I recently had to MiTM an HTTP/2 connection over TLS and realized there is no MiTM tool out there that fully supports HTTP/2 over TLS, and no articles/blog posts written about this topic. After struggling with this for a while, I decided to post my solution to this problem.

The problem:

Standard MiTM tools don't support HTTP/2.

SSLSplit and Burp do not offer any kind of support, and instead just downgrade the connection to HTTP/1.1. If the server only accepts HTTP/2 requests, you will get the following error:

Unexpected HTTP/1.x request

mitmproxy offers only partial support. For my use case it didn't work however, as I ran into the following error described here, which currently has no fix:

Initiating HTTP/2 connections with prior knowledge are currently not supported

I will post my answer below, and leave this thread open in case anyone has anything else to add, or a better solution.

c0mpute

2 Answers


To solve this, I used an HTTP/2 proxy called nghttpx, which translates HTTP/1.x requests to HTTP/2 and vice-versa.

I used SSLSplit to MiTM the connection, and nghttpx as a secondary proxy between the downgraded requests from SSLSplit and the server. Here is a quick diagram:

Client Request [HTTP/2] -> SSLSplit [HTTP/1.1] -> nghttpx [HTTP/2] -> Server
Server Reply [HTTP/2] -> nghttpx [HTTP/1.1] -> SSLSplit [HTTP/1.1] -> Client

In my use case, the client was making requests to multiple domains, but only one of them was HTTP/2. The domain in question was resolving to multiple IP addresses, so I didn't bother using iptables and just added a rule to my /etc/hosts to resolve that domain to localhost:

127.0.0.1     my-domain.com

I then fired up SSLSplit with my regular iptables setup and started nghttpx:

nghttpx -k -f'*,443' -b'IP_ADDR,443;;proto=h2;tls' mitmca.key mitmca.crt -L INFO

Depending on your use case, you might have requests for multiple domains, which will need nghttpx listening on a separate port for each domain, and iptables entries for each one.

Hopefully standard MiTM tools will add full support for HTTP/2 in the future, but for now, this is a good enough solution.

c0mpute
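
Added example, not part of the answer above: a small planning script for the multi-domain case the answer mentions, where the client talks to several HTTP/2-only domains and each one needs its own nghttpx frontend. Rather than one port per domain plus extra iptables entries, this variant (my assumption, not something the answer states) pins each domain to its own loopback address in /etc/hosts so every nghttpx instance can stay on port 443 behind the existing dport-443 redirect; it also restores the SNI with nghttpx's `sni=` backend parameter since the backend is given by IP. The domain/IP pairs are constructed sample data (RFC 5737 documentation ranges), and mitmca.key/mitmca.crt are the answer's own files.

```shell
#!/bin/sh
# Plans one nghttpx frontend per HTTP/2 domain (added example, see lead-in).
# Assumes nghttpx, mitmca.key and mitmca.crt from the answer are in place,
# and that SSLSplit's iptables redirect for dport 443 is already active.
set -eu

# hosts_entry DOMAIN LOOPBACK -> the /etc/hosts line pinning DOMAIN to LOOPBACK
hosts_entry() {
    printf '%s\t%s\n' "$2" "$1"
}

# nghttpx_cmd DOMAIN ORIGIN_IP LOOPBACK -> nghttpx invocation for one domain.
# -f binds the HTTP/1.1 frontend to the loopback address SSLSplit connects to;
# -b talks h2 over TLS to the real origin, with SNI set to the domain because
#    the backend is addressed by IP (sni= is an nghttpx backend parameter).
nghttpx_cmd() {
    printf "nghttpx -k -f'%s,443' -b'%s,443;;proto=h2;tls;sni=%s' mitmca.key mitmca.crt -L INFO\n" \
        "$3" "$2" "$1"
}

# plan < "domain origin_ip" lines -> all hosts entries, then all nghttpx
# commands, allocating 127.0.0.2, 127.0.0.3, ... in input order.
plan() {
    n=2
    hosts=''
    cmds=''
    while read -r domain origin_ip; do
        [ -n "$domain" ] || continue
        lb="127.0.0.$n"
        hosts="$hosts$(hosts_entry "$domain" "$lb")
"
        cmds="$cmds$(nghttpx_cmd "$domain" "$origin_ip" "$lb")
"
        n=$((n + 1))
    done
    printf '%s%s' "$hosts" "$cmds"
}

# Constructed sample: two HTTP/2-only domains the client under test talks to.
SAMPLE='api.example.com 203.0.113.10
cdn.example.net 198.51.100.7'

plan_sample() {
    printf '%s\n' "$SAMPLE" | plan
}

plan_sample
```

Append the first half of the output to /etc/hosts and run each emitted nghttpx line in its own terminal before starting the client.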

It depends what you mean by MiTM: as a passive observer or with the ability to change the traffic?

If you just want to view the traffic then Wireshark has full HTTP/2 support providing your client supports exporting the SSLKEYLOGFILE to allow you to decrypt the traffic (Chrome, Firefox and Curl all support this).

If your client doesn’t support this, or you want to be able to modify traffic, then yes you need to do your other methods like you describe in your answer.

Barry Pollard