Adding initial HttpRequest to MitmManager methods

[jekh]

While working on the PR for issue #288, I started to wonder if it would be a good idea to add the initial HttpRequest for the HTTP CONNECT as a parameter to the MitmManager methods. This would allow the MitmManager to impersonate a host based on the Host header from the client, rather than on the actual hostname or the actual certificate returned by the upstream server. I can think of a few cases when the host requested by the client would not match the upstream server's hostname or server's certificate:

1. A DNS server or filter has changed the DNS resolution of the client-requested host to resolve to some other host.
2. Both of the following conditions are true:
   • SNI is not being used (working on that for Supporting fallback for Java's unrecognized_name error with SNI #288), in which case the MitmManager can't get the hostname from sslContext.getPeerHost().
   • The certificate returned by the upstream server contains some other hostname (i.e. it is an invalid certificate) and/or condition (1) above.

Adding in the initialRequest to the MitmManager would allow the MitmManager to return a valid certificate to the client. It would still be up to the MitmManager to determine whether or not to trust the upstream server, just as it is today, but at least the client would trust the MitmManager's certs.

What do you think, @ganskef? This would of course be a breaking change to MitmManager, so I always want to be cautious about such things.

[ganskef]

First, thank you @jekh pointing me to get the host name from sslContext. I haven't seen this possibility yet.

And yes, an initial HttpRequest would solve my offline requirement, to create a certificate without connecting the upstream server.

So I have no concerns changing the interface. There are some forks, but I haven't seen another application using LittleProxy-mitm yet. The beta1 release is available in Maven and I'll build beta2 ASAP.

Condition 1 and 2b is wrong, I think. If the proxy to server handshake validates the host name, it should never happens. The upstream HTTPS connection is invalid. This could only be a test requirement.

My caching proxy can't use the current MitmManager#clientSslEngineFor(SSLSession) method. I need the additional host name #282. Therefore I have to integrate every upstream twice, in master and in my offline branch. Likewise I can't plug in the https://github.com/lightbody/browsermob-proxy/mitm for this. Offline-MITM was my reason to sign on at GitHub. I'm waiting for a solution ever since.

[jekh]

Condition 1 and 2b is wrong, I think. If the proxy to server handshake validates the host name, it should never happens. The upstream HTTPS connection is invalid. This could only be a test requirement.

Yes, that's correct, it's not valid for "normal" users, but when using the proxy with testing (which is BMP's emphasis), it is a somewhat common use case.

And yes, an initial HttpRequest would solve my offline requirement, to create a certificate without connecting the upstream server.
So I have no concerns changing the interface. There are some forks, but I haven't seen another application using LittleProxy-mitm yet. The beta1 release is available in Maven and I'll build beta2 ASAP.

Sounds good. After PR #291 is reviewed, I'll create another PR adding in the initialHttpRequest to MitmManager.

[jekh]

I'll close this since PR #294 is open now.