Hi,
I have an old Debian box running 5.0, and it has OpenSSL 0.9.8g 19 Oct 2007. It runs a billing application that cannot be upgraded. The payment processor has announced that they are cutting off support for < TLS1.2, and so that means this app is going to stop working. Seems to be a lot of this going around, doesn't it?
I am trying to determine how or if mitmproxy can be used to provide a suitable solution so that this app can continue working. I have resolved a number of issues and have correct certificates and such on this ancient host, and can, with proxy settings, 'wget' certain sites without issue. The age of the system is a limitation in that the SSL libs don't appear to support SNI, and this appears to be an issue that prevents me from working. I am running mitmproxy --ssl-insecure -v --listen-host x.x.x.x. (Altered wget command lines due to forum limiting 'links' to 2...)
- wget --secure-protocol=TLSv1 xhttpsx://non-wildcard-cert-site
This works. The site has an SN matching its name and mitmproxy gives me the interception.
- wget --secure-protocol=TLSv1 xhttpsx://hosted-ssl-site-with-wildcard-cert
This does not work. The site certificate returned is that of the host and not the requested hostname; wget complains the certificate common name doesn't match the requested hostname. Makes sense.
- wget --no-check-certificate --secure-protocol=TLSv1 xhttpsx://hosted-ssl-site-with-wildcard-cert
This works. mitmproxy complains "Certificate verification error for None: hostname 'no-hostname' doesn't match ..." but since I'm running mitmproxy with 'ssl-insecure', it continues and works.
- wget --no-check-certificate --secure-protocol=TLSv1 xhttpsx://www.authorize.net
(real URL). This does not work; I get '502 Bad Gateway' on the client, and mitmproxy complains:
<< Cannot establish TLS with www.authorize.net:443 (sni: None): TlsException("SSL handshake error: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')],)",)
So my ultimate target is the last one (a related subdomain, actually), and I don't know what I would need to do here to make this also work. Would appreciate any help I can solicit.
Thank you.
Mike
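As an added diagnostic (not part of Mike's post or of mitmproxy), a small Python parser for a TLS ClientHello that reports the offered protocol version and whether a server_name (SNI) extension is present, the two things behind the "sni: None" in the mitmproxy log above. The sample hellos are constructed inside the block, not captured from the box.

```python
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello; report version, cipher suites and SNI."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                    # skip the 32-byte client random
    pos += 1 + hello[pos]                           # skip length-prefixed session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                           # skip compression methods
    sni = None
    if pos + 2 <= len(hello):                       # extensions are optional; old stacks omit them
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type == 0 and len(data) >= 5 and data[2] == 0:   # server_name, host_name entry
                sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii")
    return {"version": TLS_VERSIONS.get(version, hex(version)), "cipher_suites": ciphers, "sni": sni}

def build_client_hello(version: int, ciphers: list, sni=None) -> bytes:
    """Construct a minimal ClientHello record as test input (not a real capture)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # one host_name entry
        ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!H", len(ext)) + ext
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"       # version, random, empty sid
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00" + exts)                                       # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples: a TLSv1.0 hello with no extensions (so no SNI, as in the post) and a
# TLSv1.2 hello that names the host. Cipher ids are IANA values, e.g. 0x002F = RSA-AES128-SHA.
LEGACY_HELLO = build_client_hello(0x0301, [0x002F, 0x0035], None)
MODERN_HELLO = build_client_hello(0x0303, [0xC02F, 0x009C], "www.authorize.net")
```

Feeding the legacy client's real ClientHello (for example from a packet capture on the proxy's listen port) to parse_client_hello shows directly whether the upstream failure is a missing SNI, an unsupported version, or both.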