I am using an SSL/TLS proxy, meaning I have installed a CA on all my clients that allows me to break/decrypt their TLS connections. I’m trying to determine what would happen to an mTLS connection and if it would be possible for a client to establish a successful connection with mTLS while still allowing my proxy to MITM the traffic. Furthermore, can I edit the traffic or just intercept/decrypt it? I have no access to or control over the server that the client is trying to connect to.

My belief is that I could at least successfully establish the connection and decrypt the traffic by sending the valid client certificate along to the target server. I would essentially be mimicking the client, but I could forge the server side of the connection using my own trusted keys so I’d retain the ability to decrypt the messages from the client to the target server, but I’m not sure if I can decrypt the server’s responses.

I also can’t figure out what happens in the next few steps when both hosts try to establish a symmetric key.

With mTLS, authentication of both the server and the client certificate is done within the TLS handshake, before any application data are sent.

It is possible for the MITM proxy to provide a trusted server certificate to the client, since the proxy CA is trusted by the client. It is not possible to provide a trusted client certificate to the server, though: passing the original client certificate is impossible due to the lack of the matching private key in the proxy. Creating a new certificate or providing a different one is not possible either, since it is not trusted by the server.

This means the TLS handshake will fail. This also means that no application data will be sent in the first place, in either direction. This also means that there is nothing to decrypt, neither data from client to server nor data from server to client.

Steffen Ullrich
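An added example, not part of the question or the answer, that models in Go (standard library only) the two server-side checks the answer describes: the presented client certificate must be issued by the CA the server trusts, and the CertificateVerify signature over the handshake transcript must verify under the public key inside that certificate. The CA names, the "alice" identity and the transcript bytes are constructed for the demo; a real handshake signs a hash of the actual handshake messages.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a P-256 certificate for cn: a self-signed CA when parent is nil, otherwise a leaf signed by parent/parentKey.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Handshake models server-side mTLS client authentication and returns {chainOK, keyOK}: chainOK is whether the presented
// certificate was issued by the client CA the server trusts; keyOK is whether the CertificateVerify signature, made over
// the transcript with the key the sender actually holds (senderKey), verifies under the public key in that certificate.
func Handshake(clientCA, presented *x509.Certificate, transcript []byte, senderKey *ecdsa.PrivateKey) [2]bool {
	digest := sha256.Sum256(transcript)
	sig, _ := ecdsa.SignASN1(rand.Reader, senderKey, digest[:]) // the sender's proof of possession
	return [2]bool{presented.CheckSignatureFrom(clientCA) == nil,
		ecdsa.VerifyASN1(presented.PublicKey.(*ecdsa.PublicKey), digest[:], sig)}
}

// The proxy CA is installed on the clients but unknown to the server, and the proxy holds only its own private keys.
func main() {
	clientCA, clientCAKey := issue("Client CA", nil, nil)
	proxyCA, proxyCAKey := issue("Proxy CA", nil, nil)
	aliceCert, aliceKey := issue("alice", clientCA, clientCAKey)
	fakeCert, proxyKey := issue("alice", proxyCA, proxyCAKey) // same name as the client, but the proxy's key
	transcript := []byte("constructed stand-in for the handshake transcript") // constructed sample input
	fmt.Println("genuine client:                  ", Handshake(clientCA, aliceCert, transcript, aliceKey)) // [true true]
	fmt.Println("forwarded client cert, proxy key:", Handshake(clientCA, aliceCert, transcript, proxyKey)) // [true false]
	fmt.Println("proxy-issued look-alike cert:    ", Handshake(clientCA, fakeCert, transcript, proxyKey))  // [false true]
}
```

The proxy can satisfy one check or the other but never both, which is why the server aborts the handshake before any application data flows.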