Commit 50749b4e authored by Matthew Holt's avatar Matthew Holt

httpserver: Improve MITM tests for Chrome on iOS, BlueCoat connections

parent 06873175
...@@ -58,6 +58,11 @@ func (h *tlsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { ...@@ -58,6 +58,11 @@ func (h *tlsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
} else if strings.Contains(ua, "Chrome") { } else if strings.Contains(ua, "Chrome") {
checked = true checked = true
mitm = !info.looksLikeChrome() mitm = !info.looksLikeChrome()
} else if strings.Contains(ua, "CriOS") {
// Chrome on iOS sometimes uses iOS-provided TLS stack (which looks exactly like Safari)
// but for connections that don't render a web page (favicon, etc.) it uses its own...
checked = true
mitm = !info.looksLikeChrome() && !info.looksLikeSafari()
} else if strings.Contains(ua, "Firefox") { } else if strings.Contains(ua, "Firefox") {
checked = true checked = true
mitm = !info.looksLikeFirefox() mitm = !info.looksLikeFirefox()
...@@ -338,6 +343,10 @@ func (info rawHelloInfo) looksLikeFirefox() bool { ...@@ -338,6 +343,10 @@ func (info rawHelloInfo) looksLikeFirefox() bool {
} }
} }
if hasGreaseCiphers(info.cipherSuites) {
return false
}
// We check for order of cipher suites but not presence, since // We check for order of cipher suites but not presence, since
// according to the paper, cipher suites may be not be added // according to the paper, cipher suites may be not be added
// or reordered by the user, but they may be disabled. // or reordered by the user, but they may be disabled.
...@@ -412,6 +421,10 @@ func (info rawHelloInfo) looksLikeChrome() bool { ...@@ -412,6 +421,10 @@ func (info rawHelloInfo) looksLikeChrome() bool {
} }
} }
if !hasGreaseCiphers(info.cipherSuites) {
return false
}
return true return true
} }
...@@ -449,6 +462,10 @@ func (info rawHelloInfo) looksLikeEdge() bool { ...@@ -449,6 +462,10 @@ func (info rawHelloInfo) looksLikeEdge() bool {
} }
} }
if hasGreaseCiphers(info.cipherSuites) {
return false
}
return true return true
} }
...@@ -483,6 +500,10 @@ func (info rawHelloInfo) looksLikeSafari() bool { ...@@ -483,6 +500,10 @@ func (info rawHelloInfo) looksLikeSafari() bool {
return false return false
} }
if hasGreaseCiphers(info.cipherSuites) {
return false
}
// We check for order and presence of cipher suites // We check for order and presence of cipher suites
expectedCipherSuiteOrder := []uint16{ expectedCipherSuiteOrder := []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, // 0xc02c tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, // 0xc02c
...@@ -540,6 +561,34 @@ func assertPresenceAndOrdering(requiredItems, candidateList []uint16, requiredIs ...@@ -540,6 +561,34 @@ func assertPresenceAndOrdering(requiredItems, candidateList []uint16, requiredIs
return true return true
} }
func hasGreaseCiphers(cipherSuites []uint16) bool {
for _, cipher := range cipherSuites {
if _, ok := greaseCiphers[cipher]; ok {
return true
}
}
return false
}
var greaseCiphers = map[uint16]struct{}{
0x0A0A: {},
0x1A1A: {},
0x2A2A: {},
0x3A3A: {},
0x4A4A: {},
0x5A5A: {},
0x6A6A: {},
0x7A7A: {},
0x8A8A: {},
0x9A9A: {},
0xAAAA: {},
0xBABA: {},
0xCACA: {},
0xDADA: {},
0xEAEA: {},
0xFAFA: {},
}
const ( const (
extensionOCSPStatusRequest = 5 extensionOCSPStatusRequest = 5
extensionSupportedCurves = 10 // also called "SupportedGroups" extensionSupportedCurves = 10 // also called "SupportedGroups"
......
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment