookaside" connection and 
verify / impersonate the far-end cert).

Presumably you'll be using something like Linux/IPTables to do this:

iptables -t nat -A PREROUTING \
   -p tcp --dport 443 -j REDIRECT --to-port <twisted>


In that case, you can find the original destination address by calling:

SO_ORIGINAL_DST = 80  # from linux/netfilter_ipv4.h; not exported by Python's socket module
self.transport.getHandle().getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)

...in your transport "connectionMade". You will presumably then want to 
start up an SSL connection to the original IP (or draw from cache) to 
find the far-end cert attributes (note: plural), call out to your local 
MITM CA for an impersonated cert/key, then call startTLS in server mode 
using a context holding the fake cert/key.

This isn't very hard, and Twisted has everything you need (accept TCP 
connections, make outgoing SSL, find server certs, call out to 
subprocess, startTLS in server mode) except the SO_ORIGINAL_DST stuff 
(which is easy to add in).

Anyway, I hope this helps; good luck with the assignment!

Cheers,
Phil
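As an added illustration of the SO_ORIGINAL_DST lookup Phil describes (not code from the original thread or from Twisted itself): the option returns a raw 16-byte struct sockaddr_in, which has to be decoded by hand. This assumes Linux (SO_ORIGINAL_DST is 80 in linux/netfilter_ipv4.h) and a Twisted TCP transport whose getHandle() returns the underlying socket; the sample address bytes are constructed for the demonstration.

```python
import socket
import struct

# Linux-only: SO_ORIGINAL_DST lives in linux/netfilter_ipv4.h and is not
# exported by Python's socket module, so the numeric value is spelled out.
SO_ORIGINAL_DST = 80


def parse_sockaddr_in(raw: bytes) -> tuple:
    """Decode the 16-byte struct sockaddr_in that SO_ORIGINAL_DST returns.

    Layout: sin_family (2 bytes, host order), sin_port (2 bytes, network
    order), sin_addr (4 bytes), then 8 bytes of zero padding.
    """
    if len(raw) != 16:
        raise ValueError("expected 16-byte sockaddr_in, got %d bytes" % len(raw))
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr (family=%d)" % family)
    (port,) = struct.unpack("!H", raw[2:4])
    ip = socket.inet_ntoa(raw[4:8])
    return ip, port


def build_sockaddr_in(ip: str, port: int) -> bytes:
    """Constructed test data: pack an address the way the kernel would."""
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(ip)
            + b"\x00" * 8)


def get_original_dst(sock) -> tuple:
    """Ask the kernel where a REDIRECTed connection was really headed.

    `sock` is anything with a socket-style getsockopt(); in Twisted that is
    self.transport.getHandle() inside connectionMade().
    """
    raw = sock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    return parse_sockaddr_in(raw)


def original_dst_for_transport(transport) -> tuple:
    """Convenience wrapper for a Twisted TCP transport (assumed getHandle())."""
    return get_original_dst(transport.getHandle())
```

The (ip, port) pair is what the lookaside connection should go to; if getsockopt raises OSError the connection did not arrive via the REDIRECT rule and should not be treated as intercepted.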


