**** BEGIN LOGGING AT Mon Oct 29 03:00:00 2018
Oct 29 05:16:24 <Maxdamantus> Okay, so luckily that certificate expired at Apr 24 14:09:34 2009.
Oct 29 05:17:02 <Maxdamantus> but if maemo has a clock set to a time before that, any SSL connection could be intercepted.
Oct 29 05:18:12 <Maxdamantus> Presumably it's unused, unless there's something else in maemo that doesn't check the issuer expiry.
Oct 29 05:20:55 <Maxdamantus> Ah, actually, it's not used by microb. I guess it just tests the expiry time before checking that a certificate is in the store (since I was getting an "expired" error before setting my clock back)
Oct 29 10:23:10 <Maxdamantus> Damn, turns out Opera Mobile doesn't use SNI.
Oct 29 10:23:21 <Maxdamantus> I thought I saw the host it was connecting to before.
Oct 29 10:24:29 <Maxdamantus> microb uses it though.
Oct 29 10:24:58 <bencoh> SNI support sounds quite mandatory to me nowadays ...
Oct 29 10:25:10 <Maxdamantus> Anyway, this is what I've made so far: https://gist.github.com/Maxdamantus/e32ab94dbc5d9d43298428400020620e
Oct 29 10:25:37 <bencoh> Maxdamantus: silly question, but why not use one of the already available small-footprint proxies?
Oct 29 10:25:45 <Maxdamantus> bencoh: such as?
Oct 29 10:26:13 <bencoh> tinyproxy or polipo
Oct 29 10:26:24 <Maxdamantus> tinyproxy is an HTTP proxy
Oct 29 10:26:29 <Maxdamantus> Nothing to do with SSL
Oct 29 10:26:29 <bencoh> (tinyproxy might not have proper support for ssl, I don't quite remember)
Oct 29 10:26:33 * Maxdamantus looks at polipo
Oct 29 10:26:50 <Maxdamantus> Again sounds like an HTTP proxy.
Oct 29 10:26:56 <bencoh> Tinyproxy is a light-weight HTTP/HTTPS proxy daemon
Oct 29 10:27:06 <Maxdamantus> That's a fairly misleading description.
Oct 29 10:27:18 <KotCzarny> you can have https proxy without any ssl
Oct 29 10:27:23 <KotCzarny> just copy data as is
Oct 29 10:27:28 <KotCzarny> i do it in my own proxy
Oct 29 10:27:49 <KotCzarny> you need a proxy that does ssl management if you want to interact in any way
Oct 29 10:28:03 <Wizzup> a thread for every socket?
Oct 29 10:28:04 <Maxdamantus> Yes, that's the intention of my program above.
Oct 29 10:28:19 <Maxdamantus> Wizzup: for now, yes.
Oct 29 10:28:33 <Wizzup> well, looks lke you're having fun :) 
Oct 29 10:28:34 <Maxdamantus> I don't expect to be maintaining a large number of connections.
Oct 29 10:28:35 <bencoh> you might be right about tinyproxy
Oct 29 10:28:56 <Wizzup> I'd personally do it in go - since it links statically with the latest tls support and does all of this multiplexing easily, but I guess there's no point to suggesting it :P 
Oct 29 10:29:01 <Maxdamantus> also note that the program above is agnostic about a particular protocol.
Oct 29 10:29:06 <Wizzup> sure, just tls + sni
Oct 29 10:29:12 <bencoh> polipo caches content, so it probably handles ssl properly, though
Oct 29 10:29:26 <bencoh> Maxdamantus: you can't really be protocol-agnostic when it comes to starttls
Oct 29 10:29:36 <bencoh> and you'll eventually have to handle that as well
Oct 29 10:30:03 <bencoh> (same goes for SNI, actually)
Oct 29 10:30:05 <Maxdamantus> bencoh: well, it assumes that the entire socket is encapsulated in TLS.
Oct 29 10:30:15 <Maxdamantus> otherwise it's protocol agnostic.
