Fix raw passthrough containing TLS

pimterry · pimterry · commit e9e77a92f1bc · 2025-12-02T18:59:24.000+01:00
We now have a confusing scenario with TLS passthrough (non-intercepted)
raw passthrough (fully intercepted) and raw-passthrough-with-tls (fully
intercepted, but we unwrap and then recreate TLS so we can see
everything).

Previously the last case there didn't work: we unwrapped TLS, then
forwarded the traffic it contained to the destination without TLS. Bad
for security, but also in practice extremely likely to not work at all.

We now recreate the TLS connection on the passthrough, so
unknown-over-TLS should work as expected with TLS on both sides but
traffic still inspectable (cool right). This allows us to do things like
secure MQTT, at least in theory (in practice it's unclear how tricky
cert trust will be in scenarios like that).
diff --git a/src/server/mockttp-server.ts b/src/server/mockttp-server.ts
@@ -14,7 +14,7 @@ import cors = require("cors");
 import now = require("performance-now");
 import WebSocket = require("ws");
 import { Mutex } from 'async-mutex';
-import { ErrorLike, isErrorLike } from '@httptoolkit/util';
+import { ErrorLike, isErrorLike, UnreachableCheck } from '@httptoolkit/util';
 
 import {
     Destination,
@@ -1186,7 +1186,31 @@ ${await this.suggestRule(request)}`
 
         setImmediate(() => this.eventEmitter.emit(`${type}-passthrough-opened`, eventData));
 
-        const upstreamSocket = net.connect({ host: hostname, port: targetPort });
+        let upstreamSocket;
+        if (type === 'raw' && socket[LastHopEncrypted]) {
+            // Awkward edge case. If we are passing through raw data, but we've already unwrapped TLS beforehand,
+            // we need to recreate the TLS for the passthrough. This is more art than science but we can
+            // get pretty close to simulating the original incoming configuration:
+            upstreamSocket = tls.connect({
+                host: hostname,
+                port: targetPort,
+                servername: socket[TlsMetadata]?.sniHostname,
+                // We have to mirror the ALPN protocols, which might be messy since we've actually already
+                // negotiated one. Here we blindly hope (!) that we end up on the same page:
+                ALPNProtocols: socket[TlsMetadata]?.clientAlpn,
+
+                // We have no way to know what certs the client trusts and no config options for this yet, so
+                // we just make do with default trust settings here in all cases.
+            });
+        } else if (type === 'tls' || type === 'raw') {
+            // For raw traffic we pass through raw - not surprising. For TLS traffic this might be surprising,
+            // but it's because a TLS tunnel is when we _don't_ terminate TLS ourselves, so we can't get inside
+            // the tunnel at all here.
+            upstreamSocket = net.connect({ host: hostname, port: targetPort });
+        } else {
+            throw new UnreachableCheck(type);
+        }
+
         upstreamSocket.setNoDelay(true);
 
         socket.pipe(upstreamSocket);
diff --git a/test/integration/proxying/unknown-protocol.spec.ts b/test/integration/proxying/unknown-protocol.spec.ts
@@ -1,6 +1,8 @@
 import * as net from 'net';
+import * as tls from 'tls';
 import * as http2 from 'http2';
 import { expect } from "chai";
+import { TlsHelloData, trackClientHellos } from 'read-tls-client-hello';
 
 import { getLocal } from "../../..";
 import {
@@ -9,96 +11,190 @@ import {
     makeDestroyable,
     nodeOnly,
     openRawSocket,
-    delay,
     getHttp2Response,
-    cleanup
+    cleanup,
+    openRawTlsSocket,
+    DestroyableServer
 } from "../../test-utils";
+import { getCA } from '../../../src/util/certificates';
 
 nodeOnly(() => {
     describe("Unknown protocol handling", () => {
 
         describe("with SOCKS & unknown protocol passthrough enabled", () => {
 
             let server = getLocal({
+                https: {
+                    keyPath: './test/fixtures/test-ca.key',
+                    certPath: './test/fixtures/test-ca.pem',
+                },
                 socks: true,
                 passthrough: ['unknown-protocol']
             });
 
