DeleGate as a Man-In-The-Middle proxy

Yutaka Sato
July 5, 2006

(Note that this feature is available only in the binary distributions.)

Peeping into encrypted HTTPS/SSL communication at an HTTP proxy becomes necessary in several situations. If the peeping is done by stealth by a malicious third party, it should be prevented as a Man-In-The-Middle attack. But if it is done by the same party, including the user of the client, it can be a useful feature.

Configuring DeleGate as an HTTP proxy to do such peeping has become easy in version 9.2.3 with the STLS=mitm option. With this option, all HTTPS/SSL communication relayed through the proxy becomes peepable. The following is an example of an HTTP proxy to peep the HTTPS/SSL request messages toward the server.

Another MITM mode of DeleGate performs MITM only when the client explicitly requests it. This mode is enabled with the STLS=-mitm option together with a special URL format specified by the client.

The current implementation of MITM in DeleGate is slow because of the Keep-Alive handling combined with SSL peeping; it will be improved in the next version. In 9.2.3 the performance of MITM for HTTP was about ten times slower than without MITM, because HTTP Keep-Alive was disabled in MITM mode, there was no SSL session cache with servers, and so on. These were implemented in 9.2.4, improving the performance five times, so the performance with STLS=mitm is now about twice as slow as without MITM. (STLS=-mitm in 9.2.4 is still slow, however, because Keep-Alive remains disabled to avoid a problem around rewriting URLs ...)

(excerpt from the reference manual)
DeleGate reference manual version 9.9 / TLS negotiation control
STLS parameter*     ==  STLS=stlsSpecs[,sslwayCom][:connMap]
         stlsSpecs  ==  [-]stlsSpec[/im][/ssl][,stlsSpecs]
          stlsSpec  ==  fsv | fcl | mitm | imimSec
         sslwayCom  ==  {sslway [-Vrfy] [-CApath dir] ...}
           connMap  ==  ProtoList:dstHostList:srcHostList
                    --  default: none
                    --  restriction: applicable to HTTP, FTP, SMTP, POP, IMAP, SOCKS
                    --  required: SSLway
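The two MITM modes described above (STLS=mitm peeps every relayed connection, STLS=-mitm only when the client asks) are distinguishable purely from the STLS parameter's syntax in the excerpt. The following is an added example, not code from DeleGate or its reference manual: a small Python parser for that STLS grammar plus an audit helper that flags which lines of a proxy configuration enable SSL peeping, which is the check an operator reviewing a DeleGate deployment would want. The sample configuration lines are constructed, the `-CApath` directory is a made-up value, and the exact spelling of the `imimSec` token is assumed to be a token beginning with `im`, since the excerpt does not define it further.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Grammar from the reference-manual excerpt:
#   STLS=stlsSpecs[,sslwayCom][:connMap]
#   stlsSpecs == [-]stlsSpec[/im][/ssl][,stlsSpecs]
#   stlsSpec  == fsv | fcl | mitm | imimSec
#   sslwayCom == {sslway [-Vrfy] [-CApath dir] ...}
#   connMap   == ProtoList:dstHostList:srcHostList
# Assumption: "imimSec" is accepted as any token starting with "im" (e.g. "im30").


@dataclass
class StlsSpec:
    name: str
    on_request_only: bool   # leading '-': MITM only when the client explicitly asks
    flags: List[str]        # any of "im", "ssl"


@dataclass
class StlsParam:
    specs: List[StlsSpec]
    sslway: Optional[str]    # contents of {...} without the braces
    conn_map: Optional[str]  # "ProtoList:dstHostList:srcHostList" if present


_SPEC_RE = re.compile(r'(-?)(fsv|fcl|mitm|im\w*)((?:/(?:im|ssl))*)')


def _split_outside_braces(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators inside a {sslway ...} group."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
        if ch == sep and depth == 0:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return parts


def parse_stls(param: str) -> StlsParam:
    """Parse one STLS=... parameter according to the grammar above."""
    if not param.startswith('STLS='):
        raise ValueError(f'not an STLS parameter: {param!r}')
    body = param[len('STLS='):]
    head, *rest = _split_outside_braces(body, ':')   # connMap follows the first top-level ':'
    conn_map = ':'.join(rest) if rest else None
    specs, sslway = [], None
    for item in _split_outside_braces(head, ','):
        item = item.strip()
        if item.startswith('{') and item.endswith('}'):
            sslway = item[1:-1].strip()               # sslwayCom
            continue
        m = _SPEC_RE.fullmatch(item)
        if not m:
            raise ValueError(f'bad stlsSpec: {item!r}')
        minus, name, suffix = m.groups()
        specs.append(StlsSpec(name, minus == '-', [f for f in suffix.split('/') if f]))
    return StlsParam(specs, sslway, conn_map)


def mitm_mode(param: str) -> Optional[str]:
    """'always' for STLS=mitm, 'on-request' for STLS=-mitm, None if no peeping."""
    for spec in parse_stls(param).specs:
        if spec.name == 'mitm':
            return 'on-request' if spec.on_request_only else 'always'
    return None


def audit(config_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, mode) for every STLS line that enables SSL peeping."""
    findings = []
    for line in config_lines:
        line = line.strip()
        if line.startswith('STLS='):
            mode = mitm_mode(line)
            if mode:
                findings.append((line, mode))
    return findings


# Constructed sample of DeleGate-style parameter lines (not a real deployment).
SAMPLE_CONFIG = [
    "SERVER=http",
    "STLS=fsv/ssl",
    "STLS=mitm",
    "STLS=-mitm,{sslway -Vrfy -CApath /etc/ssl/certs}:http:*:*",
]

if __name__ == '__main__':
    for line, mode in audit(SAMPLE_CONFIG):
        print(f'{mode:10s} {line}')
```

Running the block prints the two peeping-enabled lines with their mode; `STLS=fsv/ssl` is reported as harmless because it only forces SSL toward the server without a MITM spec. The `_split_outside_braces` helper exists so that a `-CApath` value containing a colon or comma inside the `{sslway ...}` group does not break the split between specs and the connMap.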
