ProxHTTPSProxyMII: Reloaded
Sep. 17, 2018, 01:15 AM (This post was last modified: Sep. 17, 2018 01:17 AM by Sudenr.)
Post: #286
RE: ProxHTTPSProxyMII: Reloaded
(Sep. 16, 2018 06:37 PM) vlad_s Wrote: Is it possible to specify that the certificate should start being valid earlier, rather than at the time the certificate was generated?

Yep. In CertTool.py change lines
Code:
cert.gmtime_adj_notBefore(0)
to
Code:
cert.gmtime_adj_notBefore(-60 * 60 * 24 * 2)
and all your new certificates will be generated as if two days before the current time.
Sep. 17, 2018, 01:20 AM (This post was last modified: Sep. 17, 2018 01:21 AM by Sudenr.)
Post: #287
There is also one thing that bothers me. Don't you think that the default encryption between the browser and ProxHTTPSProxyMII is too powerful? Really, AES256-GCM for localhost is a little... excessive.
The ciphersuite for the connection to the front proxy can be set in ProxHTTPSProxy.py, in the line
Code:
ssl_sock = ssl.wrap_socket(self.connection, keyfile=dummycert, certfile=dummycert, server_side=True)
by changing it to
Code:
ssl_sock = ssl.wrap_socket(self.connection, ciphers='ECDHE-ECDSA-AES128-GCM-SHA256', keyfile=dummycert, certfile=dummycert, server_side=True)
It's better to use ECDHE-ECDSA-AES128-GCM-SHA256 if the CPU has AES-NI, ECDH+CHACHA20 if AES acceleration is unavailable, or even !aNULL to avoid double encrypt-decrypt if connection security is managed by an upstream proxy like compy.
So, maybe a ciphersuite selection option should be placed in config.ini as an advanced option?
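An added example, not part of the original posts or of ProxHTTPSProxyMII's code: before putting a cipher string from post #287 into the wrap_socket call, list what it actually enables on the local OpenSSL build. The function names tls12_suites and make_server_context are hypothetical, and the SSLContext API is used in place of ssl.wrap_socket.

```python
import ssl


def tls12_suites(cipher_string):
    """Return the TLS <= 1.2 suite names an OpenSSL cipher string enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL rejected the string: it selects no cipher at all.
        return []
    # TLS 1.3 suites (named TLS_*) are configured separately in OpenSSL and
    # are not changed by set_ciphers(), so they are left out of the report.
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def make_server_context(certfile, cipher_string):
    """Server-side context restricted to cipher_string.

    certfile is assumed to be a single PEM file holding both key and
    certificate, as the dummycert argument in the thread suggests.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    ctx.load_cert_chain(certfile)
    return ctx                       # then: ctx.wrap_socket(conn, server_side=True)


if __name__ == "__main__":
    # The three strings mentioned in post #287, plus a DEFAULT-based variant.
    for s in ("ECDHE-ECDSA-AES128-GCM-SHA256",
              "ECDH+CHACHA20",
              "!aNULL",
              "DEFAULT:!aNULL"):
        suites = tls12_suites(s)
        print("%-32s -> %d suite(s)" % (s, len(suites)))
        for name in suites:
            print("    " + name)
```

A string made only of "!" exclusions such as "!aNULL" enables nothing on its own, and "DEFAULT:!aNULL" still lists only encrypting suites, because aNULL refers to authentication, not encryption. An ECDHE-ECDSA suite can only be negotiated when the certificate holds an ECDSA key; the key type of dummycert is not stated in the thread.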
Sep. 17, 2018, 12:34 PM
Post: #288
(Sep. 17, 2018 01:15 AM) Sudenr Wrote:
(Sep. 16, 2018 06:37 PM) vlad_s Wrote: Is it possible to specify that the certificate should start being valid earlier, rather than at the time the certificate was generated?

Yep. In CertTool.py change lines
Code:
cert.gmtime_adj_notBefore(0)
to
Code:
cert.gmtime_adj_notBefore(-60 * 60 * 24 * 2)
and all your new certificates will be generated as if two days before the current time.
Ok, it works.
Today, 04:38 PM
Post: #289
It is impossible to open the sites just.ru and rbt.ru unless *.variti.de is added to the [SSL Pass-Thru] section. The script from *.variti.de loads normally in any case. So I could not work out which one is to blame: privoxy or proxhttpsproxy.