FT_SSL

SSL decoder/encoder.

Category: Preprocessor

Supported flags:

FF_SSL_TLS
FF_SSL_SELF_SIGNED_CERTIFICATE
FF_SSL_INDICATE_HANDSHAKE_REQUESTS
FF_SSL_TLS_AUTO
FF_SSL_COMPATIBILITY
FF_SSL_VERIFY
FF_SSL_SUPPORT_CLIENT_CERTIFICATES
FF_SSL_INDICATE_SERVER_CERTIFICATES
FF_SSL_INDICATE_EXCEPTIONS
FF_SSL_ENABLE_ALPN
FF_SSL_INDICATE_CLIENT_CERT_REQUESTS
FF_SSL_DECODE_ONLY

Object types:
OT_SSL_HANDSHAKE_OUTGOING
OT_SSL_HANDSHAKE_INCOMING
OT_SSL_INVALID_SERVER_CERTIFICATE
OT_SSL_SERVER_CERTIFICATE
OT_SSL_EXCEPTION
OT_SSL_CLIENT_CERT_REQUEST

Indicates object parts: yes

The filter uses man in the middle scheme for decoding the encrypted content. It detects SSL handshakes automatically and generates a compatible SSL certificate for each server. The generated certificates are saved to cert.db file in SSL subfolder of configuration folder specified in pf_init call. The certificates in cert.db are encrypted. By default the filter generates a chained certificate, inherited from a common root with default subject "NetFilterSDK". It is possible to change this name using pf_setRootSSLCertSubject function. The generated root certificate is added to automatically to the following storages:
- Windows certificate storage.
- The certificate storages used by Mozilla products (Firefox, Thunderbird) and other products using the same library for SSL communications. There must be NSS folder containing Mozilla libraries, in the same directory with executable.
- Opera certificate storage.

To disable warnings in the applications using own certificate storages, import ProtocolFilters root certificate to their storage manually. The root certificate is stored in <configuration folder>\SSL\<root name>.cer file, where <configuration folder> is a folder specified in pf_init call, and <root name> is a name specified in pf_setRootSSLCertSubject call. The default root certificate file name is NetFilterSDK.cer. The private key is the same for generated root certificates, unless RSIF_GENERATE_ROOT_PRIVATE_KEY flag is specified in pf_setRootSSLCertImportFlags call before the first run of pf_setRootSSLCertSubject.

When the flag FF_SSL_SELF_SIGNED_CERTIFICATE is specified for FT_SSL filter, the library generates self signed certificates for filtered SSL sessions. The applications using Windows certificate storage like Internet Explorer work without warnings in this case too. But the other applications like Firefox show alerts and do not allow to continue transmitting the data until receiving a confirmation from user.

In some cases it is not possible to filter SSL protected data. For example when a client denies the generated server certificates. In this case the filter counts unsuccessful attempts to filter encrypted connection from some process to some host. After second unsuccessful attempt it stops trying to decode SSL, and creates a record in x.db file in SSL folder to avoid blocking the data transmittion in future.


Administrative rights are required for adding certificates to Windows certificate storage. I.e. the filtering process must have elevated administrative rights.


When FF_SSL_INDICATE_HANDSHAKE_REQUESTS flag is specified in pf_addFilter, the filter indicates SSL handshake requests via dataPartAvailable event. The indicated objects contain one stream with a host name, specified in extended TLS field by a client application. The stream can be empty in case if the client application doesn't specify host name during handshake. The object type is OT_SSL_HANDSHAKE_OUTGOING for outgoing connections, OT_SSL_HANDSHAKE_INCOMING for incoming connections. dataPartAvailable can return one of the following codes:
DPCR_FILTER - continue filtering SSL and decode/encode the transmitted data.
DPCR_BYPASS - don't filter SSL, remove SSL filter from chain and bypass the transmitted packets as-is.
DPCR_BLOCK - close the connection.
DPCR_FILTER_READ_ONLY - enable the flag FF_SSL_DECODE_ONLY and continue filtering SSL without encoding the data between proxy and server.

When the flag FF_SSL_DECODE_ONLY is enabled, the traffic between proxy and server is not encoded. It is useful for example when a local or remote server should handle both HTTP and HTTPS traffic as generic HTTP. It is possible to enable the flag dynamically, by returning DPCR_FILTER_READ_ONLY from dataPartAvailable for OT_SSL_HANDSHAKE_OUTGOING object, containing some known domain name.

When the flag FF_SSL_TLS_AUTO is enabled, the filter tries to detect TLS handshake automatically in first 8 kilobytes of packets, transmitted after adding the filter. It is useful for decoding TLS for unknown protocols, which establish encoded session dynamically using a special protocol command.

