如何测试中间人 HTTPS 代理?
我们正在寻找测试作为“中间人”代理并拦截 HTTPS 流量的新产品的指南。
该系统需要充当标准浏览器并阻止任何访问具有无效证书的站点的尝试。
我们考虑测试以下场景:
- 过期的证书
- 为未来日期颁发的证书
- 请求的主机名与证书主机名不匹配 证书
- 未由根 CA 签名
我的问题是:
- 我们还应该测试哪些其他证书场景?
- 我们应该使用哪些工具来生成那些“无效”证书?
- 您是否知道任何开源项目(可能是浏览器或代理)有一组我们可以学习的单元测试?
谢谢。
We are looking for guidelines for testing a new product that works as a "man in the middle" proxy, and intercept HTTPS traffic.
This system needs to act as a standard browsers and block any attempt to access a site with invalid certificate.
We thought about testing the following scenarios:
- Expired certificate
- A certificate that was issues for a future date
- The requested hostname does not match the certificate hostname
- The certificate is not signed by a root CA
My questions are:
- What other certificates scenario should we test?
- Which tools should we use to generate those "invalid" certificates?
- Do you know of any open source project (maybe a browser or proxy) that has a set of unit tests that we can learn from?
Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
证书验证的过程在相应的 RFC(3280、2560 等)中有完整描述,您不需要发明任何“场景”。
要生成证书(包括无效证书),您可以使用我们的 SecureBlackbox 组件(试用模式将就足够了)。
The procedure of certificate validation is completely described in the corresponding RFCs (3280, 2560 etc.) and you don't need to invent any "scenarios".
For generation of certificates including invalid ones you can use our SecureBlackbox components (trial mode will be enough).