HTTPS PROXY USING GNU TLS

Posted on 2010-11-23
Last Modified: 2012-05-10
I am writing an HTTPS proxy in C++; I am using Ubuntu 10.04 and gnutls-2.10.0.

I know only google.com, i.e. the request is of the form
*******************************
GET https://www.google.com/ HTTP/1.1
User-Agent: NetSurf/2.6 (Linux; i686)
Host: www.google.com
-------
----------

I am able to receive the response in the form of chunks and I am able to see almost the entire content. I am using
ret = gnutls_record_recv (session, buffer_new, MAX_BUF); in a for loop.

and I want to come out of the loop after receiving the entire content, i.e. I use different flags like
GNUTLS_E_UNEXPECTED_PACKET_LENGTH
GNUTLS_E_INTERRUPTED

The recv call blocks for a while (nearly 30 mins) even after the entire content is received. I want to know how I can come out; I tried a few options but none of them work. Please help me and explain this.

Thanking you
Question by:shragi

Expert Comment

by:sweetfa2
ID: 34203418
Do you disconnect your sender?

Author Comment

by:shragi
ID: 34206291
Thanks for the reply. I think I do not need to disconnect my proxy (sender) or my browser,
because I want my proxy to work with one connection to the web server, but it can handle a few requests from the browser like

GET https://www.google.com/ HTTP/1.1
GET https://www.google.com/favicon.ico HTTP/1.1



Accepted Solution

by: sweetfa2 (earned 250 total points)
ID: 34207508
This function has similar semantics to recv(). The only difference is that it accepts a GnuTLS session, and uses different error codes.

In the special case that a server requests a renegotiation, the client may receive an error code of GNUTLS_E_REHANDSHAKE. This message may be simply ignored, replied with an alert GNUTLS_A_NO_RENEGOTIATION, or replied with a new handshake, depending on the client's will.

If EINTR is returned by the internal push function (the default is recv()) then GNUTLS_E_INTERRUPTED will be returned. If GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN is returned, you must call this function again to get the data. See also gnutls_record_get_direction().

A server may also receive GNUTLS_E_REHANDSHAKE when a client has initiated a handshake. In that case the server can only initiate a handshake or terminate the connection.

Returns: the number of bytes received and zero on EOF. A negative error code is returned in case of an error. The number of bytes received might be less than sizeofdata.

gnutls_record_recv uses the underlying socket layer.  As such it will stay open until the socket is closed.

To achieve what you wish you will need to incorporate gnutls_record_check_pending into your loop.

Expert Comment

by:sweetfa2
ID: 34207519
I don't know why you don't have this in the C and C++ zones.

Author Comment

by:shragi
ID: 34208813
I thought I included C++ also, but my loop structure is

for (;;)
{
    memset (buffer_new, 0, MAX_BUF + 1);
    ret = gnutls_record_recv (session, buffer_new, MAX_BUF);
    if (ret <= 0) break;   // error or EOF: do not pass a negative length to send()
    temp = send (_browser, buffer_new, ret, 0);
}

After receiving the entire content, even if I use gnutls_record_check_pending, I am unable to come out of the loop; I used several flags to check.

But in the last iteration the control blocks at ret = gnutls_record_recv (session, buffer_new, MAX_BUF);.


Expert Comment

by:sweetfa2
ID: 34209396
You have not yet got EOF. Until the socket disconnects you won't get EOF. As far as I recall there is an ioctl or something you can set on the socket to have it time out if no more data is received. No guarantees on that one though; it was a long time ago.

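As an added illustration of the point above (not code from this thread or from GnuTLS): gnutls_record_recv() returns 0 only when the server closes the TLS connection, so a proxy that wants to stop reading after one reply has to parse the HTTP framing itself, either Content-Length or the zero-size chunk that terminates a chunked body. The function names, the buffer size and the sample responses below are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
/* Constructed example: HTTP framing (Content-Length or the final zero-size chunk)
 * tells the proxy the response is complete; TLS reports EOF only on peer close. */
typedef struct { char buf[8192]; size_t len; } resp_t;
/* Value of header `name` (case-insensitive) within [p, end), or NULL if absent. */
static const char *find_header(const char *p, const char *end, const char *name) {
    size_t nl = strlen(name);
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        if ((size_t)(end - p) > nl && strncasecmp(p, name, nl) == 0 && p[nl] == ':')
            return p + nl + 1;
        if (!eol) break;
        p = eol + 1;
    }
    return NULL;
}
/* Walk the chunks; true once the zero-size chunk and its closing CRLF are present
 * (assumes no trailer fields after the last chunk). */
static bool chunked_complete(const char *p, const char *end) {
    while (p < end) {
        char *q; unsigned long sz = strtoul(p, &q, 16);
        const char *eol = (q == p) ? NULL : strstr(q, "\r\n");
        if (!eol) return false;                        /* size line incomplete */
        p = eol + 2;
        if (sz == 0) return (size_t)(end - p) >= 2 && memcmp(p, "\r\n", 2) == 0;
        if ((size_t)(end - p) < sz + 2) return false;  /* chunk data still in flight */
        p += sz + 2;                                   /* skip data and its CRLF */
    }
    return false;
}
/* Append one fragment; true when the whole response has been seen, so the receive
 * loop can stop instead of blocking in gnutls_record_recv() waiting for EOF. */
static bool resp_feed(resp_t *r, const char *data, size_t n) {
    if (n > sizeof r->buf - 1 - r->len) n = sizeof r->buf - 1 - r->len;  /* clip */
    memcpy(r->buf + r->len, data, n);
    r->len += n; r->buf[r->len] = '\0';
    const char *hdr_end = strstr(r->buf, "\r\n\r\n");
    if (!hdr_end) return false;                        /* headers incomplete */
    const char *body = hdr_end + 4, *end = r->buf + r->len;
    const char *te = find_header(r->buf, hdr_end, "Transfer-Encoding");
    const char *ck = te ? strstr(te, "chunked") : NULL;
    const char *cl = find_header(r->buf, hdr_end, "Content-Length");
    if (ck && ck < hdr_end) return chunked_complete(body, end);
    if (cl) return (size_t)(end - body) >= strtoul(cl, NULL, 10);
    return false;          /* no framing: only recv() returning 0 (EOF) ends it */
}
```

Feed each buffer returned by gnutls_record_recv() to resp_feed() right after forwarding it to the browser, and leave the loop when it returns true; a response with neither header still needs the EOF path.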

Author Comment

by:shragi
ID: 34232513
Actually I am using only one socket, i.e. only allowing a single connection from the proxy to the web server. I am able to see all the content come back, but I am unable to understand exactly how to find the EOF.

There might be some other means in a normal HTTP proxy to stop receiving in the recv() method. I used the MSG_DONTWAIT flag and
used select() to take care of which socket to read previously. But here I am unable to come out of that hanging statement.
 

Assisted Solution

by: sweetfa2 (earned 250 total points)
ID: 34234316
fcntl(socket, F_SETFL, O_NONBLOCK)

Author Comment

by:shragi
ID: 34239757
Thanks a lot, I am able to find the pattern at EOF and came out of the loop. Can you help me with the next question, or any suggestion?

I am writing an HTTPS proxy.
I am using GnuTLS to connect to https://www.google.com and I am able to receive the complete response and render it back to the browser.

Initial loop structure:
establish GnuTLS session here   // need help here ----- 1
do
{
    select()
    if (browser wants to talk)
        // in a loop
        send received request to server
    if (server wants to talk)
        // in a loop
        receive data and send back to browser
} while (true)

The initial request is of the form https://www.google.com... and works fine.

After that the browser sends another request like
GET https://www.google.com/favicon.ico HTTP/1.1
----
----

Here I know that the web server is not closing the TCP connection because I am able to see it in Wireshark, but I think the GnuTLS session is closed.

Does someone know how a rehandshake is established, or can confirm how the protocol needs to work after this step to render the complete google.com page in the browser?

I hope the session needs to be re-created (not sure), or some method calls like rehandshake are used to re-establish the session.

Please help me regarding this.