-            // Simple TCP echo server:
-            let remoteServer = makeDestroyable(net.createServer((socket) => {
-                socket.on('data', (data) => {
-                    socket.end(data);
-                });
-            }));
-            let remotePort!: number;
-
             beforeEach(async () => {
                 await server.start();
 
-                remoteServer.listen();
-                await new Promise((resolve, reject) => {
-                    remoteServer.on('listening', resolve);
-                    remoteServer.on('error', reject);
-                });
-                remotePort = (remoteServer.address() as net.AddressInfo).port;
-
                 // No unexpected errors here please:
                 await server.on('tls-client-error', (e) => expect.fail(`TLS error: ${e.failureCause}`));
                 await server.on('client-error', (e) => expect.fail(`Client error: ${e.errorCode}`));
             });
 
             afterEach(async () => {
                 await server.stop();
-                await remoteServer.destroy();
             });
 
-            it("can tunnel an unknown protocol over SOCKS, if enabled", async () => {
-                const socksSocket = await openSocksSocket(server, 'localhost', remotePort);
-                const response = await sendRawRequest(socksSocket, '123456789');
-                expect(response).to.equal('123456789');
-            });
+            describe("to a raw TCP server", () => {
+
+                // Simple TCP echo server:
+                let remoteServer = makeDestroyable(net.createServer((socket) => {
+                    socket.on('data', (data) => {
+                        socket.end(data);
+                    });
+                }));
+                let remotePort!: number;
+
+                beforeEach(async () => {
+                    remoteServer.listen();
+                    await new Promise((resolve, reject) => {
+                        remoteServer.on('listening', resolve);
+                        remoteServer.on('error', reject);
+                    });
+                    remotePort = (remoteServer.address() as net.AddressInfo).port;
+                });
+
+                afterEach(async () => {
+                    await remoteServer.destroy();
+                });
+
+                it("can tunnel an unknown protocol over SOCKS, if enabled", async () => {
+                    const socksSocket = await openSocksSocket(server, 'localhost', remotePort);
+                    const response = await sendRawRequest(socksSocket, '123456789');
+                    expect(response).to.equal('123456789');
+                });
+
+                it("can tunnel an unknown protocol over HTTP, if enabled", async () => {
+                    const tunnel = await openRawSocket(server);
+
+                    tunnel.write(`CONNECT localhost:${remotePort} HTTP/1.1\r\n\r\n`);
+                    const connectResponse = await new Promise<Buffer>((resolve, reject) => {
+                        tunnel.on('data', resolve);
+                        tunnel.on('error', reject);
+                    });
 
-            it("can tunnel an unknown protocol over HTTP, if enabled", async () => {
-                const tunnel = await openRawSocket(server);
+                    expect(connectResponse.toString()).to.equal('HTTP/1.1 200 OK\r\n\r\n');
 
-                tunnel.write(`CONNECT localhost:${remotePort} HTTP/1.1\r\n\r\n`);
-                const connectResponse = await new Promise<Buffer>((resolve, reject) => {
-                    tunnel.on('data', resolve);
-                    tunnel.on('error', reject);
+                    tunnel.write('hello world');
+                    const unknownProtocolResponse = await new Promise<Buffer>((resolve, reject) => {
+                        tunnel.on('data', resolve);
+                        tunnel.on('error', reject);
+                    });
+
+                    expect(unknownProtocolResponse.toString()).to.equal('hello world');
+                    tunnel.end();
                 });
 
-                expect(connectResponse.toString()).to.equal('HTTP/1.1 200 OK\r\n\r\n');
+                it("can tunnel an unknown protocol over HTTP/2, if enabled", async () => {
+                    const proxyClient = http2.connect(server.url);
+
+                    const tunnel = proxyClient.request({
+                        ':method': 'CONNECT',
+                        ':authority': `localhost:${remotePort}`
+                    });
+                    const proxyResponse = await getHttp2Response(tunnel);
+                    expect(proxyResponse[':status']).to.equal(200);
+
+                    tunnel.write('hello world');
+                    const unknownProtocolResponse = await new Promise<Buffer>((resolve, reject) => {
+                        tunnel.on('data', resolve);
+                        tunnel.on('error', reject);
+                    });
 
