OpenSSL & SSL Authentication Questions
Feb. 10, 2014, 10:38 PM
Post: #1
OpenSSL & SSL Authentication Questions
Greetings Proxomitron Gurus!
I'm new here. Please try to be kind if I violate any forum etiquette or customs (e.g. this is a long post with quite a few questions, and hopefully I have not made *too many* assumptions). After rediscovering Proxomitron I began researching which OpenSSL DLLs to use in Proxomitron these days. I'm still unsure which to use in Proxomitron itself and/or with make-proxcert. Prospects include:

OpenSSL 0.9.6m [from OpenSSL Win32 Installer Team], both files modified March 18, 2004
libeay32.dll: SHA-256 932663d5f3fc13d6f6a182663c4dca326eec0db22bd5f4307bb84c2e8dac7282

OpenSSL-0.9.8-patched [from unknown source], both files modified July 06, 2005
libeay32.dll: SHA-256 40bf950dcdb88deb66a355fe9838049c2b77f80872763f66238c71311352910e

OpenSSL-0.9.8.0-mod-rev1 [readme claims sidki, Sep 29 2006], modified September 26, 2006
libeay32.dll: SHA-256 492d02e478ac8ce340b8b9e2120bb8735cc25ce673d5841793ccedd02eecff46

From Shining Light Productions' website:

OpenSSL 0.9.8y © 1998-2007 The OpenSSL Project, both files modified February 06, 2013
libeay32.dll: SHA-256 733714803dc313a9481fcc0a5fdd33ad3574c1571f753f15299dd0df06656d9f

OpenSSL 1.0.1f © 1998-2005 The OpenSSL Project, both files modified January 06, 2014
libeay32.dll: SHA-256 eb75fdef63d8af4995e36b1522873556f3f9d146cc971ecb990b2b2cec7d3767

I'd like to use the latest OpenSSL 1.0.1f, but would really appreciate any recommendations, pointers, links, experiences, etc. anyone is willing to offer. BTW, does anyone know the details of netlaw's June 2003 OpenSSL_add_all_algorithms modifications? sidki, feel like adding all the security patches between September 26, 2006 and February 06, 2013? <joking>

Additionally, does anyone know if there are any limitations on OpenSSL versions in phoenix's (aka whenever's) ProxHTTPSProxy? Will the slproweb Light packages suffice? How about the Win64 versions on an x64 OS... just curious?

Also, I'm very interested in following up on a digression ProxRocks posted in the "ProxHTTPSProxy, a Proxomitron SSL Helper Program" thread (Post: #126) http://prxbx.com/forums/showthread.php?t...7#pid16467

Quote: ...while i haven't played around with ProxHTTPSProxy for some time now, it has been my high hopes that it would become the wave of the future for anyone (ie, "us geeks") wishing to take matters into their own hands and "at their own risk" AXE the STUPID certificate-check CRAP...

Note: Some references & resources pertaining to the following paragraphs are at the end of this post.

When I first came across phoenix's (aka whenever's) ProxHTTPSProxy in the forums I too had high hopes, although slightly different ones than ProxRocks. At first I'd hoped ProxHTTPSProxy might permit certificate verification and/or enable local storage and comparison of verified certificates. I even thought *perhaps* it might be able to do some kind of certificate pinning like Microsoft's EMET, or some more 'advanced' certificate checks (e.g. comparing certificate fingerprints against Steve Gibson's Fingerprints page, or using less centralized approaches like Perspectives or Convergence). Apparently I had somehow managed to skim right past the big red “Warning: Currently ProxHTTPSProxy is not doing any kind of certificate check, use it as your own risk!”

After reading ProxRocks' digression and a great article, "Technical Architecture shapes Social Structure", I did a little more research and thinking. As much as the Carnegie Mellon Perspectives approach and its derivatives Convergence and Convergence "Extra" may be improvements on the Certificate Authority scheme, in principle I've come around to ProxRocks' position: “the whole scheme is a crock of crap”. Nevertheless, in my opinion something needs to fill the authentication void.

I'd personally rather see an approach like Monkeysphere; but I humbly ask: does anyone know of any "parent proxy" that they use, or that could be used, to help fill the SSL authentication void in Proxomitron? If not, does anyone have the skill(s) and motivation to implement some kind of SSL authentication into a Proxomitron add-on/parent proxy? I don't have the coding (or even scripting) skills myself, but I've tried to compile some places to start, below, if anyone is interested.

Lastly, somewhat digressing here: view the source of https://dnscrypt.eu/ IIUC that's a tracking script inside https on a security/privacy resource's webpage... probably (hopefully!) relatively benign.

Thanks to any and all that read this far! And thanks to all those who've participated on this forum, both past and present.

References & Resources:

Microsoft EMET 4.x's Certificate Trust Feature
https://blogs.technet.com/b/srd/archive/...ature.aspx

Perspectives [“decentralized” SSL certificate checks from “network notary servers”]
http://perspectives-project.org/
https://github.com/danwent/Perspectives

Convergence [Perspectives-like SSL certificate checks from a “dynamic set of Notaries”]
http://convergence.io/details.html
https://github.com/moxie0/Convergence

Convergence "Extra" [Convergence fork that checks using “private” notaries]
https://github.com/mk-fg/convergence#cha...m-upstream

Monkeysphere [uses the PGP web of trust model to assess https certificates]
http://web.monkeysphere.info/why/#index1h2

TACK [“A proposal for a dynamically activated public key pinning framework”]
http://tack.io/
https://lists.riseup.net/www/arc/tack/20...00001.html

Skip Cert Error [Seems better than ignoring all certificates imho]
https://github.com/foudfou/skipCertError/
https://addons.mozilla.org/en-US/firefox...ert-error/
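As an added example (not code from this thread, from ProxHTTPSProxy, or from any of the projects listed above), here is a small Python sketch of the two things the post asks a parent proxy to do: verify the upstream certificate the standard way, and store and compare SHA-256 certificate fingerprints on a trust-on-first-use basis, with an optional out-of-band fingerprint such as one read from a published list. The certificate bytes and hostnames used are constructed placeholders, not real certificates.

```python
import hashlib
import ssl
from typing import Dict, Optional


class PinMismatch(Exception):
    """The host presented a certificate whose fingerprint differs from the reference."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated like `openssl x509 -sha256 -fingerprint`."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verifying_context() -> ssl.SSLContext:
    """Client-side context a parent proxy should use towards the real server.

    Chain validation against the system CA store plus hostname matching,
    i.e. the checks the ProxHTTPSProxy warning says it does not perform.
    """
    ctx = ssl.create_default_context()   # already CERT_REQUIRED + check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED  # spelled out so the intent is visible
    ctx.check_hostname = True
    return ctx


class PinStore:
    """Trust-on-first-use pins keyed by hostname (in memory here; a real add-on
    would persist them to disk so a changed certificate is noticed across runs)."""

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def check(self, host: str, der_cert: bytes, published: Optional[str] = None) -> str:
        """Compare the presented certificate with what is known about `host`.

        `published` is an out-of-band fingerprint (e.g. copied from a fingerprint
        list) and takes precedence over the locally stored pin. Returns "pinned"
        on first sight and "match" on agreement; raises PinMismatch when the
        certificate changed or disagrees with `published`.
        """
        seen = fingerprint(der_cert)
        reference = published or self.pins.get(host)
        if reference is None:
            self.pins[host] = seen
            return "pinned"
        if seen != reference.upper():
            raise PinMismatch(f"{host}: expected {reference}, got {seen}")
        self.pins[host] = seen  # keep the local pin in step with a confirmed reference
        return "match"
```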
Feb. 12, 2014, 05:30 AM
Post: #2
RE: OpenSSL & SSL Authentication Questions
Welcome,
Use one of the two openssl files at http://proxomitron.info/files/index.html . The patches sidki used and info are in the zip. http://proxomitron.info/files/download/o...readme.txt

IIRC, OpenSSL 0.9.8a and later are incompatible with the Proxomitron. Some users of programs that were orphaned by the changes to OpenSSL considered creating software to bridge, but no. The OpenSSL folks just might break it again. Advice was that any effort should be spent on new programs.

Quote: ProxHTTPSProxy? Will the slproweb Light packages suffice?

I'd choose the "Win32 OpenSSL v1.0.0L Light". However, I just noticed, I have run ProxHTTPSProxy without slproweb OpenSSL installed. I have python installed with pyOpenSSL-0.13.1.win32-py2.7 instead.

There are libraries that could extend ProxHTTPSProxy https abilities, but I haven't been able to convince myself that that is the thing to do. A browser in http mode may not do things that it should do while the mitm proxy is handling the https connection, and http://en.wikipedia.org/wiki/HTTP_Strict...t_Security and ??.

I know the current https scheme can fail, but so can proxies, vpns, toothpaste, seatbelts, airplanes, parachutes, etc. Proper use and fingers crossed seems to be the best course. I would like browsers that will always accept known friendly mitms. The browser could even have some cute icon display when using the mitm.

As to better security, privacy, etc... My world has some people who believe they have the right or responsibility to be able to know what others are doing. Any solution has to get by these people.

Have fun