Oct 29 10:30:24 <Maxdamantus> (though atm it doesn't forward ALPN)
Oct 29 10:31:22 <Maxdamantus> also regarding proxying, opera mobile doesn't seem to have the option to use a proxy.
Oct 29 10:31:42 <Maxdamantus> and I'm guessing if microb/firefox has that option, it will still want to use SSL over the proxy.
Oct 29 10:31:45 <Wizzup> what if you set the env variables?
Oct 29 10:32:00 <KotCzarny> in the worst case you have iptables
Oct 29 10:32:00 <Maxdamantus> (ie, it'd rely on something like `CONNECT google.com:443`)
Oct 29 10:32:04 <Wizzup> Maxdamantus: yes, indeed, it will do it's own tls over the proxy.
Oct 29 10:32:34 <Maxdamantus> Wizzup: right, in which case polipo won't help, unless polipo actually does the funky TLS stuff that my program does.
Oct 29 10:32:36 <Wizzup> Maxdamantus: but you can intercept it
Oct 29 10:32:42 <Wizzup> yes
Oct 29 10:32:53 <Maxdamantus> (funky stuff = generating/signing certificates on the fly)
Oct 29 10:33:05 <Wizzup> why do you need to do that, though?
Oct 29 10:33:44 <Wizzup> if you have your own CA, you can just install a wildcard cert, no?
Oct 29 10:33:49 <Maxdamantus> Because if the browser makes a request to "google.com", the certificate used needs to have CN=google.com
Oct 29 10:33:53 <Wizzup> (plus, generating keys + certs takes a -long- time)
Oct 29 10:33:59 <Wizzup> Maxdamantus: wildcard should work?
Oct 29 10:34:05 <Maxdamantus> TLD wildcards are illegal.
Oct 29 10:34:13 <Wizzup> how do you think mitm proxies work?
Oct 29 10:34:15 <Maxdamantus> ie, *.com and * are illegal.
Oct 29 10:34:20 <Maxdamantus> Wizzup: they have to do what I do.
Oct 29 10:34:23 <Wizzup> really?
Oct 29 10:34:25 <Wizzup> mhm
Oct 29 10:34:29 <Maxdamantus> Wizzup: that's almost certainly what "mitmproxy" does.
Oct 29 10:34:30 <Wizzup> well, I guess you can re-use the same key
Oct 29 10:34:34 <Wizzup> then it doesn't take long
Oct 29 10:34:51 <Maxdamantus> (mitmproxy being some debugging utility written in Python, seems unsuitable for running locally on N900)
Oct 29 10:34:57 <Maxdamantus> Yes, I use the same key.
Oct 29 10:35:02 <Maxdamantus> but have to generate different certificates.
Oct 29 10:35:15 <Wizzup> maybe I'll do it in go for fun some time
Oct 29 10:36:50 <Maxdamantus> The "CAKEY.pem" passed in to my program is meant to be the key for the CA certificate, and it also uses that same key for all generated certificates.
Oct 29 10:37:10 <Maxdamantus> It could theoretically take in a second key for the latter, but that seems unnecessary.
Oct 29 10:37:41 <KotCzarny> generating certs is not a big problem if you just need it for few frequent sites
Oct 29 10:37:54 <Wizzup> you could use transparent socks proxy if n900 supports it
Oct 29 10:37:57 <Wizzup> (with iptables)
Oct 29 10:37:58 <Maxdamantus> and when/if I get it working properly, I'd rather just keep the key in memory instead of storing it on the filesystem, so don't want to generate too many keys on boot.
Oct 29 10:38:18 <Wizzup> Maxdamantus: just generate a new intermediate?
Oct 29 10:38:27 <Maxdamantus> Wizzup: there's no intermediate.
Oct 29 10:38:38 <Wizzup> then generate one ;) 
Oct 29 10:38:44 <Maxdamantus> How does an intermediate help?
