Im playing around with transparent proxy in linux to perform a man in the middle scenario by proxying the client connection to erlang instead of real destination. i have the following iptables/ip rules to proxy the connection to my erlang app.
iptables -t mangle -A OUTPUT -p tcp --sport 8888 -j MARK --set-mark 1
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -A PREROUTING -p tcp --sport 8888 -j TPROXY --on-port 5555
i only proxy a connection that have source port of 8888 (for testing) to erlang which is listening on port 5555.
When client is using tls, i use ssl:handshake(Socket, [{handshake, hello}]) to pause handshake and look at the extensions to extract sni.
Example:
openssl s_client -connect example.com:443 -bind 0.0.0.0:8888 -tls1_3
has the following Extentions returned from ssl:handshake(Socket, [{handshake, hello}]):
#{client_hello_versions => [{3,4}],
cookie => undefined,certificate_authorities => undefined,
sni => “example.com”,
signature_algs =>
[ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384,
ecdsa_secp521r1_sha512,eddsa_ed25519,eddsa_ed448,
rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512,
rsa_pss_rsae_sha256,rsa_pss_rsae_sha384,rsa_pss_rsae_sha512,
rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha512],
signature_algs_cert => undefined,use_srtp => undefined,
elliptic_curves =>
[x25519,secp256r1,x448,secp521r1,secp384r1,ffdhe2048,ffdhe3072,
ffdhe4096,ffdhe6144,ffdhe8192],
pre_shared_key => undefined,alpn => undefined,
ec_point_formats => [0,1,2],
psk_key_exchange_modes => [psk_dhe_ke],
key_share =>
[{key_share_entry,x25519,
<<190,152,151,120,139,199,202,124,169,189,233,
43,242,214,82,193,204,15,19,151,25,219,53,
49,227,205,12,198,219,76,215,101>>}]}
Then when calling ssl:handshake_continue to perform the handshake (Which should eventually fail at client because of certificate), i get the following error:
{error,{tls_alert,{illegal_parameter,“TLS server: In state start at tls_server_connection_1_3.erl:511 generated SERVER ALERT: Fatal - Illegal Parameter\n illegal_parameter_in_client_hello”}}
line 511 from tls_connection_1_3.erl is the following:
PSK = Maybe(tls_handshake_1_3:handle_pre_shared_key(State, OfferedPSKs, Cipher)),
im trying to perform a man in the middle scenario where i have a custom root CA installed and forge a certificate on fly to present it to client. but regardless of the certificate, i get illegal_parameter_in_client_hello and i want to understand the reason behind it. (im using OTP 27)