
I have a library that handles the connection between an HTTP client and the web server.

I would like to intercept the http connections to see the server the user is trying to reach.

In many situations the clients try to connect to HTTPS servers/resources, so I would like to intercept the stream and inspect the interior to extract the server the user is trying to access. There is an extension in the TLS protocol v1.2 that allows this.

So the question is: is there any library (including OpenSSL) that allows TLS parsing without using any socket at all? I would like to use just the parser to extract the information, pretty much the way Wireshark does.

Thanks in advance. Martin

EDIT: I have found a proxy implementation that does exactly what I wanted to do.

https://github.com/dlundquist/sniproxy/tree/master/src

Martin A

1 Answer


so I would like to intercept the stream ...

There's no need to intercept the stream. The ClientHello is plain text, so it's available even to passive attackers.

You might need to hold offline data for things like session resumption and 0-RTT (but then again, the tokens or cookies used in session resumption and 0-RTT may not be available to you).

There is an extension in the TLS protocol v1.2 that allows this.

Yes. It's the Server Name Indicator (SNI) extension. It's available in TLS 1.0 and above.

So the question is: is there any library (including OpenSSL) that allows TLS parsing without using any socket at all?

One of Wireshark's dissectors comes to mind. But I'm not sure if they are available as a library. The following may be helpful from the Wireshark site: How to compile dissector to DLL or shared library?. Also see Wireshark tcap dissector inside my program on Stack Overflow.

jww
  • Thanks for your help, yes I know it is plain text, just to know if there was a small API or library to parse the extensions. I will take a look at the dissector you mentioned. – Martin A Dec 24 '14 at 00:32
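Both the question (parse TLS with no socket involved) and the answer (the ClientHello and its SNI extension are in the clear) come down to walking a few length-prefixed fields. The following is an added, self-contained example, not code from the question, the answer or sniproxy: a socket-free parser that takes the raw bytes of the first TLS record and returns the SNI host name, raising on truncated or non-handshake input instead of reading past the buffer. `build_client_hello` only constructs a sample record so the parser can be exercised offline; the host name `example.com` and the fixed random bytes are constructed values.

```python
"""Extract the Server Name Indication (SNI) host name from a raw TLS ClientHello.

Added example; works on bytes captured by any means (pcap, proxy buffer, file).
"""
import struct

TLS_HANDSHAKE = 0x16          # record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000      # extension type for SNI
SNI_HOST_NAME = 0x00          # only defined name_type


class TlsParseError(ValueError):
    """The bytes are not a well-formed TLS record carrying a ClientHello."""


def _need(buf: bytes, offset: int, count: int) -> None:
    """Bounds check before every read, so malformed input fails loudly rather than mis-parsing."""
    if offset + count > len(buf):
        raise TlsParseError(f"truncated: need {count} bytes at offset {offset}, have {len(buf) - offset}")


def extract_sni(data: bytes):
    """Return the SNI host name from the first TLS record in `data`, or None if no SNI extension."""
    _need(data, 0, 5)
    content_type, _version, rec_len = struct.unpack("!BHH", data[:5])
    if content_type != TLS_HANDSHAKE:
        raise TlsParseError(f"not a handshake record (content type {content_type:#x})")
    _need(data, 5, rec_len)
    body = data[5:5 + rec_len]  # first record only; a ClientHello split across records is not reassembled here

    _need(body, 0, 4)
    if body[0] != HANDSHAKE_CLIENT_HELLO:
        raise TlsParseError(f"not a ClientHello (handshake type {body[0]:#x})")
    hs_len = int.from_bytes(body[1:4], "big")
    _need(body, 4, hs_len)
    hello = body[4:4 + hs_len]

    pos = 0
    _need(hello, pos, 2 + 32 + 1)
    pos += 2 + 32                                    # client_version + random
    sid_len = hello[pos]; pos += 1                   # session_id
    _need(hello, pos, sid_len); pos += sid_len
    _need(hello, pos, 2)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2   # cipher_suites
    _need(hello, pos, cs_len); pos += cs_len
    _need(hello, pos, 1)
    cm_len = hello[pos]; pos += 1                    # compression_methods
    _need(hello, pos, cm_len); pos += cm_len
    if pos == len(hello):
        return None                                  # legacy client: no extensions block at all
    _need(hello, pos, 2)
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    _need(hello, pos, ext_total)
    end = pos + ext_total
    while pos < end:                                 # walk the extension list
        _need(hello, pos, 4)
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        _need(hello, pos, ext_len)
        if ext_type == EXT_SERVER_NAME:
            return _parse_sni(hello[pos:pos + ext_len])
        pos += ext_len
    return None


def _parse_sni(ext: bytes):
    """Parse the server_name extension body: a list of (name_type, length, name) entries."""
    _need(ext, 0, 2)
    list_len = struct.unpack("!H", ext[:2])[0]
    _need(ext, 2, list_len)
    pos, end = 2, 2 + list_len
    while pos < end:
        _need(ext, pos, 3)
        name_type = ext[pos]
        name_len = struct.unpack("!H", ext[pos + 1:pos + 3])[0]
        pos += 3
        _need(ext, pos, name_len)
        if name_type == SNI_HOST_NAME:
            return ext[pos:pos + name_len].decode("ascii")
        pos += name_len
    return None


def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello record (demo only, not a real capture)."""
    name = hostname.encode("ascii")
    sni_entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(name)) + name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    # an unrelated extension (supported_groups: secp256r1) placed first, so the loop has to skip it
    groups_ext = struct.pack("!HH", 0x000A, 4) + struct.pack("!HH", 2, 0x0017)
    exts = groups_ext + (sni_ext if with_sni else b"")
    hello = (
        b"\x03\x03"                          # client_version: TLS 1.2
        + b"\x11" * 32                       # random (constant placeholder)
        + b"\x00"                            # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
        + b"\x01\x00"                        # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))   # example.com
```

The parser deliberately stops at the first record and does not reassemble a ClientHello fragmented across several records or TCP segments; a proxy in front of real clients has to buffer until the full handshake length announced in the header has arrived before calling it.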