The flag FF_SSL_COMPATIBILITY is required to avoid issues with RPC over HTTPS protocol in MS Outlook. It is necessary to use this flag during filtering HTTPS connections of Outlook. When this flag is enabled, the filter uses RC4 algorithm for SSL session and doesn't change the size of transmitted packets. In other cases RPC over HTTPS sometimes hangs in the middle of communicating with Exchange via proxy.

When FF_SSL_VERIFY flag is specified, SSL filter verifies the server certificates using Windows API. When a server returns invalid certificate, for example revoked, expired, self-signed or with untrusted root, the filter calls dataPartAvailable with object having type OT_SSL_INVALID_SERVER_CERTIFICATE. The certificate subject name is specified in object stream. dataPartAvailable can return one of the following codes:
DPCR_FILTER - continue filtering SSL and decode/encode the transmitted data. In this case SSL filter substitutes the invalid certificate with own generated certificate having the same time values, but valid root.
DPCR_BYPASS - don't filter SSL. Block the connection once, add host to the list of exceptions and don't filter the connections with this host:port in future. The connection is blocked because there is no way to bypass the data immediately at the stage when server certificate is already requested.
DPCR_BLOCK - close the connection.

If the certificate is not revoked, SSL filter validates it each 24 hours.

The flag FF_SSL_SUPPORT_CLIENT_CERTIFICATES can be specified for filtering SSL in case when a server requires client certificate. By default SSL filter adds exception in this case. If FF_SSL_SUPPORT_CLIENT_CERTIFICATES flag is specified, the filter requests a client certificate, tries to find an appropriate certificate with exportable private key in Windows storage, then uses the found certificate for filtering SSL. So in this case SSL filter requires the following:
- The client certificate must be imported to Windows storage with exportable private key, even if the client application uses own certificate storage. I.e. it is necessary to mark the private key as exportable during importing the certificate from *.pfx or *.p12 file.
- To have access to all user certificate storages the filtering application must run as a service under LocalSystem account.

When FF_SSL_INDICATE_SERVER_CERTIFICATES flag is specified in pf_addFilter, the filter indicates SSL server certificates via dataPartAvailable event.
The indicated objects with type OT_SSL_SERVER_CERTIFICATE have 3 streams:
SSL_SCS_CERTIFICATE = 0 - Server certificate bytes
SSL_SCS_SUBJECT = 1 - Certificate subject name
SSL_SCS_ISSUER = 2 -  Certificate issuer name

The filtering application can analyze the certificate and return one of the following codes:
DPCR_FILTER - continue filtering SSL and decode/encode the transmitted data.
DPCR_BYPASS - don't filter SSL. Block the connection once, add host to the list of exceptions and don't filter the connections with this host:port in future. The connection is blocked because there is no way to bypass the data immediately at the stage when server certificate is already requested.
DPCR_BLOCK - close the connection.

When FF_SSL_INDICATE_CLIENT_CERT_REQUESTS flag is enabled, and server requests a client certificate, SSL filter indicates via dataPartAvailable an object of type OT_SSL_CLIENT_CERT_REQUEST, containing server domain name (or IP address the name is not specified in SNI) in a single stream.  If dataPartAvailable returns DPCR_BYPASS, SSL filter adds host to internal list of exceptions and doesn't try to filter SSL for this host in future. For any other return code the certificate requests are handled as described above when enabled the flag FF_SSL_SUPPORT_CLIENT_CERTIFICATES.

When FF_SSL_INDICATE_EXCEPTIONS flag is specified in pf_addFilter, the filter calls dataPartAvailable each time when server or client closes a connection during SSL handshake. In such cases SSL filter adds the appropriate pair remote host:port to the list of exceptions after 2 unsuccessful attempts to establish SSL connection.
The indicated objects with type OT_SSL_EXCEPTION have one stream, containing a remote host name from TLS SNI field, or remote endpoint string host:port in case if SNI field is empty.
dataPartAvailable can return DPCR_BLOCK to avoid adding the host to list of exceptions. If it returns any other code, the exception is added as usual. 

FF_SSL_ENABLE_ALPN flag enables TLS extension for negotiating next protocol (e.g. HTTP/2,SPDY,HTTP/1.1). The flag is disabled by default to block HTTP/2 and SPDY. In this case the browsers use generic HTTP 1.0 and 1.1 protocols, supported by HTTP filter.

There are known issues with SSL filter:

- Some versions of Windows Update use additional certificate checks. SSL is filtered properly, but after establishing a connection and transmitting several packets it is blocked by Windows Update service. To avoid issues don't add SSL filter for svchost.exe.
- Skype TCP connections via HTTPS proxy cannot be filtered properly. Don't add SSL filter for the process Skype.exe.
- For Outlook RPC over HTTP connections it is necessary to add SSL filter with FF_SSL_COMPATIBILITY flag.
- PokerStars client establishes many SSL connections with different servers, which cannot be filtered. The filter is unable to add such hosts to the list of exceptions automatically. Add pokerstars.exe to the list of SSL exceptions.