
How do I (manually) intercept and return a custom message to a browser making a HTTPS request

I am creating a 'firewall' type device (i.e. sitting in the middle of a communication) that in some cases needs to intercept an HTTPS request and return a message to the client browser (like e.g.: sorry this is blocked).

I can do this for HTTP by redirecting (with iptables DNAT) to another port on the device where netcat is listening: while true; do echo -e "HTTP/1.1 200 OK\n\nsorry this is blocked" | nc -l -p 8000; done

(so nc is listening on port 8000 and returning a normal code 200 reply. Could of course also be some other return code like 403 Forbidden etc.)

But what to do for HTTPS? The whole thing is encapsulated in SSL/TLS and if intercepted the browser will just display a message that the secure connection failed. I tried responding with an HTTP 307 Temporary Redirect with a Location pointing to http://127.0.0.1 (which would then give the above message). But the browser doesn't like this.

I need to display some sort of customized message (not necessarily HTML). I realize that it would be a huge security issue if an HTTPS request could be changed to HTTP, thus stripping the security without the client noticing, but can a popup message or something not be forced in the client? Or at least a standard code like '403 Forbidden'..? Is there something in the SSL or TLS protocols that I can (ab)use?

Thanks.

So you are developing a transparent proxy. When it comes to HTTPS traffic every proxy has the choice:

  • Pass it without decryption
  • Block it completely
  • Perform a man-in-the-middle attack for getting access to the content

If you perform the man-in-the-middle attack and the client does not trust the certificate used by the proxy, it will get a certificate warning. You cannot send anything HTTP related to the client because SSL/TLS already fails to establish the tunnel. No tunnel means that you will not be able to transmit a single "HTTP byte" (this also means that you cannot redirect the client somewhere else).

And on SSL/TLS level there is AFAIK no way to send a custom message. The "TLS alert message" only allows pre-defined constant values.
