Change Paros Proxy MITM SSL certificate

Don’t you just love man-in-the-middle (MITM) HTTPS proxies? I use Burp proxy a lot; it does man-in-the-middle and gzip.

But I have an assignment where the client configuration cannot be changed. The client rejects certificates from non-trusted CAs and I cannot add Portswigger’s certificate to the trusted roots. I went looking for an open source HTTPS MITM proxy, hoping I could recompile it to use a trusted certificate that I already have in hand.

Paros proxy fits the bill. Here is how you can swap Paros proxy’s man-in-the-middle certificate for your own using keytool, openssl, and jar.

First of all, the Paros certificate is the file ./resource/paroskey. It is a JKS keystore and its password is “!@#$%^&*()”, without the quotes (the password is in the source code, so I am not revealing any secrets). Extract it with this command:

jar xvf paros.jar resource/paroskey

You can view the certificate using this command (you might have to escape some characters for it to work on your platform):

keytool -list -v -keystore resource/paroskey -storepass "!@#$%^&*()"

If something goes wrong, you can run that command and compare the original and the new certificate. Run it after each keytool operation if you want to follow what is going on in there.

To keep it as simple as possible, I will simply replace the paroskey file with my own certificate, using the same alias and password that are hardcoded. This lets you do the same without the Java SDK. OK, maybe just keytool.

Now you have to get your hands on a certificate. I suggest using your own certificate authority (CA) to start playing with the proxy right away. This page is perfect for this. It even works well on Windows with cygwin. A better setup would be a test CA in your company or lab that signs your certificates. I also packaged the two sample certificate files I refer to in this article in a zip file.

So if you have your CA public key certificate in a file named ca-cert.pem, copy it to the local directory and import it into the keystore you just extracted with this command:

keytool -import -trustcacerts -alias "my-ca" -file ca-cert.pem -keystore resource/paroskey -noprompt -storepass "!@#$%^&*()"

Now you must choose the hostname of your proxy. It doesn’t have to match any DNS record, but if you want your setup to be warning-free, make them match. I chose mitm.paralint.com, and I delete the old certificate and generate a new private key with these two commands:

keytool -delete -alias paros -keystore resource/paroskey -storepass "!@#$%^&*()"
keytool -genkey -keyalg RSA -alias paros -keystore resource/paroskey -storepass "!@#$%^&*()" -keypass "!@#$%^&*()" -dname "CN=mitm.paralint.com" -validity 720

Adjust the validity period to your needs, but do not change the alias or passwords. Now create a certificate signing request with this command:

keytool -certreq -v -alias paros -keystore resource/paroskey -storepass "!@#$%^&*()" -file mitm.paralint.com.csr

Hand over the mitm.paralint.com.csr file to your CA. If you are using the CA suggested above, initialize it with make init, copy the csr file into the same directory as the makefile and type make sign.

Your CA will send you back a signed certificate (mitm.paralint.com.cert). It must be in DER format to be imported into the JKS keystore. If it is not (as when you are using the CA mentioned above), type this command to convert it:

openssl x509 -in mitm.paralint.com.cert -out mitm.paralint.com.der -outform DER

Now import that DER encoded certificate into the JKS keystore with this keytool command:

keytool -import -v -alias paros -file mitm.paralint.com.der -keystore resource/paroskey -storepass "!@#$%^&*()" -storetype JKS

All this work has got you a certificate with a hostname you selected, in a keystore that can be used as a drop-in replacement for Paros’ built-in hardcoded keystore. Use your favorite tool for this or keep reading if all you have is the jar utility.

Replace the old keystore with the new one in paros.jar with this command (back up paros.jar before, just in case…):

jar uvf paros.jar resource/paroskey

That’s all there is to it! Your Paros proxy will now show mitm.paralint.com as its hostname. Remember that to be completely warning-free, you must trust the root CA. If it’s not already there, import the root CA public key certificate into your browser.
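The whole procedure above, collected into one POSIX shell script. This is an added example and not code from the original post or from the Paros project. It makes a few assumptions of its own: the CA is a throwaway self-signed one created with openssl in place of the make init / make sign CA linked above, the paroskey keystore is built from scratch rather than modified after extraction (so -storetype JKS is passed explicitly, since JDK 9 and later would otherwise create a PKCS12 store), a subjectAltName is added to the signed certificate because current clients match the hostname against the SAN rather than the CN, and the MITM_WORK / MITM_HOST variables and the function names are my own. The alias, passwords, hostname and file names are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the Paros project): the whole
# paroskey swap as one script, using openssl and keytool. The CA is a throwaway
# self-signed one created here, standing in for the "make init"/"make sign" CA.
set -eu

PAROS_PASS='!@#$%^&*()'                      # hardcoded Paros keystore password from the post
MITM_HOST="${MITM_HOST:-mitm.paralint.com}"  # hostname (CN) the proxy will present
MITM_WORK="${MITM_WORK:-$(mktemp -d)}"       # scratch directory; put paros.jar here to update it
KS="$MITM_WORK/resource/paroskey"            # same path the jar expects

# Throwaway CA (assumption for this example): a self-signed key pair whose only
# job is to sign the proxy's CSR so a client that trusts ca-cert.pem stays quiet.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Test MITM Lab CA" \
        -keyout "$MITM_WORK/ca-key.pem" -out "$MITM_WORK/ca-cert.pem" 2>/dev/null
}

# Build resource/paroskey from scratch: trust the CA, then create the "paros"
# key pair under the alias and passwords Paros has hardcoded. -storetype JKS is
# explicit because JDK 9+ would otherwise create a PKCS12 store Paros cannot read.
build_keystore() {
    mkdir -p "$MITM_WORK/resource"
    rm -f "$KS"
    keytool -importcert -trustcacerts -alias my-ca -file "$MITM_WORK/ca-cert.pem" \
        -keystore "$KS" -storetype JKS -noprompt -storepass "$PAROS_PASS" >/dev/null 2>&1
    keytool -genkeypair -keyalg RSA -keysize 2048 -alias paros -keystore "$KS" \
        -storetype JKS -storepass "$PAROS_PASS" -keypass "$PAROS_PASS" \
        -dname "CN=$MITM_HOST" -validity 720 >/dev/null 2>&1
    keytool -certreq -alias paros -keystore "$KS" -storetype JKS \
        -storepass "$PAROS_PASS" -file "$MITM_WORK/$MITM_HOST.csr" >/dev/null 2>&1
}

# Sign the CSR with the test CA (in place of "make sign"). A subjectAltName is
# added because current clients match the hostname against the SAN, not the CN.
sign_csr() {
    printf 'subjectAltName=DNS:%s\n' "$MITM_HOST" > "$MITM_WORK/san.cnf"
    openssl x509 -req -in "$MITM_WORK/$MITM_HOST.csr" -CA "$MITM_WORK/ca-cert.pem" \
        -CAkey "$MITM_WORK/ca-key.pem" -CAcreateserial -days 720 \
        -extfile "$MITM_WORK/san.cnf" -out "$MITM_WORK/$MITM_HOST.cert" 2>/dev/null
    # JKS import wants DER; importing under the existing alias replaces the
    # self-signed certificate with the CA-signed one (the CA is already trusted in the store).
    openssl x509 -in "$MITM_WORK/$MITM_HOST.cert" -out "$MITM_WORK/$MITM_HOST.der" -outform DER
    keytool -importcert -alias paros -file "$MITM_WORK/$MITM_HOST.der" -keystore "$KS" \
        -storetype JKS -storepass "$PAROS_PASS" -noprompt >/dev/null 2>&1
}

# Read back one field (Owner or Issuer) of the leaf certificate stored under
# alias "paros": the first matching line of "keytool -list -v" is the leaf.
paros_field() {
    keytool -list -v -alias paros -keystore "$KS" -storetype JKS \
        -storepass "$PAROS_PASS" 2>/dev/null \
        | sed -n "s/^$1: CN=\([^,]*\).*/\1/p" | head -n 1
}

# Same "jar uvf" step as the post; only runs when a paros.jar is in $MITM_WORK.
update_jar() {
    [ -f "$MITM_WORK/paros.jar" ] || { echo "no paros.jar in $MITM_WORK, skipping jar update"; return 0; }
    cp "$MITM_WORK/paros.jar" "$MITM_WORK/paros.jar.bak"
    (cd "$MITM_WORK" && jar uvf paros.jar resource/paroskey)
}

# Usage: MITM_HOST=mitm.paralint.com MITM_WORK=/tmp/paros sh swap-paroskey.sh run
if [ "${1:-}" = "run" ]; then
    make_test_ca
    build_keystore
    sign_csr
    echo "paros entry: CN=$(paros_field Owner), issued by CN=$(paros_field Issuer)"
    update_jar
fi
```

After a run, `keytool -list -v` on the new store shows a chain of length 2 for alias paros, the leaf owned by CN=mitm.paralint.com and issued by the test CA; a client still needs ca-cert.pem in its trust store, exactly as the post says at the end.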

5 Comments

  1. chaco wrote:

    Hi

    I went through the article and implemented the same. When I am trying to login to a certain web application after entering the credentials, the certificate created using the above method is being rejected saying that the certificate is not trusted. Can you please help me out in this?

    Thanks
    Chaco

    Friday, June 22, 2007 at 2:18
  2. ixe013 wrote:

    That’s odd. There are basically 3 warnings you can get:
    1. an outdated certificate
    2. a root certificate that is not trusted
    3. a mismatch between the hostname and the certificate name.

    I think that you have the second problem. It is easy to fix: you must add the certificate authority public key certificate to your browser / device. In this example, you would need to import ca-cert.pem; replace it with your own file.

    I used Firefox to test this procedure, but here is how you add ca-cert.pem to IE 6.

    1. Go to Tools > Internet Options and click on the “Content” tab.
    2. Click the “Certificates” button.
    3. In the window that pops up, select the “Trusted Root Certification Authorities” tab and click “Import”
    4. Find the ca-cert.pem file (the PEM extension is not in the filter list, type *.* to find it)
    5. Click Ok, Next, Yes and whatnot about a dozen times until you get out of those dialogs.

    Does this help?

    Friday, June 22, 2007 at 7:23
  3. chaco wrote:

    HI ixe013,

    Thanks a lot for the quick response. I forgot to mention in my last comment that this article is really really helpful and very nicely elaborated in spite of being a very complicated topic.
    I did as suggested by you, but it still throws the same error. Here, the web application is using an applet to do everything and I think it is the applet that is validating the certificate. I got this error that the certificate is not trusted from the exceptions in the Java console. Do you think something can be done at this level to overcome this issue? Please suggest.

    Thanks
    Chaco

    Monday, June 25, 2007 at 3:01
  4. ixe013 wrote:

    Ah, those applets! They really add confusion to this whole certificate thing. It’s by design; there is some good reason why it’s like that. But it does make sense in the end.

    First, let me suggest a little known debugging tip: enable Java security debugging with -Djava.security.debug=policy in your deployment.properties file. More on this over here: http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/debugger.html

    It is a matter of trust, again. A Java applet will not use the certificate store of your browser. It will use a Java keystore. You edit that keystore with keytool.

    What you need to do is add the certificate authority public key certificate to the trusted certificates. On Windows, it can also be done with the control panel.

    I do not have an English localized Java VM, so expect the names I write to be a little different.

    Launch the Java control panel applet. In the Security tab, click Certificates. In the type drop down box, select “secure web site root CA”. Click import. Browse to the ca-cert.pem file (pem files won’t be shown, but they are supported; type *.* to show all files). Then it’s the usual Ok, Yes, Finish, Done, etc.

    It can also be done with the command line. It is the same command as the third step in my Paros MITM blog entry. The keystore you are looking for is named cacerts. On Windows, unless you specify another keystore location in your local client.policy file, the default root ca keystore is

    C:\Program Files\Java\jre1.5.0_07\lib\security\cacerts

    Where cacerts is a file, not a directory. To trust a root certificate contained in a file named ca-cert.pem, type this:

    keytool -import -trustcacerts -alias "my-ca" -file ca-cert.pem -keystore cacerts -noprompt -storepass "changeit"

    The password is actually changeit, btw. So don’t change it or the command won’t work ;)

    Good luck!

    Monday, June 25, 2007 at 20:06
  5. chaco wrote:

    Thanks ixe013. This is very useful and thanks for your patience and time to elaborate it. I have another question, though not very relevant to this topic.
    When I am trying to use Paros on a web application that requires a client certificate, this certificate does not have any password. But when I try to select the certificate in Paros from the Options menu, it asks for a password and if I don’t give a password, it does not accept the certificate. Could you provide some help on this?

    Thanks a lot.

    Monday, July 30, 2007 at 22:36