ja3proxy's Introduction

JA3Proxy

Customizing TLS (JA3) Fingerprints through HTTP Proxy

Usage

Building from source

git clone https://github.com/lylemi/ja3proxy
cd ja3proxy
make
./ja3proxy -port 8080 -client 360Browser -version 7.5

curl -v -k --proxy http://localhost:8080 https://www.example.com

Using docker CLI

docker run \
      -v ./credentials:/app/credentials \
      -p 8080:8080 \
      ghcr.io/lylemi/ja3proxy:latest \
      -cert /app/credentials/cert.pem \
      -key /app/credentials/key.pem \
      -client 360Browser \
      -version 7.5

Using docker compose

See compose.yaml

docker compose up -d

CLI usage

Usage of ja3proxy:
  -addr string
        proxy listen host
  -port string
        proxy listen port (default "8080")
  -cert string
        proxy tls cert (default "cert.pem")
  -key string
        proxy tls key (default "key.pem")
  -client string
        utls client (default "Golang")
  -version string
        utls client version (default "0")
  -upstream string
        upstream proxy, e.g. 127.0.0.1:1080, socks5 only
  -debug
        enable debug

Predefined clients and versions

For the full list, see: https://github.com/refraction-networking/utls/blob/master/u_common.go

Client Version
Golang 0
Firefox 55
Firefox 56
Firefox 63
Firefox 99
Firefox 105
Chrome 58
Chrome 62
Chrome 70
Chrome 96
Chrome 102
Chrome 106
iOS 12.1
iOS 13
iOS 14
Android 11
Edge 85
Edge 106
Safari 16.0
360Browser 7.5
QQBrowser 11.1

Contribution

If you have any ideas or suggestions, please feel free to submit a pull request. We appreciate any contributions.

Contact

If you have any questions or suggestions, please feel free to contact us.

ja3proxy's People

Contributors

lylemi

ja3proxy's Issues

Certificate generation does not respect CLI arguments

Problem

When -cert and -key flags are provided but those files don't exist, ja3proxy creates the certificate and key at the default locations but still attempts to use the paths provided by the flags. This issue also occurs when using the compose.yaml provided in #4.

Walkthrough

  1. Cert or key isn't found, calls generateCertificate()

    ja3proxy/proxy.go

    Lines 162 to 165 in a485d37

    if !fileExists(Config.Cert) || !fileExists(Config.Key) {
        log.Println("cert not exists, generate")
        generateCertificate()
    }

  2. Cert generation uses default path:

    certOut, err := os.Create("cert.pem")

  3. Key generation uses default path:

    keyOut, err := os.OpenFile("key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)

  4. Proxy unsuccessfully attempts to find cert and key at specified paths and fails:

    ja3proxy/proxy.go

    Lines 89 to 92 in a485d37

    cert, err := tls.LoadX509KeyPair(Config.Cert, Config.Key)
    if err != nil {
        log.Fatal(err)
    }

Proposed solution

Create cert and key at the paths specified through the CLI, by passing Config.Cert and Config.Key to the generateCertificate function. Throw an error if only one of those files exists (do not overwrite either one).

Moved to #7: Unless I'm overlooking something, I believe it would also make more sense to load the certificates on proxy startup (inside main()) and not on every connection.

Add LICENSE

I noticed this repository doesn't have a license yet. Since there are only two contributors so far, me and @LyleMi, it should be easy to add a license and license existing commits under that license.

I would suggest using the MIT license, since it's simple and permissive.

Stuck with curl HTTP/0.9 issue

Hi- new user so sorry if I'm doing something stupid.

I've tried lots of combinations for the proxy Firefox 55/58/102/105, Chrome 58, iOS 111/13
using curl to https://www.yahoo.com and https://www.bing.com with and without the curl --http2 flag and I always get the curl HTTP/0.9 error

(with Firefox 102)

$ curl -v -k --proxy http://localhost:8080 https://www.bing.com --http2
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
* allocate connect buffer
* Establish HTTP proxy tunnel to www.bing.com:443
> CONNECT www.bing.com:443 HTTP/1.1
> Host: www.bing.com:443
> User-Agent: curl/7.88.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Date: Thu, 24 Aug 2023 13:29:59 GMT
< Transfer-Encoding: chunked
* Ignoring Transfer-Encoding in CONNECT 200 response
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=localhost
*  start date: Aug 24 12:43:45 2023 GMT
*  expire date: Aug 23 12:43:45 2024 GMT
*  issuer: CN=localhost
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* using HTTP/1.x
> GET / HTTP/1.1
> Host: www.bing.com
> User-Agent: curl/7.88.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Received HTTP/0.9 when not allowed
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (1) Received HTTP/0.9 when not allowed

Chaining another proxy?

Would it be possible to add an option to chain a second proxy between the ja3proxy and the final destination?

So the request would look like:
client --> ja3proxy --> other_proxy --> destination server
(goal is to pass the modified ja3 signature via the second proxy to the server)

The 2nd proxy params can be passed as parameters to ja3proxy.

Thanks!

Error when using the Chrome fingerprint

➜ ./ja3proxy -port 8080 -client Chrome -version 106
HTTP Proxy Server started at localhost Port:8080
2023/07/15 15:45:09 proxy to kawayiyi.com:443
2023/07/15 15:45:10 copy dest to client error read tcp 127.0.0.1:8080->127.0.0.1:56461: use of closed network connection

$ curl -v -k --proxy http://localhost:8080 https://kawayiyi.com/tls

* Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to kawayiyi.com:443
> CONNECT kawayiyi.com:443 HTTP/1.1
> Host: kawayiyi.com:443
> User-Agent: curl/8.1.2
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Date: Sat, 15 Jul 2023 07:50:40 GMT
< Transfer-Encoding: chunked
* Ignoring Transfer-Encoding in CONNECT 200 response
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* schannel: disabled automatic use of client certificate
* using HTTP/1.x
> GET /tls HTTP/1.1
> Host: kawayiyi.com
> User-Agent: curl/8.1.2
> Accept: */*
>
* Received HTTP/0.9 when not allowed
* Closing connection 0
* schannel: shutting down SSL/TLS connection with kawayiyi.com port 443
curl: (1) Received HTTP/0.9 when not allowed

[Improvement] Load certificate and key at startup

At the moment the certificate and key seem to be loaded from the disk every time a new connection is made:

cert, err := tls.LoadX509KeyPair(Config.Cert, Config.Key)

It would be more efficient to load them once at startup and keep them in memory, since users probably don't expect the proxy to recognize file changes while running.
