Using mitmproxy to "bump" up SSL security for old application

Hi guys, we have an old program that we use to batch upload credit card payments. Daily, it uploads a file to our credit card processor with that day’s customer CC data. Unfortunately it uses tls 1.1 (1.0?) to do so. Our cc processor recently announced that they will (rightfully) be dropping support for that.

So, we were hoping to use MITMproxy to “bump” up this software’s comms to 1.2. Does MITMproxy support this? How would I accomplish that?

So basically:

old software -> tls1.1 -> mitmproxy -> 1.2 -> internet -> payment processor

Thanks!

So, we were hoping to use MITMproxy to “bump” up this software’s comms to 1.2. Does MITMproxy support this?

Yes. This is supported and encouraged. You would just run mitmproxy as a regular or reverse proxy (depends on what you can configure easily). Mitmproxy will negotiate the strongest possible encryption individually on both ends. One caveat is that your client needs to send a Server Name Indication TLS extension, which may not be the case with very old software (Cannot validate certificate hostname without SNI · Issue #1846 · mitmproxy/mitmproxy · GitHub).

That worked!
Now, I need help with another matter (and can create a new thread if you want). Apparently, as part of the switch to TLS 1.2, our payment processor has a new domain that we need to communicate with. There’s no easy way to switch to the new domain as it is hardcoded in our software. Can mitmproxy do this for us?

Old url - https://www.myvirtualmerchant.com/VirtualMerchant/processxml.do

New url - https://api.convergepay.com/VirtualMerchant/processxml.do

I tried this script (named myscript.py, and ran with the -s command):

import mitmproxy
from mitmproxy.models import HTTPResponse
from netlib.http import Headers
def request(flow):

if flow.request.pretty_host.endswith("myvirtualmerchant.com"):
        mitmproxy.ctx.log( flow.request.path )
        method = flow.request.path.split('/')[3].split('?')[0]
        flow.request.host = "api.convergepay.com"
        flow.request.port = 443
        flow.request.scheme = 'https'
        flow.request.headers["Host"] = "api.convergepay.com"

I then got this error i.imgurDOTCOM/z3cRWHW.png

(it would only let me submit 2 links in my post, remove DOTCOM)

help! thanks

Not sure where you have your example from, but this looks a bit outdated. Take a look at https://github.com/mitmproxy/mitmproxy/blob/master/examples/simple/redirect_requests.py

You don’t need the imports at all based on what I see.

I gave that script a try, while it definitely runs, it does not seem to work.

"""
This example shows two ways to redirect flows to another server.
"""
from mitmproxy import http


def request(flow: http.HTTPFlow) -> None:
# pretty_host takes the "Host" header of the request into account,
# which is useful in transparent mode where we usually only have the IP
# otherwise.
if flow.request.pretty_host == "myvirtualmerchant.com":
    flow.request.host = "api.convergepay.com"

When I go to myvirtualmerchant.com, it does not forward me to the new site like it should. It simply takes me to the old site, it’s almost like script isn’t there at all. No change.

What kind of “forward” do you expect? You should not see anything client side. If you want to send a HTTP 302 Redirect, take a look at https://github.com/mitmproxy/mitmproxy/blob/master/examples/simple/send_reply_from_proxy.py.