
Web Traffic Behind Corporate Firewall

I'm working behind a corporate firewall that is blocking web traffic on Windows and Ubuntu for almost all applications other than web browsers & system updates.

When I try to connect to external resources using curl, git, python, etc., I get SSL/TLS errors. I am able to successfully ignore SSL/TLS for those applications, and they work as intended (e.g. curl -k succeeds).

I have a few questions about how this type of issue works:

  • Since ignoring SSL/TLS works, does that mean the ports in question are open to TCP/HTTP traffic, but not to TLS/HTTPS traffic?
  • Why are browsers and apt install <package> able to connect via HTTPS, but other applications are not?
  • Is there a general solution to this problem which doesn't impair security, and which doesn't involve having access to firewall settings?

Since ignoring SSL/TLS works, does that mean the ports in question are open to TCP/HTTP traffic, but not to TLS/HTTPS traffic?

No, it means that there is some (probably transparent) proxy which intercepts HTTPS and likely also HTTP traffic. Using SSL interception the HTTPS traffic is decrypted on the proxy, likely in order to inspect it against threats or data leakage.

This man-in-the-middle "attack" works by breaking up the original HTTPS connection into two: one between client and proxy and one between proxy and target server. Since the proxy does not have access to the original certificate's private key it will use a dynamically created certificate signed by a proxy-specific CA. If this proxy CA is trusted the access will work smoothly. But if it is not trusted it will break - this is what you see. If you simply disable certificate validation it will seem to work though, although it would also blindly accept a malicious SSL interception by an attacker.

Why are browsers and apt install able to connect via HTTPS, but other applications are not?

Unfortunately there is not a single trust store. Browsers have their own, Python might have their own, Java has its own, applications might have their own etc. Thus while the proxy CA might have been added to some trust stores it might not have been added to others.

Is there a general solution to this problem which doesn't impair security, and which doesn't involve having access to firewall settings?

The solution is to add the trusted proxy CA to all necessary trust stores. But again, there is no single one so what needs to be done depends heavily on the exact setup of the system and the applications used. There are some standard places to look for (depending on OS and browsers) but these often don't include all possible trust stores used on the system.
