corgski
The premise is simple - use mitmproxy as an HTTP/SSL proxy to downgrade SSL connections for systems that don't support TLS 1.1 or 1.2.
The execution, not so much. Currently I have it working with Safari on PPC OS X, Classilla on MacOS 9, and an older version of Opera on Windows 98. Trying to use Internet Explorer/Netscape Navigator currently fails due to, I think, broken SSLv2 and SSLv3 support.
That said, I did work up a way to generate root CA certificates that will install on older systems. In order to do this you'll need a Linux system with OpenSSL and mitmproxy installed - you have to downgrade the signature algorithm to SHA-1 on your root certificate in order for it to install at all in IE 5 for Mac or anywhere on Windows 98.
To generate the initial keys/certs use this script after installing mitmproxy but before starting it:
Code:
#!/bin/sh
# Stop on the first failing step so a partial CA is never left behind
set -e
# Keep the CA private key readable only by the current user
umask 077
mkdir -p ~/.mitmproxy
cd ~/.mitmproxy
# 2048-bit RSA key for the root CA
openssl genrsa -out mitmCA.key 2048
# Self-signed root certificate, SHA-1 signature, valid for 5 years (prompts for the subject)
openssl req -x509 -new -nodes -key mitmCA.key -sha1 -days 1825 -out mitmCA.pem
# Key + certificate bundle that mitmproxy loads as its CA
cat mitmCA.key mitmCA.pem > mitmproxy-ca.pem
# Certificate-only copies to install on clients: PEM, PKCS#12, DER (.cer)
cp mitmCA.pem mitmproxy-ca-cert.pem
openssl pkcs12 -export -out mitmproxy-ca-cert.p12 -in mitmproxy-ca-cert.pem -nokeys -passin pass:root -passout pass:root
openssl x509 -outform der -in mitmproxy-ca.pem -out mitmproxy-ca-cert.cer
This will generate the root CA certificate and all the required certificate formats for the software to operate. Old Microsoft products (including IE5 for Mac) expect the "mitmproxy-ca-cert.cer" file. Classilla, Opera, and Safari will accept "mitmproxy-ca-cert.pem" for their cert. Weirdly, attempting to install the root certificate into the MacOS 9 keychain fails. It appears the certificate format it's looking for is at its core pkcs7 (*.p7b) but not base64 encoded. However, this still results in a blank certificate being imported and an error when trying to view it.
Anyway, to start up mitmproxy, you'll want to use the following command line. Being a pentesting tool more than anything, it's not really set up for running in the background. Sticking it on a separate screen, however, works well enough.
Code:
screen -dm mitmweb --set ciphers_client=ALL --set ciphers_server=ALL --set ssl_version_client=all
That will enable less secure ciphers and SSL versions for connecting clients and then also allow less secure ciphers for communication with servers that still aren't following best practices.
Now just enter the IP address of your server with port 8080 for your HTTP and HTTPS proxy and copy over and install the root CA certificates and you'll be online.
The issue I'm still running into is that there's something broken in how it handles clients that only support SSLv2/SSLv3. It won't even log a connection attempt from those browsers - Netscape will say the socket was closed and IE for Mac will say that the server sent an invalid response. I'm not sure what my next step is in debugging what exactly is happening, but that's why I'm posting here!
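For the SSLv2/SSLv3-only failure described in the post, a first diagnostic step is to see which framing and version a legacy browser actually sends once the CONNECT tunnel is open. The following is an added example, not part of the original post or of mitmproxy: the function name, the sample byte strings and the host `example.test` are constructed for illustration.

```python
import struct

# Wire encoding of client_version -> name. SSLv2 is 0x0002, SSLv3 is 0x0300.
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def classify_client_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends inside the CONNECT tunnel.

    Reports the framing and the highest version the ClientHello offers.
    """
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 framing: 2-byte length with the high bit set, then
        # message type 1 (CLIENT-HELLO) and the 2-byte offered version.
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        offered = VERSIONS.get((data[3], data[4]), "unknown")
        return {"framing": "sslv2", "length": length, "offered": offered}
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # SSLv3/TLS framing: 5-byte record header (type 22 = handshake),
        # 4-byte handshake header (type 1 = ClientHello), client_version.
        length = struct.unpack(">H", data[3:5])[0]
        offered = VERSIONS.get((data[9], data[10]), "unknown")
        return {"framing": "tls-record", "length": length, "offered": offered}
    return {"framing": "unknown", "length": None, "offered": None}


# Constructed samples (not captured traffic); cipher and random bytes are filler.
# SSLv2-framed hello offering SSLv3: 7 cipher specs, no session id, 16-byte challenge.
SAMPLE_V2_FRAMED = bytes.fromhex("802e0103000015" "0000" "0010") + bytes(21 + 16)
# SSLv3 record carrying a ClientHello with one suite (0x000a) and null compression.
SAMPLE_SSLV3 = (bytes.fromhex("160300002d" "01000029" "0300") + bytes(32)
                + bytes.fromhex("00" "0002000a" "0100"))
# What the proxy port sees before the tunnel is set up: plain HTTP.
SAMPLE_CONNECT = b"CONNECT example.test:443 HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, blob in [("v2-framed", SAMPLE_V2_FRAMED),
                       ("sslv3", SAMPLE_SSLV3), ("connect", SAMPLE_CONNECT)]:
        print(name, classify_client_hello(blob))
```

Feed it the first bytes the client sends after the proxy answers the CONNECT request, taken from a packet capture on the proxy host. An "sslv2" framing result means the browser opens with the older 2-byte-header hello rather than a TLS record.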