Troubleshooting HTTPS MITM Proxy With Custom CA Certificate

by Kenji Nakamura 60 views

Hey guys! šŸ‘‹ Ever tried setting up a MITM proxy for HTTPS and ran into a wall? It can be super frustrating, especially when you're dealing with certificates. In this article, we're diving deep into a common issue: getting your own Certificate Authority (CA) certificate to work with a MITM proxy. We'll break down the problem, explore the code, and figure out how to get things running smoothly. So, if you're scratching your head over ERR_PROXY_CONNECTION_FAILED or just want to understand the nitty-gritty of HTTPS proxying, you're in the right place! Let's get started and make sense of this together.

Understanding the Problem

So, you're trying to set up a Man-In-The-Middle (MITM) proxy to inspect HTTPS traffic, which is a pretty common need for debugging or security testing. You've got your own CA certificate generated, and you're ready to roll. But then, bam! You hit the ERR_PROXY_CONNECTION_FAILED error in Chrome. šŸ˜© This usually means something's not quite right with how the proxy is handling HTTPS connections. The goal here is to use your custom CA cert so that the proxy can generate certificates for the sites you're visiting, and your browser will trust them because they're signed by your CA.

When diving into problems like these, it's crucial to understand each component's role. Your CA certificate acts as the root of trust, and the proxy uses it to create certificates for the HTTPS websites you visit. The browser, trusting your CA, should then accept these on-the-fly generated certificates. A failure often points to issues in certificate generation, signing, or trust establishment. This can include incorrect settings in the proxy, mismatches between the CA certificate and the generated certificates, or simply the browser not trusting the CA. So, let's roll up our sleeves and make sure all these pieces play nice together!

Analyzing the Code

Letā€™s break down the provided code snippets to understand whatā€™s going on. We have two main files: certGen.js and proxy.js. certGen.js is responsible for generating the CA certificate, while proxy.js sets up the MITM proxy using node-http-mitm-proxy. To really get to grips with this, we'll walk through each file, highlighting key parts and discussing their function. So, grab your favorite beverage, and let's get coding!

certGen.js: The Certificate Generator

The certGen.js script is where the magic of certificate creation happens. This script uses the node-forge library to generate a root CA certificate and key. The main steps include:

  1. Generating a Key Pair: A 2048-bit RSA key pair is generated using forge.pki.rsa.generateKeyPair(2048). This key pair is the foundation of our CA, with the private key used for signing certificates and the public key included in the CA certificate itself.
  2. Creating a Certificate: An empty certificate object is created using forge.pki.createCertificate(). Think of this as a blank slate we'll fill with important details.
  3. Populating Certificate Details: We set the certificate's serial number, validity period, public key, subject, and issuer. The generateSerialNumber() function ensures we have a secure, random serial number, which is crucial for certificate uniqueness. The validity period is set to one year.
  4. Setting Attributes: The subject and issuer are set with attributes like common name, country, organization, etc. This information helps identify the CA. A common name like ā€œI Hate DPI Certificateā€ is used here, which can be anything you choose to identify your CA.
  5. Adding Extensions: Extensions define the capabilities and usage of the certificate. Key extensions include basicConstraints (marking this as a CA), keyUsage (allowing certificate signing), and subjectKeyIdentifier. These extensions are vital for the certificate to function correctly as a CA.
  6. Signing the Certificate: The certificate is signed using the private key and SHA256 hash. This step cryptographically binds the certificate details to the CA's private key, making it trustworthy.
  7. Saving the Certificate and Key: The certificate and private key are converted to PEM format and saved to certs/ca-cert.pem and certs/ca-key.pem, respectively. PEM is a common format for storing cryptographic keys and certificates.
  8. .p12 Generation: Finally, the script generates a .p12 file, which is a container that can hold the private key and certificate. This format is particularly useful for importing the CA certificate into systems like Windows, where you might need to explicitly trust the CA. The password