HTTPS
=========

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section <HTTPS_step1>`
    * :ref:`Terminology <HTTPS_step2>`
    * :ref:`Version Info <HTTPS_step3>`
    * :ref:`High Level Protocol Setup <HTTPS_step4>`
    * :ref:`Experimental Setup <HTTPS_step5>`
    * :ref:`SW Info <HTTPS_step6>`
    * :ref:`Application <HTTPS_step7>`
    * :ref:`Libraries <HTTPS_step8>`
    * :ref:`Steps <HTTPS_step9>`
    * :ref:`Setup HTTPS Proxy server on Ubuntu <HTTPS_step10>`
    * :ref:`Connecting HTTPS Proxy server to client <HTTPS_step11>`
    * :ref:`Squid Configuration <HTTPS_step20>`
    * :ref:`Protocol <HTTPS_step12>`
    * :ref:`Test Cases <HTTPS_step21>`
    * :ref:`Frame Sequence <HTTPS_step13>`
    * :ref:`Wireshark Capture <HTTPS_step14>`
    * :ref:`Packets <HTTPS_step15>`
    * :ref:`Packet 1 <HTTPS_step16>`
    * :ref:`Packet 2 <HTTPS_step17>`
    * :ref:`FAQs <HTTPS_step18>`
    * :ref:`Reference links <HTTPS_step19>`

.. _HTTPS_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _HTTPS_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _HTTPS_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _HTTPS_step4:

.. tab-set::

    .. tab-item:: High Level Protocol Setup

        * High Level Protocol Setup

.. _HTTPS_step5:

.. tab-set::

    .. tab-item:: Experimental Setup

        * Experimental Setup

.. _HTTPS_step6:

.. tab-set::

    .. tab-item:: SW

.. _HTTPS_step7:

.. tab-set::

    .. tab-item:: Application

        * Application

.. _HTTPS_step8:

.. tab-set::

    .. tab-item:: Libraries

        * Libraries

.. _HTTPS_step9:

.. tab-set::

    .. tab-item:: Steps

.. _HTTPS_step10:

.. tab-set::

    .. tab-item:: Setup HTTPS Proxy server on Ubuntu.

        * Step-1 : Find the IP address of the Ubuntu machine

          .. code-block:: shell

              test:~$ ifconfig
              docker0: flags=4099 mtu 1500
                      inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
                      ether 02:42:c2:a4:22:08 txqueuelen 0 (Ethernet)
                      RX packets 0 bytes 0 (0.0 B)
                      RX errors 0 dropped 0 overruns 0 frame 0
                      TX packets 0 bytes 0 (0.0 B)
                      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

              enp0s31f6: flags=4163 mtu 1500
                      inet 10.91.239.13 netmask 255.255.255.0 broadcast 10.91.239.13
                      inet6 fe80::bb87:2721:82b8:f6cd prefixlen 64 scopeid 0x20
                      ether e4:54:e8:4e:e4:b9 txqueuelen 1000 (Ethernet)
                      RX packets 10426884 bytes 7818062595 (7.8 GB)
                      RX errors 0 dropped 0 overruns 0 frame 0
                      TX packets 3605750 bytes 434038103 (434.0 MB)
                      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
                      device interrupt 16 memory 0xdf000000-df020000

              lo: flags=73 mtu 65536
                      inet 127.0.0.1 netmask 255.0.0.0
                      inet6 ::1 prefixlen 128 scopeid 0x10
                      loop txqueuelen 1000 (Local Loopback)
                      RX packets 1097677 bytes 88297298 (88.2 MB)
                      RX errors 0 dropped 0 overruns 0 frame 0
                      TX packets 1097677 bytes 88297298 (88.2 MB)
                      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

          * To find the IP address of your Ubuntu machine, use the ifconfig command.
          * From the output of the ifconfig command, for example, 10.91.239.13 is used as the Proxy Server IP.
          * This Proxy Server IP is used when connecting a client to the HTTPS proxy server.

        * Step-2 : Install Squid Proxy Server on Ubuntu

          .. code-block:: shell

              test:~$ pwd
              /home/test
              test:~$ sudo apt update
              test:~$ sudo apt install squid

        * Step-3 : Verify the installation

          .. code-block:: shell

              test:~$ squid -v

        * Step-4 : Before editing the configuration file

          1. Generate an SSL certificate. SSL bumping requires the proxy to decrypt SSL traffic, so you need a self-signed SSL certificate.

             .. code-block:: shell

                 test:~$ sudo mkdir -p /etc/squid/ssl_cert
                 test:~$ sudo openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /etc/squid/ssl_cert/squid.key -out /etc/squid/ssl_cert/squid.crt

             * You will be prompted to enter some information. You can leave it as the default or provide your information.

          2. Set proper permissions for the SSL key and certificate.

             .. code-block:: shell

                 test:~$ sudo chmod 400 /etc/squid/ssl_cert/squid.key
                 test:~$ sudo chmod 444 /etc/squid/ssl_cert/squid.crt

        * Step-5 : Edit the Squid configuration file

          .. code-block:: shell

              test:~$ sudo nano /etc/squid/squid.conf

              # Specify the port for Squid to listen on, using the certificate and key generated in Step-4
              https_port 3129 tls-cert=/etc/squid/ssl_cert/squid.crt tls-key=/etc/squid/ssl_cert/squid.key

              # Define an ACL for the client (replace with your client's IP)
              acl client_ip src 192.168.0.37    # this could be the actual IP of the client

              # Define safe ports for HTTP and HTTPS
              acl safe_ports port 80            # HTTP port (http://)
              acl safe_ports port 443           # HTTPS port (https://)
              acl safe_ports port 1025-65535    # allow higher ports

              # Refuse requests to ports outside safe_ports. http_access rules are checked in
              # order and the first match wins, so "allow safe_ports" here would admit every client.
              http_access deny !safe_ports

              # Allow the client IP to access the proxy
              http_access allow client_ip

              # Deny all other clients from accessing the proxy
              http_access deny all

              # SSL bumping rules (checked in order; "bump all" matches first)
              ssl_bump bump all
              ssl_bump splice all
              ssl_bump terminate all

              # Logging and cache settings (optional)
              access_log /var/log/squid/access.log
              cache_dir ufs /var/spool/squid 100 16 256    # default cache directory with 100MB space
              visible_hostname sysadmin                    # optional

          * NOTE : Comment out all other lines in the file and save only the lines shown above.

        * Step-6 : Start the Squid server

          .. code-block:: shell

              test:~$ sudo systemctl restart squid
              test:~$ sudo systemctl enable squid
              test:~$ sudo systemctl status squid

          * NOTE : If the server is not running, check the logs with ``sudo journalctl -u squid`` or ``sudo systemctl status squid`` and fix the errors.

        * Step-7 : Allow connections on port 3129 (HTTPS port)

          .. code-block:: shell

              test:~$ sudo ufw allow 3129

        * Step-8 : Check that the server is listening on the port

          .. code-block:: shell

              test:~$ sudo netstat -tuln | grep 3129
              tcp        0      0 0.0.0.0:3129            0.0.0.0:*               LISTEN
              tcp6       0      0 :::3129                 :::*                    LISTEN

.. _HTTPS_step11:

.. tab-set::

    .. tab-item:: Connecting client to HTTPS Proxy server

        * Step-1 : Find the IP address of the client machine.

          .. code-block:: shell

              test:~$ ifconfig
              enp3s0: flags=4099 mtu 1500
                      ether e4:54:e8:0a:f2:75 txqueuelen 1000 (Ethernet)
                      RX packets 0 bytes 0 (0.0 B)
                      RX errors 0 dropped 0 overruns 0 frame 0
                      TX packets 0 bytes 0 (0.0 B)
                      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

              lo: flags=73 mtu 65536
                      inet 127.0.0.1 netmask 255.0.0.0
                      inet6 ::1 prefixlen 128 scopeid 0x10
                      loop txqueuelen 1000 (Local Loopback)
                      RX packets 453840 bytes 299962936 (299.9 MB)
                      RX errors 0 dropped 0 overruns 0 frame 0
                      TX packets 453840 bytes 299962936 (299.9 MB)
                      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

              wlp4s0: flags=4163 mtu 1500
                      inet 192.168.0.37 netmask 255.255.255.0 broadcast 192.168.0.255
                      inet6 fd8d:7bbc:1295:8:3e83:f574:906b:9b12 prefixlen 64 scopeid 0x0
                      inet6 fe80::efe6:fe58:4cd1:9a51 prefixlen 64 scopeid 0x20
                      inet6 fd8d:7bbc:1295:8:51a9:e8f4:66d6:3180 prefixlen 64 scopeid 0x0
                      ether c0:b5:d7:0b:ac:5b txqueuelen 1000 (Ethernet)
                      RX packets 3476163 bytes 2223285532 (2.2 GB)
                      RX errors 0 dropped 48920 overruns 0 frame 0
                      TX packets 450874 bytes 86312159 (86.3 MB)
                      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

        * Step-2 : On the client machine, connect to the server

          1. Obtain the proxy's certificate

             .. code-block:: shell

                 test:~$ echo | openssl s_client -showcerts -connect 10.91.239.13:3129

             * This will show you the certificate chain the proxy is presenting. Copy the certificate from the output (the block starting with ``-----BEGIN CERTIFICATE-----`` and ending with ``-----END CERTIFICATE-----``).
             * Save it to a file, e.g., proxy_cert.pem.
          2. Add the proxy's certificate to the trusted CA store

             1. Copy the proxy certificate to /usr/local/share/ca-certificates/

                .. code-block:: shell

                    # update-ca-certificates only picks up files ending in .crt
                    test:~$ sudo cp proxy_cert.pem /usr/local/share/ca-certificates/proxy_cert.crt

             2. Update the certificate store

                .. code-block:: shell

                    test:~$ sudo update-ca-certificates

                * This will add the proxy's self-signed certificate to the list of trusted certificates.

        * Step-3 : Using Curl

          .. code-block:: shell

              test:~$ curl --proxy https://10.91.239.13:3129 --proxy-cacert /path/to/proxy_cert.pem https://example.com

          * Expected output: The HTML source code of the webpage hosted at http://example.com
          * NOTE: 10.91.239.13 is the Proxy Server IP address referenced in the "Setup HTTPS Proxy server on Ubuntu" section above.

        * Step-4 : Using wget

          .. code-block:: shell

              # wget takes the proxy from the https_proxy setting, not from a positional URL
              test:~$ wget --proxy=on -e https_proxy=https://10.91.239.13:3129 --ca-certificate=/path/to/proxy_cert.pem https://example.com

          * Expected output: The HTML content of the webpage at http://example.com
          * NOTE: 10.91.239.13 is the Proxy Server IP address referenced in the "Setup HTTPS Proxy server on Ubuntu" section above.

        * Step-5 : Using Telnet

          .. code-block:: shell

              test:~$ telnet 10.91.239.13 3129
              Trying 10.91.239.13...
              Connected to 10.91.239.13.
              Escape Character is '^]'.

          * If the connection fails, the output will be something like "connection refused" or "unable to connect".
          * NOTE: 10.91.239.13 is the Proxy Server IP address referenced in the "Setup HTTPS Proxy server on Ubuntu" section above.

        * Step-6 : Using netcat

          .. code-block:: shell

              test:~$ nc -zv 10.91.239.13 3128
              Connection to 10.91.239.13 3128 port [tcp/*] succeeded!

          * NOTE: 10.91.239.13 is the Proxy Server IP address referenced in the "Setup HTTPS Proxy server on Ubuntu" section above.

        * Step-7 : Using ping

          .. code-block:: shell

              test:~$ ping 10.91.239.13
              PING 10.91.239.13 (10.91.239.13) 56(84) bytes of data.
              64 bytes from 10.91.239.13: icmp_seq=1 ttl=64 time=0.092 ms
              64 bytes from 10.91.239.13: icmp_seq=2 ttl=64 time=0.036 ms
              64 bytes from 10.91.239.13: icmp_seq=3 ttl=64 time=0.094 ms
              64 bytes from 10.91.239.13: icmp_seq=4 ttl=64 time=0.105 ms
              64 bytes from 10.91.239.13: icmp_seq=5 ttl=64 time=0.094 ms

          * NOTE: 10.91.239.13 is the Proxy Server IP address referenced in the "Setup HTTPS Proxy server on Ubuntu" section above.

.. _HTTPS_step20:

.. tab-set::

    .. tab-item:: Squid Configuration

        * squid

.. _HTTPS_step12:

.. tab-set::

    .. tab-item:: Protocol

.. _HTTPS_step21:

.. tab-set::

    .. tab-item:: Test Cases

        * Test Cases

.. _HTTPS_step13:

.. tab-set::

    .. tab-item:: Frame Sequence

        * Frame Sequence

.. _HTTPS_step14:

.. tab-set::

    .. tab-item:: Wireshark Capture

        * Wireshark Capture

.. _HTTPS_step15:

.. tab-set::

    .. tab-item:: Packets

.. _HTTPS_step16:

.. tab-set::

    .. tab-item:: packet 1

        * packet 1

.. _HTTPS_step17:

.. tab-set::

    .. tab-item:: packet 2

        * packet 2

.. _HTTPS_step18:

.. tab-set::

    .. tab-item:: FAQs

        * FAQs

.. _HTTPS_step19:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links
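
For the ``http_access`` rules in Step-5 of the Squid setup: Squid checks these lines from top to bottom and applies the first one whose ACLs all match, so where the ``safe_ports`` rule sits decides who may use the proxy. The following is an added example (not code from the original page or from the Squid project) that models this evaluation for two orderings of the Step-5 ACLs; the address 203.0.113.50, the two rule lists and the function names are constructed for illustration, and only ``src`` and ``port`` ACLs are modelled.

```python
import ipaddress

# ACL names and values as in Step-5; "all" is Squid's built-in match-everything ACL.
ACLS = {
    "client_ip": ("src", ["192.168.0.37"]),
    "safe_ports": ("port", ["80", "443", "1025-65535"]),
    "all": ("src", ["0.0.0.0/0"]),
}

# Two orderings of the same ACLs (constructed for comparison).
ALLOW_PORTS = [
    "http_access allow client_ip",
    "http_access allow safe_ports",
    "http_access deny all",
]
DENY_OTHER_PORTS = [
    "http_access deny !safe_ports",
    "http_access allow client_ip",
    "http_access deny all",
]


def acl_matches(name, src, port):
    """Match one ACL (optionally negated with '!') against client IP and destination port."""
    kind, values = ACLS[name.lstrip("!")]
    if kind == "src":
        hit = any(ipaddress.ip_address(src) in ipaddress.ip_network(v) for v in values)
    else:  # port ACL: a single port or an inclusive lo-hi range
        ranges = (v.partition("-") for v in values)
        hit = any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)
    return hit != name.startswith("!")


def decide(rules, src, port):
    """Return the action of the first rule whose ACLs all match (AND within a line)."""
    for line in rules:
        _, action, *acls = line.split()
        if all(acl_matches(a, src, port) for a in acls):
            return action
    # Nothing matched: Squid falls back to the opposite of the last rule's action.
    return "allow" if rules[-1].split()[1] == "deny" else "deny"


if __name__ == "__main__":
    # 203.0.113.50 is a constructed address standing in for any unlisted client.
    for src, port in [("192.168.0.37", 443), ("203.0.113.50", 443), ("192.168.0.37", 25)]:
        print(src, port, decide(ALLOW_PORTS, src, port), decide(DENY_OTHER_PORTS, src, port))
```

With ``allow safe_ports`` ahead of ``deny all``, the unlisted client is admitted for port 443 and the listed client can reach port 25; with ``deny !safe_ports`` first, both requests are refused.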