Is this supported?
A controller with incoming https request on one port, the controller calling a https web service with RestTemplate and forwarding the service response.
That isn't really multiple SSL connections. If you look at it as incoming and outgoing requests. On the incoming request to support SSL the server has to emit a certificate. It can be self signed or from a root authority. For the outgoing request the app is specifying that the protocol is HTTPS and then validating the server certificate is valid. If the certificate being validated is from a know root cert then the http client handles that on your behalf. If not then you would have to add the root cert to your keychain.
Now with that understanding there is nothing stopping you from configuring multiple incoming SSL endpoints and as well making multiple outgoing SSL requests. It is just a matter of configuring the specific connections. For that I would refer you to the Spring reference documentation as it has a lot of information on it as well as examples.
Related
I am currently working on GO app and I wanted to know how can I detect someone using reverse proxy apps such as Charles, Wireshark and Fiddler.
I tried to read about SSL-Pinning but I couldn't find anything useful.
Charles and Fiddler are no reverse proxies but forward proxies. TLS interception in such proxies can be detected based on the certificate returned - it will not be the original server certificate but one created by the server. And certificate validation will fail unless the proxy is specifically trusted by importing the proxies CA certificate. SSL pinning helps too since it expects the server to use a specific certificate or a specific CA - which the SSL intercepting proxy cannot provide.
Wireshark is no kind of proxy but passive packet capturing, i.e. it makes no changes to the traffic. Because it is passive it cannot be detected from inside the client application and SSL pinning would not help either. Wireshark can not decrypt TLS traffic though by its own - it would need to have the connection specific secrets from either inside the client application or inside the server application.
I've read a lot of related topics in the net, but I still don't have an answer to my question.
Is it possible to implement flow described below?
Proxy receive request.
If request is encrypted and proxy cert is trusted then intercept.
If request is not encrypted, then intercept.
If request is encrypted and proxy cert is NOT trusted then pass it through without interception.
This behaviour should be default for all traffic going through the proxy.
It'd be also really nice to be able to get all possible info for passing encrypted requests (src and dst ip addresses etc.). Basically the same info which I can get with fiddler.
Not really. The main problem is that mitmproxy can not know if proxy cert is trusted by the client or not.
In the SSL/TLS protocol client starts with the CLIENT_HELLO and in response the server (in this case motmproxy) sends back the SERVER_HELLO message containing the generated server certificate.
The client now checks if the received server certificate is trusted. If not the connection is terminated. As far as I know the SSL/TLS spec does not define how to do so. Sems clients end back an SSL_ALERT message, other simply drop the connection, and a third group continues the SSL/TLS handshake but have certain internal values set in a way that always let the handshake fail.
There is a mitmproxy script that tries to identify connections that were not successful and then if the client asks for the same domain a second time bypasses interception.
Of course this requires that the client resends requests which is not always the case.
https://github.com/sociam/x-ray/blob/master/mitmproxy/examples/tls_passthrough.py
I have written simple app which uses Spring RestTemplate to Another REST API.
Sample :
SomeClassresponse = restTemplate.postForObject("https://rest-endpoint.com", body, SomeClass.class);
"https://rest-endpoint.com" is using SSL. But my application is not, however according spring documentation RestTemplate "Spring's central class for synchronous client-side HTTP access.". So I'am using Client, as far as I understand I don't need to use SSL for data protection from sniffing packets? Or I'am I wrong?
That is correct.
The server hosting the RESTful endpoint is responsible for providing SSL. The SSL handshake occurs before your client delivers the payload. During the SSL handshake, the server shares its public asymmetric key with the client, and retains its private asymmetric key which it never shares with anybody. These keys are used to establish a single session key which will be used for encrypting all communication (except for IP addresses) during the session.
You can verify this with a network protocol analyzer such as Wireshark which allows you to inspect packets traversing your network. Run Wireshark and capture the packets that your client sends to the endpoint and you should see that they are encrypted.
i have a webservice which is being consumed by my website using ajax. since im using ajax i cannot have ip restrictions on my webservice. i know i can always add an additional layer of security by using a proxy to call my webservice and the ajax code calls the proxy not the webservice. this way i can always restrict access to my webservice to only allow requests from the proxy
but the end problem is not solved. that is any smart end user can always come to know the proxy url im using from my ajax code and fire requests to this proxy to access all the webservice data
how do i secure my webservice (with or without proxy) such that it only serves requests which come from my website
i can always use http_referrer check in my proxy but thats easy to hack...
is there a fool proof way of doing this
One of the ways you can implement this is by using two way SSL authentication for your website.
In two-way SSL authentication, the SSL
client application verifies the
identity of the SSL server
application, and then the SSL server
application verifies the identity of
the SSL-client application.
Two-way SSL authentication is also
referred to as client authentication
because the application acting as an
SSL client presents its certificate to
the SSL server after the SSL server
authenticates itself to the SSL
client.
This way before executing any WS request your WS will first check if your client has the valid SSL certificate or not. If it does not then the WS will not execute. Implementing two way SSL requires configuration at both ends and can be slightly complicated to implement. However once setup this is a really secure way to call your webservice and ensure that only authorized clients(who already have the certificate) make those calls. So your AJAX code can make a call to a Servlet which in turn can make the call to this service. This way your service url is also not exposed to the browser.
My understanding is that TLS is an encryption technique that allowing two STMP servers to communicate with each other securely. If HTTPS is used to connect to an STMP serve is that the same as using S/MIME?
No. TLS encrypts the communication channel. S/MIME encrypts the message. I.e., it's the difference between "talking openly on a secure line" and "talking in code on an insecure line."
HTTPS is used to connect to an STMP
There seems to be a misunderstanding regarding what HTTPS and SMTP are. HTTP and SMTP are two distinct protocols. HTTPS is essentially HTTP over SSL/TLS, which secures the communication between the client and the server. Similarly, communications between an SMTP client and an SMTP server can be secured using SSL/TLS (there are two variants: SMTP over SSL/TLS directly, on a specific port, or TLS initiated via STARTTLS within the SMTP protocol; either way, HTTPS isn't used to connect to an SMTP server). In both cases, this is transport-level security.
In contrast, S/MIME is about message-level security, where the messages are encrypted (even when they've been received and are sitting in your inbox).
What can be relevant to both SSL/TLS (for HTTP, SMTP, ...) and S/MIME is the notion of certificates and PKI (Public Key Infrastructure), which is what helps make decision regarding the trust in the remote party, necessary for security.