PolarProxy 0.8.16 Released

We are happy to announce a new release of the TLS decryption tool PolarProxy.
The new version has been updated to support features like client certificates and a
PCAP-over-IP connector.

Client Certificates

PolarProxy now supports client-authenticated TLS handshakes for outgoing connections
to support sites that require mutual TLS (mTLS) authentication.
The following example uses the PKCS#12 client certificate “client.p12” with password “pwd”
to authenticate PolarProxy when connecting to “https://api.example.com”:

./PolarProxy -p 10443,80,443 --clientcert api.example.com:client.p12:pwd

Thanks to Peter Lambrechtsen for the idea!

Bypassing Decryption for Specific Domains

There are situations when it isn’t appropriate to decrypt the traffic passing through PolarProxy.
The traffic might, for example, contain personal or confidential information.
It might also not be possible to decrypt the traffic for technical reasons,
such as when clients use
certificate pinning or
certificate transparency
to validate the server certificate.
We therefore recommend that such sites are put on a “bypass” list, i.e. a list of domains
for which PolarProxy should let the encrypted traffic pass untouched to preserve the end-to-end encryption
between the client and server.

PolarProxy’s “--bypass <file>” option,
which can be used to provide a regular expression list of domains not to decrypt,
is now accompanied by “--bypassexact <file>”.
The new --bypassexact option
simply matches domains against the lines in <file> using string matching of the full domain name,
no fancy-pants regex involved.

PCAP-over-IP Client

The new “--pcapoveripconnect” option can be used to let PolarProxy connect to a
PCAP-over-IP listener and send it a live PCAP stream of decrypted traffic over TCP.
This option complements PolarProxy’s “--pcapoverip” option, which sets up a PCAP-over-IP
listener that serves clients with the same PCAP stream.
Thanks to Andy Wick for suggesting adding
a PCAP-over-IP connector to PolarProxy!

The following command instructs PolarProxy to send a live PCAP stream with decrypted traffic to a local PCAP-over-IP listener:

./PolarProxy -p 10443,80,443 --pcapoveripconnect 127.0.0.1:57012

PolarProxy will automatically attempt to re-establish the PCAP-over-IP connection every 10 seconds if it goes down or cannot be established for some reason.
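
A receiving end for the command above, as an added example (not code from the original post or from PolarProxy): a Python listener on 127.0.0.1:57012 that parses the incoming stream incrementally, whatever way TCP splits it. It assumes the stream uses the classic libpcap file format and that every new connection starts with a fresh global header; PcapStreamParser and listen are names made up for this example.

```python
import socket
import struct

MAGICS = {  # wire magic -> (struct byte order, timestamp fraction divisor)
    b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),
    b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9),
}

class PcapStreamParser:
    """Incremental parser for a classic pcap stream (assumed format) split across TCP reads."""
    def __init__(self, max_packet=262144):
        self.buf, self.order, self.linktype = bytearray(), None, None
        self.max_packet = max_packet  # sanity limit on a record's captured length

    def feed(self, data):
        """Append received bytes; return the complete (timestamp, frame) records."""
        self.buf += data
        packets = []
        if self.order is None:  # still waiting for the 24-byte global header
            if len(self.buf) < 24:
                return packets
            if bytes(self.buf[:4]) not in MAGICS:
                raise ValueError("not a classic pcap stream")
            self.order, self.div = MAGICS[bytes(self.buf[:4])]
            self.linktype = struct.unpack(self.order + "I", self.buf[20:24])[0]
            del self.buf[:24]
        while len(self.buf) >= 16:  # 16-byte record header, then incl_len bytes
            sec, frac, incl_len, _ = struct.unpack(self.order + "IIII", self.buf[:16])
            if incl_len > self.max_packet:
                raise ValueError("record length over limit, stream out of sync")
            if len(self.buf) < 16 + incl_len:
                break  # record body not fully received yet
            packets.append((sec + frac / self.div, bytes(self.buf[16:16 + incl_len])))
            del self.buf[:16 + incl_len]
        return packets

def listen(host="127.0.0.1", port=57012):
    """Accept PCAP-over-IP senders one at a time and print a line per packet."""
    with socket.create_server((host, port)) as srv:
        while True:  # the sender reconnects after a drop, so keep accepting
            conn, peer = srv.accept()
            parser = PcapStreamParser()  # assumes a fresh header per connection
            with conn:
                while chunk := conn.recv(65536):
                    for ts, frame in parser.feed(chunk):
                        print(f"{peer[0]} {ts:.6f} linktype={parser.linktype} len={len(frame)}")

if __name__ == "__main__":
    listen()
```

The listener binds to loopback by default because the stream it receives is decrypted traffic sent over plain TCP.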

Only Store Packets When Instructed

PolarProxy no longer writes hourly rotated pcap files with decrypted packets
to disk unless explicitly instructed to do so with
“-o <directory>”
or “-w <file>”.

Flushing Buffered Packets to Disk

PolarProxy now periodically flushes buffered packets to disk every 60 seconds.
The flush interval can be controlled with the “--autoflush <seconds>” option.
The auto flush can also be disabled with “--autoflush 0”.

No More Out-of-Quota Issues

We have also improved the quota handling for our privileged users,
who have a license key that allows them to decrypt more than 10 GB or 10 000 TLS sessions per day.
You should now be able to use your full daily quota without issues!


*** This is a Security Bloggers Network syndicated blog from NETRESEC Network Security Blog authored by Erik Hjelmvik. Read the original post at: https://www.netresec.com/?page=Blog&month=2020-11&post=PolarProxy-0-8-16-Released