Wireless Toolkit + Proxomitron + mysterious SSL Connection?
Jun. 02, 2009, 09:56 AM
Post: #1
Wireless Toolkit + Proxomitron + mysterious SSL Connection?
Dear all,

When I am using Sun Wireless Toolkit 2.5 with the Proxomitron as proxy on port 10000,
I observe in the log window (of the Proxomitron), when I do a simple HTTP connection:

++SSL 3:++
SSL Pass-Thru: CONNECT https://www.aserver.com:80/
++CLOSE 3++

a) Is there a protocol transcoding from Wireless Toolkit to Proxomitron?
b) Do WTK 2.5 and Proxomitron communicate under SSL?

thanks

Nikos
Jun. 02, 2009, 10:11 PM
Post: #2
RE: Wireless Toolkit + Proxomitron + mysterious SSL Connection?
(Jun. 02, 2009 09:56 AM)Nikolaos Wrote:  a)is there a protocol transcoding from Wireless Toolkit to proxomitron?

SSL Pass-Thru:
means the Proxomitron sees the HTTPS connection but will not filter it.
So for this example, I'll say no "Transcoding".

(Jun. 02, 2009 09:56 AM)Nikolaos Wrote:  b)does WTK 2.5 and Proxomitron communicate under SSL?

"Communicate"?
The Proxomitron may be able to decrypt the SSL and filter some data.

HTH
Jun. 03, 2009, 08:56 AM
Post: #3
RE: Wireless Toolkit + Proxomitron + mysterious SSL Connection?
Thanks, JJoe.
In which way "the Proxomitron may be able to decrypt the SSL and filter some data"?
Can you help me please?
Jun. 03, 2009, 01:09 PM
Post: #4
RE: Wireless Toolkit + Proxomitron + mysterious SSL Connection?
Outgoing headers and incoming data may be filtered.
'Posted' data may be viewed.

From the ReadMe.txt in the Proxomitron's Docs folder.
http://www.proxomitron.info/45/docs/readme.txt
Quote:
SSLeay/OpenSSL mode
-------------------

In this mode Proxomitron decrypts incoming data, filters it, then re-encrypts
it before sending it on. This allows for nearly transparent filtering and
full control over https connections. This feat is accomplished using the
very nice Open Source SSLeay/OpenSSL libraries (not included - see below).

** WARNING **

This mode is experimental! I would strongly discourage using active
SSL filtering for important transactions such as on-line banking or purchases.
The connection may not be as secure, and it's better not to risk a filter
potentially creating troubles on such a page. However, since the casual use
of SSL on less important pages is increasing, sometimes you may wish to
filter it anyway. Still, keep in mind that you do so at your own risk.

To use this mode Proxomitron must have access to "ssleay32.dll" and
"libeay32.dll" which contain all the SSL libraries and all cryptographic
routines. Otherwise "Pass-Thru" mode will be used.
Jun. 04, 2009, 02:47 PM
Post: #5
RE: Wireless Toolkit + Proxomitron + mysterious SSL Connection?
This is one thing that I do not understand:
I never, through my MIDlet, ask for the URL https://www.aserver.com:80/
and (testing with wget) when I ask for https://www.aserver.com:80/ no valid answer is received,
because the system is unable to establish an SSL connection.

So
a) Who is making the mistake and asking for an SSL connection where it SHOULD not ask... Proxomitron OR Wireless Toolkit (WTK)?
b) Why am I able to get an answer on my MIDlet?

thanks

Nikos
Jun. 04, 2009, 06:59 PM
Post: #6
RE: Wireless Toolkit + Proxomitron + mysterious SSL Connection?
(Jun. 04, 2009 02:47 PM)Nikolaos Wrote:  This is one thing that i do not understand
i never through my MIDlet ask for the url https://www.aserver.com:80/

Did you write the MIDlet?
Could you have an error in your code that would make this connection?
An https connection to port 80 of what appears to be an OK site seems odd (to me at least) but having a variable named "aserver" does not.

(Jun. 04, 2009 02:47 PM)Nikolaos Wrote:  and (testing with wget) when i ask https://www.aserver.com:80/ no valid answer is taken
because system is Unable to establish SSL connection.

I got nothing but my headers and/or ip are wrong.

(Jun. 04, 2009 02:47 PM)Nikolaos Wrote:  So
a)who is making the mistake and asking an ssl connection wherever it SHOULD not ask...... Proxomitron OR Wireless Toolkit (WTK)?

I don't think the Proxomitron is guilty.
The Proxomitron doesn't initiate or start connections. It can redirect a connection but I think this would show in the log.

(Jun. 04, 2009 02:47 PM)Nikolaos Wrote:  b)why i am able to get an answer on my midlet?

Are you sure? Probably a silly question but...
If yes, I'd guess wget wasn't hidden from the server.

Have you considered installing the DLLs and having the Proxomitron filter the connection?

I am guessing, btw.
Trying to help.
Jun. 04, 2009, 10:12 PM
Post: #7
RE: Wireless Toolkit + Proxomitron + mysterious SSL Connection?
(Jun. 04, 2009 02:47 PM)Nikolaos Wrote:  b)why i am able to get an answer on my midlet?

Maybe that server only responds to "mobile" user agents...
Jun. 05, 2009, 08:16 AM
Post: #8
RE: Wireless Toolkit + Proxomitron + mysterious SSL Connection?
1) I did write the MIDlet and I am asking precisely for http://admin.sport-fm.gr/rssFeed (which is a simple RSS feed)
(the https://www.aserver.com:80/ was an example...) and as far as I can see, the Proxomitron diverts this to https://admin.sport-fm.gr/rssFeed:80

2) I have not tested the DLLs so far.

3) How can I be 100% sure that WTK and Proxomitron are "talking" under SSL?

Thanks!

Nikos
Jun. 05, 2009, 03:52 PM
Post: #9
RE: Wireless Toolkit + Proxomitron + mysterious SSL Connection?
Consider
http://bugzilla.mozilla.org/enter_bug.cg...t=Bugzilla
It gets a 301 to
https://bugzilla.mozilla.org/enter_bug.c...t=Bugzilla

If not filtering SSL

Code:
+++GET 288+++
GET /enter_bug.cgi?product=Bugzilla HTTP/1.1
Host: bugzilla.mozilla.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Referer: http://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla
Cookie: DEFAULTFORMAT=specific
Connection: keep-alive

+++RESP 288+++
HTTP/1.1 301 Moved Permanently
Date: Fri, 05 Jun 2009 14:28:16 GMT
Server: Apache/2.2.3 (Red Hat)
Location: https://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla
Content-Length: 353
Content-Type: text/html; charset=iso-8859-1
+++CLOSE 288+++

+++GET 289+++
CONNECT / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Proxy-Connection: keep-alive
Host: bugzilla.mozilla.org

+++SSL 289:+++
SSL Pass-Thru: CONNECT https://bugzilla.mozilla.org:443/

+++GET 290+++
CONNECT / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Proxy-Connection: keep-alive
Host: www.mozilla.org

+++SSL 290:+++
SSL Pass-Thru: CONNECT https://www.mozilla.org:443/

I can see that the Proxomitron sees SSL traffic and lets it pass through.
I can see the User-Agent for the SSL. It's my browser.

Next filtering SSL

Code:
+++GET 291+++
GET /enter_bug.cgi?product=Bugzilla HTTP/1.1
Host: bugzilla.mozilla.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Referer: http://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla
Cookie: DEFAULTFORMAT=specific
Connection: keep-alive

+++RESP 291+++
HTTP/1.1 301 Moved Permanently
Date: Fri, 05 Jun 2009 14:32:43 GMT
Server: Apache/2.2.3 (Red Hat)
Location: https://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla
Content-Length: 353
Content-Type: text/html; charset=iso-8859-1
+++CLOSE 291+++

+++GET 292+++
CONNECT / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Proxy-Connection: keep-alive
Host: bugzilla.mozilla.org

+++SSL:GET 292+++
SSL cipher TLSv1 AES256-SHA (256 bits)
GET /enter_bug.cgi?product=Bugzilla HTTP/1.1
Host: bugzilla.mozilla.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: https://bugzilla.mozilla.org:443/enter_bug.cgi?product=Bugzilla
Cookie: DEFAULTFORMAT=specific
Connection: keep-alive

+++SSL:RESP 292+++
SSL cipher TLSv1 RC4-MD5 (128 bits)
HTTP/1.1 200 OK
Date: Fri, 05 Jun 2009 14:32:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Backend-Server: mrapp51
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Match 292: Kill pop-up windows
Match 292: Suppress all JavaScript errors
Match 292: Stop browser window resizing
Match 292: Frame Jumper-Outer
<end> 292: Restore pop-ups after a page loads
+++CLOSE 292+++

+++GET 293+++
CONNECT / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Proxy-Connection: keep-alive
Host: www.mozilla.org

+++SSL:GET 293+++
SSL cipher TLSv1 AES256-SHA (256 bits)
GET /images/subsite_back.gif HTTP/1.1
Host: www.mozilla.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Accept: image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: https://www.mozilla.org:443/images/subsite_back.gif
If-Modified-Since: Wed, 22 Apr 2009 20:30:37 GMT
If-None-Match: "317-a2dab540"
Connection: keep-alive

+++SSL:RESP 293+++
SSL cipher TLSv1 RC4-MD5 (128 bits)
HTTP/1.1 304 Not Modified
Connection: Keep-Alive
Date: Fri, 05 Jun 2009 14:29:05 GMT
Via: NS-CACHE-6.0:   4
ETag: "317-a2dab540"
+++CLOSE 293+++

I can see the "SSL:RESP" from the server. The Proxomitron is filtering it.
I can see the User-Agent for the SSL.



If I have the Proxomitron do the redirect

Code:
[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL: Test"
Match = "http://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla"
Replace = "$JUMP(https://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla)"

Code:
JumpTo: https://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla

+++GET 294+++
GET /enter_bug.cgi?product=Bugzilla HTTP/1.1
Host: bugzilla.mozilla.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Referer: http://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla
Cookie: DEFAULTFORMAT=specific
Connection: keep-alive
+++CLOSE 294+++

I see "JumpTo:" in the log.

http://admin.sport-fm.gr/rssFeed
to
https://admin.sport-fm.gr/rssFeed:80
still seems odd to me.
Like an autocomplete gone wrong.

Does the Proxomitron's log show a request for
http://admin.sport-fm.gr/rssFeed
and then
https://admin.sport-fm.gr/rssFeed:80
?

(Jun. 05, 2009 08:16 AM)Nikolaos Wrote:  3)how can i be 100% sure that WTK and Proxomitron are "talking" under SSL?

I'm not sure how to or that I can answer this. I haven't written a MIDlet.
I assume expected SSL:GET and SSL:RESP would be "talking"?
Jun. 10, 2009, 08:19 AM
Post: #10
RE: Wireless Toolkit + Proxomitron + mysterious SSL Connection?
JJoe, I guess that the problem is caused not by the Proxomitron but by the Wireless Toolkit itself, which turns a simple http URL into https.

Is anyone here familiar with a similar problem?

Thanks

Nikos
Jun. 10, 2009, 03:25 PM
Post: #11
RE: Wireless Toolkit + Proxomitron + mysterious SSL Connection?
http://forums.java.net/jive/thread.jspa?...t=0#296830

jannewmarc Wrote: Setting the property com.sun.midp.io.http.proxy only works with certain proxies configured in certain ways. The usual way of talking to proxy is to open a TCP connection and then issue commands such as "GET url HTTP/1.1" where the url is the resource you really want to access. The proxy is expected to forward the request to the desired host and relay the response.

MIDP uses proxy tunneling instead (expired internet draft "Tunneling TCP based protocols through Web proxy servers"). It sends "CONNECT remote-host" to the proxy which should then open a stream to the remote host. If successful, the proxy returns "200 Okay" and the client can then send HTTP requests (or anything) over the stream. It does this so it can support HTTPS.

Many proxies refuse to handle CONNECT requests. e.g. my work proxy will only handle them for port 443, the normal HTTPS port. Solutions like "use another proxy" or "reconfigure the proxy" are not an option in our work environment.

Solution? Write your own HTTP client which can talk to proxies using the normal mechanism. It's not TOO hard to write a basic HTTP client, but it starts to get messy if you need to handle HTTP redirects, chunked documents, etc, etc. All the code to do that is already in MIDP and it wouldn't take much to support proxies as in the JDK. Sigh :-(

Here is some naive code, use at your own risk:

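import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.microedition.io.Connector;
import javax.microedition.io.HttpConnection;
import javax.microedition.io.SocketConnection;

public InputStream getInputStreamFromURL(String url) {
    InputStream is = null;
    try {
        // Are we using a proxy?
        String httpProxy = System.getProperty("com.sun.midp.io.http.proxy");
        if (httpProxy == null) {
            // No proxy, connect directly
            HttpConnection conn = (HttpConnection)
                Connector.open("http://" + url);
            return conn.openInputStream();

        } else {
            /*
             * we need to talk over TCP to the proxy and send HTTP requests to it
             */
            SocketConnection conn = (SocketConnection)
                Connector.open("socket://" + httpProxy);

            OutputStream os = conn.openOutputStream();
            DataOutputStream out = new DataOutputStream(os);

            // send an HTTP 1.0 request so we get a simple reply; the proxy needs
            // the absolute URL, so the scheme is added as in the direct branch
            String request = "GET http://" + url + " HTTP/1.0\r\n\r\n";

            byte[] b = request.getBytes();
            for (int n = 0; n < b.length; n++)
                out.writeByte(b[n]);
            out.flush();

            is = conn.openInputStream();
            int ch;
            // The quoted post is cut off at this point. The rest is an assumed
            // completion: skip the status line and headers (up to the first
            // blank line) so the caller gets the body, as in the direct branch.
            int newlines = 0;
            while (newlines < 2 && (ch = is.read()) != -1) {
                if (ch == '\n') newlines++;
                else if (ch != '\r') newlines = 0;
            }
            return is;
        }
    } catch (IOException e) {
        // connection or I/O failure: the caller gets null
        return null;
    }
}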

Maybe this helps?
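The two proxying styles from the quoted jannewmarc post, and the port-80 pass-through line from post #1, can be told apart mechanically. The following is an added example, not code from the thread or from Proxomitron or WTK: the function names and the 443-only default are assumptions for illustration, and the log sample is constructed from lines quoted above.

```python
import re

# First line a client sends to an HTTP proxy, in the two styles described above:
#   forward: "GET http://host/path HTTP/1.0"  (proxy reads and can filter the request)
#   tunnel:  "CONNECT host:port HTTP/1.1"     (proxy only relays bytes)
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")
ABSOLUTE_URL = re.compile(r"^http://(?P<host>[^:/]+)(?::(?P<port>\d+))?(?:/|$)")
# Log line shape copied from the Proxomitron excerpts in this thread.
PASS_THRU = re.compile(r"^SSL Pass-Thru: CONNECT https://(?P<host>[^:/\s]+):(?P<port>\d+)/")


def classify_request_line(line, allowed_tunnel_ports=(443,)):
    """Return (style, host, port, allowed) for a proxy-facing request line."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        raise ValueError("not an HTTP request line: %r" % line)
    method, target = m.group("method"), m.group("target")
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        # A 443-only policy, like the work proxy in the quoted post, refuses other ports.
        return ("tunnel", host, int(port), int(port) in allowed_tunnel_ports)
    url = ABSOLUTE_URL.match(target)
    if not url:
        raise ValueError("forward proxying needs an absolute http:// URL")
    return ("forward", url.group("host"), int(url.group("port") or 80), True)


def tunnels_to_unexpected_ports(log_text, expected=(443,)):
    """List (host, port) for pass-through tunnels whose port is not an expected TLS port."""
    hits = []
    for line in log_text.splitlines():
        m = PASS_THRU.match(line.strip())
        if m and int(m.group("port")) not in expected:
            hits.append((m.group("host"), int(m.group("port"))))
    return hits


# Constructed sample, assembled from log lines quoted in this thread.
SAMPLE_LOG = """\
SSL Pass-Thru: CONNECT https://bugzilla.mozilla.org:443/
++SSL 3:++
SSL Pass-Thru: CONNECT https://www.aserver.com:80/
++CLOSE 3++
"""

if __name__ == "__main__":
    print(classify_request_line("CONNECT www.aserver.com:80 HTTP/1.1"),
          tunnels_to_unexpected_ports(SAMPLE_LOG))
```

A pass-through entry on port 80 means the client tunnelled with CONNECT rather than switching to TLS, so the proxy relayed the request without seeing or filtering it.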
Jun. 11, 2009, 07:29 AM
Post: #12
RE: Wireless Toolkit + Proxomitron + mysterious SSL Connection?
This is exactly what we want! This is the core of the problem! Thanks JJoe!!!

So the question is to find an HTTP proxy that can handle CONNECT requests...
Does anybody know of a free one with this functionality?

Nikos
Jun. 11, 2009, 03:04 PM
Post: #13
RE: Wireless Toolkit + Proxomitron + mysterious SSL Connection?
I have found
http://ws.apache.org/commons/tcpmon/index.html
http://www.http-tunnel.com/html/

Does anyone have something else?

Nikos

Thanks
Jun. 12, 2009, 01:26 AM
Post: #14
RE: Wireless Toolkit + Proxomitron + mysterious SSL Connection?
http://www.pps.jussieu.fr/~jch/software/polipo/
Jun. 12, 2009, 04:26 AM
Post: #15
RE: Wireless Toolkit + Proxomitron + mysterious SSL Connection?
jannewmarc's post reads like knowledge. I'm guessing. Research our posts regardless...

IIRC, once the Proxomitron sees browser https you can't $RDIR to http.
I'll guess that the Proxomitron will only handle CONNECT requests for https.
So, I'll guess that you need a proxy (middleman) that hides the MIDP from the Proxomitron.

Nikos' problem seems similar to jannewmarc's,
"e.g. my work proxy will only handle them for port 443".
jannewmarc's post is dated Sep 2, 2008 10:31 PM and does not name a 'middleman'.
I'll guess that there isn't a well known one...

Some quick googling shows little hope, imo.