My understanding is that TLS is an encryption technique that allowing two STMP servers to communicate with each other securely. If HTTPS is used to connect to an STMP serve is that the same as using S/MIME?
No. TLS encrypts the communication channel. S/MIME encrypts the message. I.e., it's the difference between "talking openly on a secure line" and "talking in code on an insecure line."
HTTPS is used to connect to an STMP
There seems to be a misunderstanding regarding what HTTPS and SMTP are. HTTP and SMTP are two distinct protocols. HTTPS is essentially HTTP over SSL/TLS, which secures the communication between the client and the server. Similarly, communications between an SMTP client and an SMTP server can be secured using SSL/TLS (there are two variants: SMTP over SSL/TLS directly, on a specific port, or TLS initiated via STARTTLS within the SMTP protocol; either way, HTTPS isn't used to connect to an SMTP server). In both cases, this is transport-level security.
In contrast, S/MIME is about message-level security, where the messages are encrypted (even when they've been received and are sitting in your inbox).
What can be relevant to both SSL/TLS (for HTTP, SMTP, ...) and S/MIME is the notion of certificates and PKI (Public Key Infrastructure), which is what helps make decision regarding the trust in the remote party, necessary for security.
Related
I've read a lot of related topics in the net, but I still don't have an answer to my question.
Is it possible to implement flow described below?
Proxy receive request.
If request is encrypted and proxy cert is trusted then intercept.
If request is not encrypted, then intercept.
If request is encrypted and proxy cert is NOT trusted then pass it through without interception.
This behaviour should be default for all traffic going through the proxy.
It'd be also really nice to be able to get all possible info for passing encrypted requests (src and dst ip addresses etc.). Basically the same info which I can get with fiddler.
Not really. The main problem is that mitmproxy can not know if proxy cert is trusted by the client or not.
In the SSL/TLS protocol client starts with the CLIENT_HELLO and in response the server (in this case motmproxy) sends back the SERVER_HELLO message containing the generated server certificate.
The client now checks if the received server certificate is trusted. If not the connection is terminated. As far as I know the SSL/TLS spec does not define how to do so. Sems clients end back an SSL_ALERT message, other simply drop the connection, and a third group continues the SSL/TLS handshake but have certain internal values set in a way that always let the handshake fail.
There is a mitmproxy script that tries to identify connections that were not successful and then if the client asks for the same domain a second time bypasses interception.
Of course this requires that the client resends requests which is not always the case.
https://github.com/sociam/x-ray/blob/master/mitmproxy/examples/tls_passthrough.py
Is this supported?
A controller with incoming https request on one port, the controller calling a https web service with RestTemplate and forwarding the service response.
That isn't really multiple SSL connections. If you look at it as incoming and outgoing requests. On the incoming request to support SSL the server has to emit a certificate. It can be self signed or from a root authority. For the outgoing request the app is specifying that the protocol is HTTPS and then validating the server certificate is valid. If the certificate being validated is from a know root cert then the http client handles that on your behalf. If not then you would have to add the root cert to your keychain.
Now with that understanding there is nothing stopping you from configuring multiple incoming SSL endpoints and as well making multiple outgoing SSL requests. It is just a matter of configuring the specific connections. For that I would refer you to the Spring reference documentation as it has a lot of information on it as well as examples.
I am trying to use Amazon SES on a Amazon EC2 linux server. I tried everything, I am already follow all the tutorials but I cant use the SMTP from my Amazon SES on my application.
the error:
SMTP Error: Could not authenticate.
SMTP Error Message: SMTP -> FROM SERVER:220 email-smtp.amazonaws.com ESMTP SimpleEmailService-222567251
SMTP -> FROM SERVER: 250-email-smtp.amazonaws.com 250-8BITMIME 250-SIZE 10485760 250-STARTTLS 250-AUTH PLAIN LOGIN 250 Ok
SMTP -> ERROR: AUTH not accepted from server: 530 Must issue a STARTTLS command first
SMTP -> FROM SERVER:250 Ok
SMTP Error: Could not authenticate.
Can you use telnet to establish a connection?
This thread has a bunch of suggestions:
https://forums.aws.amazon.com/message.jspa?messageID=301767
From about 2/3 down that thread:
The terminology around SSL and TLS is sometimes used in inconsistent or confusing ways in third-party documentation. I believe the problem you encountered is related to the feature set of those libraries rather than a difference between the way SSL and TLS work. Two different ways of establishing secure connections include STARTTLS and the Handshake Protocol.
STARTTLS provides a way for text protocols (SMTP, IMAP, POP3, etc.) to negotiate a secure connection using TLS/SSL within an existing established plaintext connection.
The Handshake Protocol (aka wrapper mode) supports the establishment of TLS/SSL connections which are secured before the application protocol begins. The Amazon SES SMTP interface currently requires the Handshake Protocol and does not support STARTTLS. We support both SSL 3.0 and TLS 1.0.
The SSL and TLS specifications are a good source of further information about the Handshake Protocol:
•SSL 3.0 specification (RFC 6101)
•TLS 1.0 specification (RFC 2246)
The documentation of Net::SMTP::SSL claims it supports the handshake protocol with SSL, while Net::SMTP::TLS suggests that it supports only STARTTLS not the TLS handshake protocol. I believe the library's lack of support for the handshake protocol explains why it did not work for you.
I'm trying to develop a XMPP "Proxy" which will be in the middle of a standard Jabber communication.
The schema will be something like this:
Pidgin ---> Proxy <--- eJabberD
|
v
Console
The purpose of this proxy is to log all the stanzas which go over the wire. IMHO, this is very convenient when you're developing XMPP based solutions.
I'm doing this with EventMachine and Ruby, and the main problem is to know how to decypher the traffic after the TLS/SASL handshake.
Before the starttls, all works perfectly, the server and client can talk between them, but when the tls handshake begins, although it works, it is impossible to dump the clear content as all of the traffic is encrypted.
I'm not an expert in TLS/SASL thing, so I don't know which is the best approach to do this. I think one way to achieve this, should be to grab the certificate in the handshake and use it to decypher the content as it goes throught the proxy.
Thanks!
If you could do what you say (grab the certificate on the wire and use it to decrypt), then TLS would be pretty worthless. This is one of the primary attacks TLS exists to prevent.
If the server will allow it, just don't send starttls. This is not required by spec. If starttls is required by your server, then you can configure it to use a null cipher, which will leave the traffic unencrypted. Not all servers will support that of course.
You can man-in-the-middle the starttls. Respond with your own tunnel to the client, and send a separate starttls negotiation to the server. This should generate certificate warnings on the client, but since you control the client you can tell it to accept the certificate anyway.
If you control the server, you can use the private key from it to decrypt the traffic. I'm not aware with any off-the-shelf code to do that easily, but it's writable.
To what extent, if at all, are HTTPS headers encrypted?
They are encrypted in transit through SSL. There is no special encryption dedicated to headers, HTTPS encrypts the entire message.
All headers are encrypted in HTTPS. You may want to look at some documentation on how SSL and TLS work.
SSL sets up a private authenticated link to the server and then sends an http request over that link. The evil-doer snooping on the link cant actually tell from just watching the connection that http is being used. SSL its self has some unencrypted headers that it uses to establish this connection though these should not be confused with the headers that are part of the http protocol.