TcpCatcher - WorkShop n°13 : Monitoring a java secured client program (HTTPS)

WorkShop n°13 : Monitoring a java client program HTTPS communication

In this workshop we are going to monitor (and debug) a simple java client program's SSL communication.

In order to monitor the secured communication, TcpCatcher is going to behave like an SSL server in the middle. Since TcpCatcher's server certificate won't match target server we will have to turn off certificate chain validation at client level.
.

Let's suppose we have a java client program that is retrieving a web page using HTTPS and an URLConnection.

import java.io.BufferedInputStream; import java.io.InputStream; import java.net.URL; import java.net.URLConnection; public class ClientSSL { public static void main(String[] args) { new ClientSSL().go(); } private void go() { try { String sURL = "https://mail.google.com/mail/"; URL url = new URL(sURL); URLConnection httpConn = url.openConnection(); httpConn.setDoInput(true); httpConn.connect(); InputStream in = httpConn.getInputStream(); BufferedInputStream bufIn = new BufferedInputStream(in); int nbytes; do { // Echo the response on the Java Console. // This is crude, and just for demo purposes. byte buf[] = new byte[8192]; nbytes = bufIn.read(buf, 0, 8192); System.out.println(new String(buf,"US-ASCII")); } while(nbytes > 0); } catch (Exception e) { System.out.println("Exception: " + e.getMessage()); } } }

Let's start TcpCatcher with default settings but check the 'Monitor SSL' and 'static certificate' options

Now TcpCatcher has opened its own SSL server in the middle with its own server certificate.
We need to do few little changes in our client program in order to be able to monitor this communication :
First, we need to tell the program to use TcpCatcher as a proxy.
Second, since the server certificate received won't be trusted and won't match target server name, we'll need to turn off certificate chain validation at client level. This can be achieved simply with a custom javax.net.ssl.HostnameVerifier and a custom javax.net.ssl.X509TrustManager.
Here is the new code :

import java.io.BufferedInputStream;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.net.URLConnection;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509TrustManager;

public class ClientSSL {

	public static void main(String[] args) {
		new ClientSSL().go();
	}


	private void go() {

		try {
			// A HOSTNAME VERIFIER THAT ACCEPTS EVERY HOSTS
			HostnameVerifier myhostnameverifier = new HostnameVerifier() {
				@Override
				public boolean verify(String urlHostName, SSLSession session) {
					return true;
				}
			};
			HttpsURLConnection.setDefaultHostnameVerifier(myhostnameverifier);
			
			// A TRUSTMANAGER THATS TRUSTS EVERY CERTIFICATES
			class MyTrustManager implements X509TrustManager {

				@Override
				public void checkClientTrusted(X509Certificate[] chain,
						String authType) throws CertificateException {
				}

				@Override
				public void checkServerTrusted(X509Certificate[] chain,
						String authType) throws CertificateException {
				}

				@Override
				public X509Certificate[] getAcceptedIssuers() {
					return null;
				}
			}
			//CREATE AN SSLSocketFactory USING THE MOCKED TRUSTMANAGER
			SSLContext ctx = SSLContext.getInstance("TLS");
			javax.net.ssl.TrustManager mtm = new MyTrustManager();
			javax.net.ssl.TrustManager[] tm = { mtm };
			ctx.init(null, tm, null);
			SSLSocketFactory sslSocketFactory = ctx.getSocketFactory();

			String sURL = "https://mail.google.com/mail/";
			
			URL url = new URL(sURL);
			//SETUP A PROXY TOWARDS TCPCATCHER
			Proxy proxy=new Proxy(Proxy.Type.HTTP,new InetSocketAddress("localhost",8200));
			URLConnection httpConn = url.openConnection(proxy);
		
			if (httpConn instanceof HttpsURLConnection) {

				//FORCE OUR URLConnection TO USE OUR SSLSocketFactory
				((HttpsURLConnection) httpConn)
						.setSSLSocketFactory(sslSocketFactory);
			}

			httpConn.setDoInput(true);

			httpConn.connect();
			InputStream in = httpConn.getInputStream();
			BufferedInputStream bufIn = new BufferedInputStream(in);
			int nbytes;
			do {
				// Echo the response on the Java Console.
				// This is crude, and just for demo purposes.
				byte buf[] = new byte[8192];
				nbytes = bufIn.read(buf, 0, 8192);
				System.out.println(new String(buf, "US-ASCII"));
			} while (nbytes > 0);

		} catch (Exception e) {
			e.printStackTrace();
		}

	}
}

Let's run new client program and now the HTTPS communication can be monitored (and interfered) at network level

[Coming soon: no change in client code with new TcpCatcher options..]