NTB
Reputation: 89
How to test a man in the middle HTTPS proxy?
We are looking for guidelines for testing a new product that works as a "man in the middle" proxy, and intercept HTTPS traffic.
This system needs to act as a standard browsers and block any attempt to access a site with invalid certificate.
We thought about testing the following scenarios:
- Expired certificate
- A certificate that was issues for a future date
- The requested hostname does not match the certificate hostname
- The certificate is not signed by a root CA
My questions are:
- What other certificates scenario should we test?
- Which tools should we use to generate those "invalid" certificates?
- Do you know of any open source project (maybe a browser or proxy) that has a set of unit tests that we can learn from?
Thanks.
Upvotes: 1
Views: 4194
Answers (1)
Eugene Mayevski 'Callback
Reputation: 46040
The procedure of certificate validation is completely described in the corresponding RFCs (3280, 2560 etc.) and you don't need to invent any "scenarios".
For generation of certificates including invalid ones you can use our SecureBlackbox components (trial mode will be enough).
Upvotes: 3
Related Questions
- SSL certificate testing
- Curl request with proxy. how verify if it work?
- SSL Intercepting Proxys
- Way to test IP proxies
- Mock server for https connection
- How would you test an SSL connection?
- polygraph for https via proxy server
- Man In Middle Attack for HTTPS
- How to verify that ssl was not intercepted via proxy etc in browser?
- How to create Man in the Middle instrumentation