Oct 29 10:38:55 <Wizzup> if you want to keep the keys in memory...
Oct 29 10:39:01 <Wizzup> eh, whatever :) 
Oct 29 10:39:09 <Maxdamantus> The intermediate would need to be signed by the trusted certificate's key.
Oct 29 10:39:37 <sicelo> opera mobile *can* use a proxy. it's in about:opera, or some such
Oct 29 10:40:18 <sicelo> opera:config
Oct 29 10:40:45 <Maxdamantus> Oh, cool.
Oct 29 10:41:03 <Maxdamantus> Okay, guess I'll adapt it to use that tomorrow.
Oct 29 10:41:20 <Maxdamantus> That should solve the lacking SNI issue too.
Oct 29 10:41:28 <Maxdamantus> since whatever it sends to the proxy should have the hostname.
Oct 29 10:44:05 <Maxdamantus> and yeah, that treats the proxy as an HTTP proxy and just uses "CONNECT github.com:443 HTTP/1.1                                                                                                                                                      
Oct 29 10:44:09 <Maxdamantus> "
Oct 29 10:44:12 <Maxdamantus> eh, spaces.
Oct 29 10:47:57 <bencoh> hmm, mitmproxy looks pretty handy for android app REing
Oct 29 10:53:00 <Maxdamantus> also simplifies getting the browser to actually connect to the proxy.
Oct 29 10:54:02 <Maxdamantus> was intending on adding netfilter rules that did something like forward all :443 traffic to the proxy, unless the source is some particular address, which the proxy would bind to for outgoing connections.
Oct 29 10:58:16 <Maxdamantus> btw, https://github.com/kr/mitm might already be a sufficient Go implementation.
Oct 29 11:01:43 <Maxdamantus> Have to be careful with all these things though, given how explicit you have to be in OpenSSL to actually get validation to work.
Oct 29 11:03:10 <Maxdamantus> eg, checking that the certificate is valid and checking that the CN in the certificate matches what you're connecting to are different things.
Oct 29 11:05:14 <Maxdamantus> even though the hostname is specified in two places already (`BIO_set_conn_hostname` (for DNS lookup) and `SSL_set_tlsextl_host_name` (SNI))
Oct 29 14:59:22 <DocScrutinizer05> BYEBYE Merkel
Oct 29 14:59:52 <DocScrutinizer05> hurry up a bit! don't forget to take you rocks with you
Oct 29 15:00:20 <KotCzarny> dont worry, refugees are there to stay
Oct 29 15:01:05 <DocScrutinizer05> I don't care too much about any refugees
Oct 29 15:01:55 <KotCzarny> well, not refugees, hostile tools of national identity disintegration
Oct 29 15:10:24 <KotCzarny> also, 2021? is that a joke?
Oct 29 15:13:42 <KotCzarny> 2 more years of the fun
Oct 29 15:29:06 <DocScrutinizer05> alas you got a few points there
Oct 29 15:30:10 * DocScrutinizer05 is tempted to run the streets shouting "HURRY UP! GET LOST!"
Oct 29 15:30:42 <DocScrutinizer05> "I WONT SURVIVE ANOTHER 2 YEARS OF THAT NARCOTIC"
Oct 29 15:34:56 <DocScrutinizer05> there's hope she can't pull off the chancellorship 2 years as lame duck
Oct 29 19:51:27 <halftux> does somebody know where I could find these automated generated maemo diff files to debian source packages?
Oct 29 19:52:06 <sicelo> which ones?
Oct 29 19:55:52 <halftux> libsoup2.4
Oct 29 19:56:16 <halftux> from original maemo source
Oct 29 19:57:21 <halftux> there was an url were you could generate diff files from debian to maemo but I forget
Oct 29 20:12:23 <sicelo> no idea. :-/
Oct 29 22:16:01 <DocScrutinizer05> halftux, sicelo: it's dead since ages
**** ENDING LOGGING AT Tue Oct 30 02:59:59 2018