https workaround for bitdefender mitm ssl proxy
@@ -77,10 +77,6 @@ class WTVHTTP {
|
|||||||
// configure connection to remote socks proxy
|
// configure connection to remote socks proxy
|
||||||
const { SocksProxyAgent }= require('socks-proxy-agent');
|
const { SocksProxyAgent }= require('socks-proxy-agent');
|
||||||
options.agent = new SocksProxyAgent("socks://" + (minisrv_config.services[request_type].external_proxy_host || "127.0.0.1") + ":" + minisrv_config.services[request_type].external_proxy_port);
|
options.agent = new SocksProxyAgent("socks://" + (minisrv_config.services[request_type].external_proxy_host || "127.0.0.1") + ":" + minisrv_config.services[request_type].external_proxy_port);
|
||||||
options.agents = {
|
|
||||||
"http": options.agent,
|
|
||||||
"https": options.agent
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
// configure connection to remote http proxy
|
// configure connection to remote http proxy
|
||||||
this.proxy_agent = this.http;
|
this.proxy_agent = this.http;
|
||||||
@@ -97,6 +93,24 @@ class WTVHTTP {
|
|||||||
options.headers.Connection = 'close'
|
options.headers.Connection = 'close'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if (this.minisrv_config.services[request_type].support_bitdefender_self_signed_proxy) {
|
||||||
|
try {
|
||||||
|
const WTVSSL = require('./WTVSSL.js');
|
||||||
|
const ssl = new WTVSSL();
|
||||||
|
const bitdefenderCACert = ssl.getBitdefenderCACert();
|
||||||
|
if (bitdefenderCACert) {
|
||||||
|
options.ca = [bitdefenderCACert];
|
||||||
|
// this sucks, but bitdefender's cert is weird and doesn't seem to work properly with Node's TLS implementation
|
||||||
|
// even when added to the trusted store, so we have to disable rejection of unauthorized certs
|
||||||
|
// when the Bitdefender CA cert is present. At least this way we can still allow it without
|
||||||
|
// completely breaking SSL proxying for Bitdefender users.
|
||||||
|
// This will only trigger on Windows if support_bitdefender_self_signed_proxy is true, and the Bitdefender CA file exists
|
||||||
|
options.rejectUnauthorized = false;
|
||||||
|
}
|
||||||
|
} catch (err) {
|
||||||
|
console.warn(" * Failed to load Bitdefender CA certificate:", err.message);
|
||||||
|
}
|
||||||
|
}
|
||||||
const req = this.proxy_agent.request(options, (res) => {
|
const req = this.proxy_agent.request(options, (res) => {
|
||||||
let total_data = 0;
|
let total_data = 0;
|
||||||
|
|
||||||
|
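Review bot: Setting `options.rejectUnauthorized = false` at the end of the new block turns off certificate verification for every upstream HTTPS request this service makes whenever the Bitdefender CA file exists, not only for connections Bitdefender has re-signed, so a host with Bitdefender installed silently loses TLS authentication even with `allow_self_signed_ssl` off. The comment above it blames Node's TLS implementation, but the more likely cause of the observed failures is that `options.ca = [bitdefenderCACert]` replaces Node's built-in root store rather than extending it, so every endpoint Bitdefender does not intercept then fails verification. Appending instead of replacing should let verification stay on: `options.ca = [...require('tls').rootCertificates, bitdefenderCACert];` with the `rejectUnauthorized = false` line removed, or at minimum gated on the existing `allow_self_signed_ssl` setting. If Bitdefender's certificate genuinely cannot be validated by Node, a `console.warn` like the one on the catch path should also fire on this path so operators can see that verification was disabled. The enclosing request method starts and ends outside this hunk.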
|||||||
@@ -13,6 +13,51 @@ class WTVSSL {
|
|||||||
}
|
}
|
||||||
return this.wtvshared.fs.readFileSync(caCertFile);
|
return this.wtvshared.fs.readFileSync(caCertFile);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
derToPem(derBuffer) {
|
||||||
|
const base64 = derBuffer.toString("base64");
|
||||||
|
const pem = [
|
||||||
|
"-----BEGIN CERTIFICATE-----",
|
||||||
|
base64.match(/.{1,64}/g).join("\n"),
|
||||||
|
"-----END CERTIFICATE-----"
|
||||||
|
].join("\n");
|
||||||
|
|
||||||
|
return pem;
|
||||||
|
}
|
||||||
|
|
||||||
|
wrapBase664ToPem(text) {;
|
||||||
|
const pem = [
|
||||||
|
"-----BEGIN CERTIFICATE-----",
|
||||||
|
text,
|
||||||
|
"-----END CERTIFICATE-----"
|
||||||
|
].join("\n");
|
||||||
|
return pem;
|
||||||
|
}
|
||||||
|
|
||||||
|
normalizeCert(cert) {
|
||||||
|
if (Buffer.isBuffer(cert)) {
|
||||||
|
// assume DER
|
||||||
|
return this.derToPem(cert);
|
||||||
|
}
|
||||||
|
const text = cert.toString().trim();
|
||||||
|
if (text.includes("BEGIN CERTIFICATE")) {
|
||||||
|
return text; // already PEM
|
||||||
|
}
|
||||||
|
// assume Base64 DER
|
||||||
|
return this.wrapBase664ToPem(text);
|
||||||
|
}
|
||||||
|
|
||||||
|
getBitdefenderCACert() {
|
||||||
|
// return the Bitdefender CA cert
|
||||||
|
if (process.platform !== 'win32') {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
const caCertFile = "C:\\Program Files\\Bitdefender\\Bitdefender Security\\mitm_cache\\fake-ca.crt"
|
||||||
|
if (!this.wtvshared.fs.existsSync(caCertFile)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
return this.normalizeCert(this.wtvshared.fs.readFileSync(caCertFile));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = WTVSSL;
|
module.exports = WTVSSL;
|
||||||
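Review bot: `normalizeCert` treats every Buffer as DER, and its only caller in this hunk, `getBitdefenderCACert`, passes the raw result of `fs.readFileSync(caCertFile)`, which is always a Buffer, so the PEM-detection branch can never be reached from that path; if `fake-ca.crt` on disk is PEM text it gets base64-encoded a second time and wrapped in fresh armor, yielding a certificate Node cannot parse. Whether the Bitdefender file is PEM or DER is not visible here, but detecting PEM on the decoded text before falling back to the DER assumption handles both cases. `derToPem` also throws on an empty buffer because `match` returns `null`, and `wrapBase664ToPem` has a typo in its name and a stray `;` after the opening brace. Proposed rewrite of `normalizeCert` below, with an ASN.1 SEQUENCE-tag check (`0x30`) making the DER assumption explicit.
```javascript
    normalizeCert(cert) {
        // Detect PEM on the decoded text first so a PEM file read as a Buffer is not re-encoded.
        const text = cert.toString("utf8").trim();
        if (text.includes("BEGIN CERTIFICATE")) {
            return text; // already PEM
        }
        if (Buffer.isBuffer(cert) && cert[0] === 0x30) {
            return this.derToPem(cert); // DER: leading ASN.1 SEQUENCE tag
        }
        // assume Base64 DER
        return this.wrapBase664ToPem(text);
    }
```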
@@ -330,7 +330,8 @@
|
|||||||
"disallow_no_slash": true,
|
"disallow_no_slash": true,
|
||||||
"handler_module": "WTVHTTP",
|
"handler_module": "WTVHTTP",
|
||||||
"handler_extra_vars": ["http", "sendToClient"],
|
"handler_extra_vars": ["http", "sendToClient"],
|
||||||
"allow_self_signed_ssl": true // If true, will allow self-signed SSL certificates via the proxy.
|
"allow_self_signed_ssl": false, // If true, will allow self-signed SSL certificates via the proxy.
|
||||||
|
"support_bitdefender_self_signed_proxy": true // If the user has bitdefender installed, it is intercepting SSL connections and re-signing them with its own self-signed certificate. Enabling this will add the Bitdefender certificate to the trusted store for the https service, allowing it to proxy https connections without errors.
|
||||||
},
|
},
|
||||||
"proto": {
|
"proto": {
|
||||||
// ProtoWeb Proxy
|
// ProtoWeb Proxy
|
||||||
|
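Review bot: The new `support_bitdefender_self_signed_proxy` comment says the Bitdefender certificate is added to the trusted store, but the WTVHTTP change in this same commit also sets `rejectUnauthorized = false` whenever the CA file is present, so the setting actually disables upstream certificate verification for this service on those hosts. With the option defaulting to `true` while `allow_self_signed_ssl` is flipped to `false` on the line above, a Windows user with Bitdefender ends up with verification off by default, which the stricter `allow_self_signed_ssl` default was presumably meant to prevent. I would default it to `false` and have the comment state the real effect, e.g. append `WARNING: while the Bitdefender CA file is present this disables certificate verification for all upstream https connections made by this service, not just those Bitdefender re-signs.`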
|||||||