gomiddleman: A Secure mTLS MitM Proxy
This issue tracks development for gomiddleman, a secure mTLS MitM proxy aimed at improving client-server communication through advanced certificate and revocation management. The project will progress through a phased, iterative approach to enhance security, robustness, and scalability. Below is our development roadmap for building out the proxy's features incrementally.
Problem Addressed
Modern software requires the ability to update configurations dynamically to ensure continuous operations and adhere to security standards. Our challenge was with a Java application that couldn't update certificate revocation lists (CRLs) on the fly. This limitation meant any CRL update required restarting the application, leading to downtime and inefficiency, negatively affecting our service's availability and security.
Solution
We created gomiddleman, a specialized proxy that sits in front of the Java application and enables dynamic management of CRL updates and client certificate access control without application restarts. This allows immediate revocation of compromised certificates, improving both security and operational efficiency. Our solution fills a gap by offering dynamic, seamless certificate management and access control, which significantly improves our infrastructure's resilience and flexibility.
Current Architecture
sequenceDiagram
participant Client
participant gomiddleman as gomiddleman Proxy
participant Backend
Client->>+gomiddleman: Initiate mTLS Connection
gomiddleman->>+Backend: Establish mTLS Connection (as Client)
Note over gomiddleman,Backend: gomiddleman mimics client certificate details
Backend-->>-gomiddleman: mTLS Connection Established
gomiddleman-->>-Client: mTLS Connection Established
Client->>gomiddleman: Sends encrypted traffic
gomiddleman->>Backend: Forwards decrypted traffic
Backend->>gomiddleman: Sends response traffic
gomiddleman->>Client: Forwards encrypted response traffic
Alternative architecture (not implemented)
sequenceDiagram
participant Client
participant gomiddleman as gomiddleman Proxy
participant Backend
Client->>+gomiddleman: Initiate mTLS Connection
Note over Client,gomiddleman: gomiddleman verifies client's certificate
gomiddleman->>+Backend: Relay mTLS Connection Request
Backend-->>-gomiddleman: mTLS Connection Established
gomiddleman-->>-Client: mTLS Connection Established
Client->>Backend: Sends encrypted traffic via gomiddleman
Note over Client,Backend: Traffic is encrypted end-to-end
Backend->>Client: Sends encrypted response via gomiddleman
Next steps
- [Task 11] Environment Setup and Preliminary Research #11
- [Task 2] Implement Basic Proxy Mechanics #2
- [Task 3] mTLS Termination & Initiation #3
- [Task 4] Dynamic Certificate Management #4
- [Task 5] Implement OCSP and CRL Checks #5
- [Task 6] Real-time Revocation List Updates #6
- [Task 7] Enhance Security and Performance #7
- [Task 8] Comprehensive Testing #8
- [Task 9] Documentation & Deployment Preparation #9
- [Task 10] Maintenance and Updates #10
- [Task 34] Implement REST Interface #34