I clear all the cookies in a browser. Then
I fire up the proxy and browse some websites, and then look at what cookies are set in my browser, I don’t see some cookies that I expect to be set.

When I do the exact same thing (clear cookies, _ exact websites), I can see the cookies being set in the browser.

So my inference is that the proxy is somehow eating up the cookies in the response. These sites are http, not https, so that is also not the issue.

Any pointers for investigation?

thanks

We faced the same problem as you, at time we wrote the tool the only available proxy in http was the one in spikeProxy.

By the way we updated the tool and now you can easily implement plugins.

-CMM

It might be easier to write this as a general (CGI) script that could be developed on your local box without a web server. I could script it using a Bourne shell script ;-) but I would probably use my favorite, Tcl.

From the command-line, you can use “openssl s_client”, and s_server and generate a certificate:

http://www.securityfocus.com/infocus/1486
http://www.vanemery.com/Linux/Apache/openSSL.html

Anyway, I put up a page regarding SSL termination:

http://grandscheme.org/gs.cgi?.....https.html

Since a browser will complain about certificate mismatches, I was wondering how you were expecting your code to be useful as part of a “transparent SSL proxy.” You made no mention of certificates.

could you share the fixed code with us ?
I have been trying to fix it myself. It kind of works but it always takes like 1 or 2 minutes before I get an answer to my POST…

thanks

If i wanted to write some basic tests for this, how would I go about doing it? I think it’d be useful. I was thinking something along the lines of, say, having a Paramiko-driven app try and connect to https://gmail.com using some dummy username and password we create, and seeing if it can intercept the information properly (?)

Just a thought. I don’t have enough netsec experience to contribute directly, but i do have python experience enough (and with scripting paramiko) to do this i think. At the very least, setting up some unit tests should help me figure out how the python networkign stuff works better.

Again, good stuff! I’ll be keeping tabs on this definitely.

Thanks for letting me know. It will be great if we can polish this module as much as possible as I see that there is a lot of interest in a technology like this one and no one is providing it at the moment. I personally need it for several projects of mine.

Regarding your comment on HTTPServerWrapper class. This code is essential in order to make SSL sniffing work. It basically transmits information about the path which needs to be accessed from the SSL endpoint the browser tries to connect to via the proxy. Anyway, I will email you so we can keep in touch.

Line 488: SSL.SysCallError should be OpenSSL.SSL.SysCallError

I was getting a SysCallError exception on reads, so I added “or OpenSSL.SSL.SysCallError” to line 276.

The do_GET function on line 161 was having problems with certain web sites. I think it has something to do with the if hasattr(self.server, 'chainedHandler") block from the other do_GET function elsewhere in the code. When I copied that code from the other do_GET to the do_GET on line 161 it worked for every site I tried it on.

Email me so I know how to get a hold of you later if I find more bugs, ok?