Struggling with TLS

There are a lot of issues concerning TLS and handshakes failures, due to HSTS, PKP or Android’s policy concerning user certificate.

I was wondering if it’s possible to disable TLS handshake by the client, redirect him via a 302 to an http connection and handle the TLS handshake by the proxy with the destination server (so that the communication between the client and the proxy is http, the communication between the proxy and the server is httpS).

I’m struggling with mitmproxy to make that up, with a transparent proxy. The TLS handshake seems to happen even before the ‘request’ event is called, so I can’t make my 302 …

Thank you

I’m struggling with mitmproxy to make that up, with a transparent proxy. The TLS handshake seems to happen even before the ‘request’ event is called, so I can’t make my 302 …

Yes - this is precisely how TLS works. If the clients wants to connect using TLS, we can’t perform a downgrade attack on the client. If we try to intercept and that fails, the browser will (rightfully) always serve a security warning.

Yes I just understood that TLS happens on the session layer … Do you know if I can still tell the client not to use the mitmproxy certificate if there is a handshake failure (so that I can still use my Android apps for instance, even without seeing the secured traffic) ?
Thank you for your always gentle answers :wink:

Hi,

In the simplest case, you can just use mitmproxy’s ignore feature: https://docs.mitmproxy.org/stable/howto-ignoredomains/

If you need something more automated, take a look at https://github.com/mitmproxy/mitmproxy/blob/master/examples/complex/tls_passthrough.py. :slight_smile: