Simple proxy service that removes mutual TLS authentication from some services. This is useful when a tool does not support mTLS.

ajabep/unmtlsproxy

unmtlsproxy

un-MTLS proxy is a simple proxy service that removes mutual TLS authentication from some services. This is useful when a tool does not support mTLS.

⚠️ DO NOT RUN IT IN PRODUCTION ⚠️

This will kill the value added by mTLS.

NEVER EVER USE IT IN PRODUCTION

It's not a tool for daily use, only a tool for when nothing else is possible and it is really required.

Do NOT use it if you don't know EXACTLY what you are doing!

My use case is penetration testing, when some tools do not support mTLS. But be careful about:

  1. What you are doing!
  2. Which interface you are binding!
  3. Who may access this interface!

Note: it is based on github.com/PaloAltoNetworks/mtlsproxy but, honestly, the two do not have much in common, except:

  1. The architecture;
  2. The command line options;
  3. Some pieces of code;
  4. The dependencies.

Thus, I deleted the "Fork" status on GitHub.

How to install?

Just run:

go install github.com/ajabep/unmtlsproxy@latest

How to use?

See the ./example/ directory.

How to define a proxy?

Multiple ways are possible:

  1. The classic environment variables work well!
  2. Using proxychains should also work.

Changes from github.com/PaloAltoNetworks/mtlsproxy

  1. Now, it removes the mTLS layer. Actually, the whole TLS part is removed.
  2. Added some options to ease debugging.
  3. The Docker version is no longer available: it is not useful for penetration testing, and I don't want to encourage using this to expose a service.

Known issues

Check all the known issues... in the issue section of the GitHub repo!

The answer my client receives is net/http: HTTP/1.x transport connection broken: malformed HTTP status code "response"

The server may support only HTTP/0.9, or is not an HTTP server. Try to use the TCP mode.

How to use an encrypted private key?

The private key encryption (RFC 1423) is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.

Also, if someone else can access the private key on your disk, a simple ps auxe would help them extract the password, so encryption does not give any better security than a good MAC.

In other words, it just gives you the feeling of being secure. Nothing more.
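An added example, not part of the unmtlsproxy code: one way to recognise a key file that uses the legacy RFC 1423 encryption described above, by looking only at the PEM block type and headers. The function and constant names are hypothetical, and the sample PEM blocks are constructed filler, not real key material.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"strings"
)

const ( // how a PEM block's private key is protected at rest
	NotAKey       = "not a private key"
	Plaintext     = "unencrypted private key"
	LegacyRFC1423 = "legacy RFC 1423 encryption (unauthenticated)"
	PKCS8Enc      = "PKCS#8 encrypted private key"
)

// classify inspects only the PEM type and headers; it never decrypts anything.
func classify(b *pem.Block) string {
	switch {
	case b.Type == "ENCRYPTED PRIVATE KEY":
		return PKCS8Enc
	case !strings.HasSuffix(b.Type, "PRIVATE KEY"):
		return NotAKey
	case b.Headers["DEK-Info"] != "" || strings.Contains(b.Headers["Proc-Type"], "ENCRYPTED"):
		return LegacyRFC1423
	}
	return Plaintext
}

// ClassifyPEM classifies every PEM block found in data, in file order.
func ClassifyPEM(data []byte) (out []string) {
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		out = append(out, classify(b))
	}
	return out
}

// sampleBundle builds constructed PEM blocks; the bodies are filler, not keys.
func sampleBundle() (out []byte) {
	fill := []byte("constructed filler bytes, not key material")
	enc := map[string]string{"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-256-CBC,00112233445566778899AABBCCDDEEFF"}
	for _, b := range []pem.Block{{Type: "CERTIFICATE", Bytes: fill}, {Type: "RSA PRIVATE KEY", Headers: enc, Bytes: fill},
		{Type: "EC PRIVATE KEY", Bytes: fill}, {Type: "ENCRYPTED PRIVATE KEY", Bytes: fill}} {
		out = append(out, pem.EncodeToMemory(&b)...)
	}
	return out
}

func main() {
	fmt.Println(strings.Join(ClassifyPEM(sampleBundle()), "\n"))
}
```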
