Hi Nelson: Thanks for your reply. But my goal is a little different. I want to intercept requests from different clients (and not just the Mozilla browser). So this component is a real proxy listening on some port for requests.

As far as the design is concerned, it may not be a good thing to have a MITM, but if we just consider the implementation aspect, then can someone who has worked on SSL in Mozilla point out a flaw in the following code? As I said earlier, no error is reported, but the handshake, which is supposed to take place at the start of the next request, doesn't happen. I have read the SSL Functions document (http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html) and I think I have covered all aspects mentioned there.

Thanks.

// Creating a socket
mServerSocket = do_CreateInstance(NS_SERVERSOCKET_CONTRACTID);
mServerSocket->Init(<SomePortNum>, loopbackOnly, -1);
// ProxyConnectionListener implements nsIServerSocketListener
nsCOMPtr<nsIServerSocketListener> listener = CreateProxyConnectionListener();
mServerSocket->AsyncListen(listener);

// In ProxyConnectionListener's OnSocketAccepted, I do the following:
NS_IMETHODIMP
OnSocketAccepted(nsIServerSocket *aServ, nsISocketTransport *aTransport)
{
    nsCOMPtr<nsIInputStream> input;
    nsCOMPtr<nsIOutputStream> output;
    aTransport->OpenInputStream(0, 0, 0, getter_AddRefs(input));
    aTransport->OpenOutputStream(0, 0, 0, getter_AddRefs(output));

    // ConnectionHandler implements nsIStreamListener
    nsCOMPtr<nsIStreamListener> shell = CreateConnectionHandler(aTransport, input, output);

    // Pump the plaintext input stream into the handler
    nsresult rv = NS_NewInputStreamPump(getter_AddRefs(mPump), input, -1, -1, 0, 0, PR_FALSE);
    NS_ENSURE_SUCCESS(rv, rv);
    rv = mPump->AsyncRead(shell, nsnull);
    NS_ENSURE_SUCCESS(rv, rv);
    return NS_OK;
}

// In ConnectionHandler's OnDataAvailable, when I receive the CONNECT request, I do the following:
// First I write a 200 response to the client.
// Then I upgrade the socket to SSL by calling the following StartSSLServer() function.
NS_IMETHODIMP
StartSSLServer(nsISocketTransport *trans)
{
    SSLKEAType certKEA;
    PRFileDesc *s1, *s2;

    NS_ENSURE_ARG_POINTER(trans);
    if (!cert || !privKey)
        return NS_ERROR_NOT_INITIALIZED;

    nsresult rv = trans->GetFileDescriptor(&s1);
    NS_ENSURE_SUCCESS(rv, rv);
    NS_ENSURE_STATE(s1);

    // Layer SSL on top of the existing plaintext descriptor
    s2 = SSL_ImportFD(nsnull, s1);
    if (!s2)
        return NS_ERROR_UNEXPECTED;

    rv = trans->SetFileDescriptor(s2);
    if (NS_FAILED(rv))
        goto loser;

    certKEA = NSS_FindCertKEAType(cert);
    if (SECSuccess != SSL_ConfigSecureServer(s2, cert, privKey, certKEA))
        goto loser;

    // Mark the socket as a server side that has not yet handshaken
    if (SECSuccess != SSL_ResetHandshake(s2, PR_TRUE))
        goto loser;

    return NS_OK;

loser:
    return NS_ERROR_FAILURE;
}

-- 
Best Regards.
Umesh.

"Nelson Bolyard" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Colin Blake wrote:
>> The use of the word "extension" in Umesh's introduction is misleading.
>> This is for use within a product, which is not your typical browser with
>> a typical user. There is no plan to offer any such proxy as a general
>> purpose extension.
>
> If you want to perform some kind of filtration on the content, the right
> way to do it is to filter it when it comes out of the SSL pipe in the
> local browser (or other client product), not to MITM attack the pipe.
>
> The MITM attack leaves the browser/client vulnerable to many OTHER attacks.
>
> There are other extensions that already do this, intercept/filter the
> content inside the client process, on "this side" of the SSL pipe.
> I suggest you try to do it in the way that those other extensions do.
> Work WITH the client's built-in security system, rather than against it.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
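The CONNECT-then-upgrade sequence Umesh describes, as an added Python analog (not NSS and not the XPCOM code from the post): read CONNECT, answer 200 in plaintext, then layer TLS on the same socket as the server side and drive the handshake explicitly instead of leaving it to the next read. The certificate paths are placeholders and the sample request is constructed.

```python
import socket
import ssl

# Constructed sample request, not taken from the original post.
SAMPLE_CONNECT = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
CONNECT_OK = b"HTTP/1.1 200 Connection Established\r\n\r\n"


def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request line, or None for anything else."""
    line, _, _ = request.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT":
        return None
    host, _, port = parts[1].rpartition(b":")
    if not host or not port.isdigit():
        return None
    return host.decode("ascii"), int(port)


def upgrade_to_tls_server(conn: socket.socket, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Counterpart of the post's StartSSLServer(): layer TLS (server side) on an
    already-connected plaintext socket.  Wrapping alone does not handshake
    (do_handshake_on_connect=False, much like SSL_ResetHandshake only arming the
    NSS socket), so the handshake is driven explicitly here.  After this call only
    the returned TLS object may be read or written: any reader still attached to
    the raw socket would consume the ClientHello before the TLS layer sees it."""
    tls = ctx.wrap_socket(conn, server_side=True, do_handshake_on_connect=False)
    tls.do_handshake()
    return tls


def serve_one(listener: socket.socket, ctx: ssl.SSLContext):
    """Accept one client: read CONNECT, answer 200 in plaintext, then upgrade.
    Assumes the client waits for the 200 before sending its ClientHello."""
    conn, _ = listener.accept()
    with conn:
        target = parse_connect(conn.recv(4096))
        if target is None:
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
            return None
        conn.sendall(CONNECT_OK)
        tls = upgrade_to_tls_server(conn, ctx)
        with tls:
            return target, tls.recv(4096)  # first decrypted request from the client


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Placeholder paths: the certificate must be one the connecting product trusts.
    ctx.load_cert_chain("proxy-cert.pem", "proxy-key.pem")
    with socket.create_server(("127.0.0.1", 8443)) as listener:
        print(serve_one(listener, ctx))
```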