On 11/03/12 16:18, Steve Chapel wrote:
I will need to write an HTTPS proxy, which will examine the certificates sent from the web server and determine whether the certificate is valid or invalid. If the proxy determines if the certificate is valid, I will need to resign the document. I suppose this will require that the proxy be a certificate authority and will generate certificates for websites, which the proxy will then use to sign the documents. Will this be something that twisted can do easily? If so, where can I find documentation for how to do this?
This is a pretty hard question to answer in this form, and depends on what you mean by "easily". Since you say it's classwork I'm reluctant to say too much, but... Fundamentally, the only "difficult" bit of this project in terms of Twisted capabilities is finding the original destination address of your intercepted connections (so that you can do a "lookaside" connection and verify / impersonate the far-end cert) Presumably you'll be using something like Linux/IPTables to do this: iptables t nat -A PREROUTING \ -p tcp --dport 443 -j REDIRECT --to-port <twisted> In that case, you can find the original destination address by calling: socket.getsockopt(self.transport.fileno(), SOL_IP, SO_ORIGINAL_DST, 16) ...in your transport "connectionMade". You will presumably then want to start up an SSL connection to the original IP (or draw from cache) to find the far-end cert attributes (note: plural), call out to your local MITM CA for an impersonated cert/key, then call startTLS in server mode using a context holding the fake cert/key. This isn't very hard, and Twisted has everything you need (accept TCP connections, make outgoing SSL, find server certs, call out to subprocess, startTLS in server mode) except the SO_ORIGINAL_DST stuff (which is easy to add in). Anyway, I hope this helps; good luck with the assignment! Cheers, Phil