-                tunnel.write('hello world');
-                const unknownProtocolResponse = await new Promise<Buffer>((resolve, reject) => {
-                    tunnel.on('data', resolve);
-                    tunnel.on('error', reject);
+                    expect(unknownProtocolResponse.toString()).to.equal('hello world');
+                    tunnel.end();
+
+                    await cleanup(tunnel, proxyClient);
                 });
 
-                expect(unknownProtocolResponse.toString()).to.equal('hello world');
-                tunnel.end();
             });
 
-            it("can tunnel an unknown protocol over HTTP/2, if enabled", async () => {
-                const proxyClient = http2.connect(server.url);
+            describe("to a TLS-but-not-HTTP server", () => {
+
+                // TLS echo server: unwraps TLS, then echos
+                let remoteServer: DestroyableServer<tls.Server>;
+                let remotePort!: number;
+
+                // Track client hellos on connections
+                before(async () => {
+                    // Dynamically generate certs, just like Mockttp itself, but for raw 'echo' only. We use our
+                    // test CA which should be trusted by Node due to NODE_EXTRA_CA_CERTS settings in package.json.
+                    const ca = await getCA({
+                        keyPath: './test/fixtures/test-ca.key',
+                        certPath: './test/fixtures/test-ca.pem',
+                    });
+                    const defaultCert = await ca.generateCertificate('localhost.test');
+
+                    remoteServer = makeDestroyable(tls.createServer({
+                        key: defaultCert.key,
+                        cert: defaultCert.cert,
+                        ca: [defaultCert.ca],
+                        SNICallback: async (domain: string, cb: Function) => {
+                            const generatedCert = await ca.generateCertificate(domain);
+                            cb(null, tls.createSecureContext({
+                                key: generatedCert.key,
+                                cert: generatedCert.cert,
+                                ca: generatedCert.ca
+                            }));
+                        },
+                        ALPNProtocols: ['echo']
+                    }, (socket) => {
+                        hellos.push(socket.tlsClientHello);
+                        socket.on('data', (data) => {
+                            socket.end(data);
+                        });
+                    }));
+
+                    trackClientHellos(remoteServer);
+                });
+
+                // Store the client hellos for reference
+                let hellos: Array<TlsHelloData | undefined> = [];
 
-                const tunnel = proxyClient.request({
-                    ':method': 'CONNECT',
-                    ':authority': `localhost:${remotePort}`
+                beforeEach(async () => {
+                    remoteServer.listen();
+                    await new Promise((resolve, reject) => {
+                        remoteServer.on('listening', resolve);
+                        remoteServer.on('error', reject);
+                    });
+                    remotePort = (remoteServer.address() as net.AddressInfo).port;
+
+                    hellos = [];
                 });
-                const proxyResponse = await getHttp2Response(tunnel);
-                expect(proxyResponse[':status']).to.equal(200);
 
-                tunnel.write('hello world');
-                const unknownProtocolResponse = await new Promise<Buffer>((resolve, reject) => {
-                    tunnel.on('data', resolve);
-                    tunnel.on('error', reject);
+                afterEach(async () => {
+                    await remoteServer.destroy();
                 });
 
-                expect(unknownProtocolResponse.toString()).to.equal('hello world');
-                tunnel.end();
+                it("can tunnel an unknown protocol using TLS over SOCKS, if enabled", async () => {
+                    const socksSocket = await openSocksSocket(server, 'localhost', remotePort);
+
+                    const tlsSocket = await openRawTlsSocket(socksSocket, {
+                        servername: 'server.test',
+                        ALPNProtocols: ['echo']
+                    });
+
+                    const response = await sendRawRequest(tlsSocket, '123456789');
+                    expect(response).to.equal('123456789');
+
+                    // We're terminating TLS, so we can't perfectly forward everything (client certs, really)
+                    // but we should be able to mirror all the common bits:
+                    expect(hellos.length).to.equal(1);
+                    const destinationTlsHello = hellos[0]!;
+
+                    expect(destinationTlsHello.alpnProtocols).to.deep.equal(['echo']);
+                    expect(destinationTlsHello.serverName).to.equal('server.test');
+                });
 
-                await cleanup(tunnel, proxyClient);
             });
 
         });
