The proxy can now sit between a client and a https web server. It does
this by looking for a CONNECT request that conventional proxies use to
open a tunnel between a client and an https server. Instead of opening
an opaque tunnel, yaip immediately sends bacck a "connection
established" response. This tells the client (browser normally) to
proceed and initiate an HTTPS connection.
I use the host that was send in the connect request to set up a fake SSL
server. If we have seen the domain before, we re-use the certificate,
otherwise we generate a new one and sign it using YAIP's built in
certificate authority.
I still need to do work on forwarding the request upstream. This is my
next job. Currently, yaip responds with a valid response of "it worked".
```
$ curl https://example.com --cacert ~/.config/yaip/cert.pem
It worked
```
Notice, we don't get any certificate errors because we are telling curl
to trust the authority that yaip uses
Yaip is now able to generate simple SSL certificates for a given host.
I don't currently add any extensions to the certificates (such as
alternative names). When I get to testing it with a browser I'll see
what browsers require. However, I think I'll probably generate
certificates for each host, including sub domains, to make life easier
searching.
I've also added a util function to count lines in a file that was used
for testing some of the ssl functions.
I now start the listener in the main.c file rather than proxy given that
I didn't feel proxy was the right place if a normal (non-proxied)
request came in. webserver.{c,h} and proxy.{c,h} had some changes
relating to this.
The config changed slightly - we now create a folder in ~/.config/
called yaip. This is where certificates and so on will be stored along
with the user configuration
I created a helper function to get files inside this directory (it
changes based on xdg_config_home) and updated relevant tests.
In ssl.{c,h} I have started work. If they don't exist, the tool now
creates and stores a key and certificate for the CA that this tool will
need to pretend to be. I still need to write tests for this.
making requests to something like example.com over a non-encrypted
connection now works. Binary files are unlikely to work at the moment
although I haven't tried. Also, non-encrypted doesn't work.
I have also changed a little about how tests work. Requests tests now
display much better.
When the proxy is requested directly (without an host to pass the
request to), we want to respond with something.
In burp, you can download the certificate from here. In time, I'd like
this to do the same.
I'd also like the proxy server to be interacted with via an API - this
webserver will eventually deal with that as well although that is a
little way off.
I have started writing tests for the config functions. This has resulted
in a few changes to the config code (tests working I guess)
I have also added a special "all" config file which (as the name
suggests) runs all test suites
In the makefile I have added the compiled test files to the clean target
and added targets for building and running tests
I have done some work on opening a socket and waiting for a connection.
This can be read line by line and I have started a request struct that
it will accept.
Also started on some docs. Not much is yet working. I am going to start
learning µnit for unit tests:
https://nemequ.github.io/munit/
Jonathan Hodgson