Proxying HTTPS traffic via HTTPS Proxy
I have a Wiremock proxy deployed on my kubernetes cluster along with my client application. The Wiremock proxy is used to act as a forward proxy for the graph.microsoft.com endpoint, which is outside my network.
Setup is similar to this
Now I want the traffic between client and WM to be on HTTPS, therefore I have deployed WM with an appropriate certificate which is trusted by the client application, using the --https-keystore option. I don't want to proxy over HTTP because then I will need to disable cert verification in my client app.
Connection between WM and graph.microsoft.com will necessarily need to be on HTTPS because HTTP is not supported. Anyway, this part of the communication is not my major concern, because my use case is that I want WM to act as a mock server for graph.microsoft.com, so the API requests to microsoft need to be intercepted by WM and return a mock response.
Now the issue is that when I try to proxy over HTTPS, the client fails with the error below:
requests.exceptions.SSLError: HTTPSConnectionPool(host='graph.microsoft.com', port=443): Max retries exceeded with url: /v1.0/organization?$top=999 (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'graph.microsoft.com'. (_ssl.c:1000)")))
Now if you look closely, it seems that the requests lib in python is trying to establish a TLS connection with graph.microsoft.com, which is failing since WM is not running with the cert of graph.microsoft.com.
When I performed the same with curl I noticed that there are two TLS handshakes happening: 1. Between client and WM 2. Between client and graph.microsoft.com using the WM cert (this is obviously failing).
I am not able to understand why the second TLS handshake is happening. Isn't WM supposed to perform the TLS handshake with graph.microsoft.com?
Any help here will be much appreciated.
From the curl logs I can see CONNECT being used:
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to graph.microsoft.com:443
> CONNECT graph.microsoft.com:443 HTTP/1.1
> Host: graph.microsoft.com:443
> User-Agent: curl/8.5.0
> Proxy-Connection: Keep-Alive
Which is again something I did not expect. Isn't WM supposed to terminate the TLS from the client and start a new TLS session with the target?
@Tom any thoughts here?
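To make the two handshakes in the thread concrete, here is an added example (not WireMock's or the poster's code) of what a client does when its https proxy is itself an HTTPS endpoint: TLS to the proxy, the CONNECT from the curl log, then a second TLS handshake inside the tunnel that is verified against the target name, which is why a proxy answering with its own certificate produces "Hostname mismatch". The proxy host, port and CA file are assumptions.

```python
import socket
import ssl

def build_connect_request(target_host: str, target_port: int = 443) -> bytes:
    """The CONNECT request curl showed in the thread (same headers)."""
    return (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n"
        "User-Agent: curl/8.5.0\r\n"
        "Proxy-Connection: Keep-Alive\r\n\r\n"
    ).encode("ascii")

def parse_connect_status(reply: bytes) -> int:
    """Status code of the proxy's reply to CONNECT (200 means the tunnel is open)."""
    parts = reply.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed CONNECT reply: {reply[:60]!r}")
    return int(parts[1])

def inner_tls_handshake(outer_sock: ssl.SSLSocket, target_host: str) -> ssl.SSLObject:
    """Handshake 2: TLS to target_host carried inside the encrypted proxy connection;
    memory BIOs are used because wrap_socket() would write to the raw fd instead."""
    ctx = ssl.create_default_context()  # public CAs only: WM's cert is not valid here
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=target_host)
    while True:
        try:
            tls.do_handshake()
            break
        except ssl.SSLWantReadError:
            outer_sock.sendall(outgoing.read())  # ClientHello etc. travel through the tunnel
            data = outer_sock.recv(16384)
            if not data:
                raise ConnectionError("tunnel closed during inner handshake")
            incoming.write(data)
    outer_sock.sendall(outgoing.read())  # flush the client Finished message
    return tls

def open_target_via_https_proxy(proxy_host, proxy_port, target_host, proxy_ca):
    # Assumed names: proxy_host/proxy_port is WM's HTTPS listener, proxy_ca its CA PEM.
    # Handshake 1 is verified against proxy_host, so WM's keystore cert passes here.
    outer_ctx = ssl.create_default_context(cafile=proxy_ca)
    proxy_tls = outer_ctx.wrap_socket(socket.create_connection((proxy_host, proxy_port)), server_hostname=proxy_host)
    proxy_tls.sendall(build_connect_request(target_host))
    status = parse_connect_status(proxy_tls.recv(4096))
    if status != 200:
        raise ConnectionError(f"proxy refused CONNECT: {status}")
    # Handshake 2 raises SSLCertVerificationError ("Hostname mismatch") if whatever
    # answers inside the tunnel presents a cert not valid for target_host, e.g. WM's own.
    return inner_tls_handshake(proxy_tls, target_host)
```

The proxy only relays the bytes after a 200 to CONNECT, so it can neither see nor mock the inner request unless it presents a certificate the client accepts for the target name.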