0

I am trying to understand why I get a handshake failure during hello client/hello server session.

I am using postman to send this request to the server: $ POST https://192.168.10.211/message Both the machine on which I am running postman and my server are in same LAN;

Server's Ip address: 192.168.10.211

Machine's IP address: 192.168.10.246

I've installed on my android device an application that enables me to communicate with my server. So I use Mitmproxy on my machine to intercept the requests my application is sending to the server Android --> Machine 192.168.10.246 (proxy) --> server and I can see that the application on my android is sending the same request I use on postman (as mentioned above)

This is what wireshark intercepts when I send the request on postman: pcap1

Just after the client sends Certificate, Client key Exchange, Change Cipher Spec, Encrypted Handshake Message The server responds with a handshake failure message which I don't understand where is it coming from?

Here is what the client sends, it says that the certificate length is 0: pcap2

What I tried to do: I've decompiled the apk of the application I use to communicate with the server and I've extracted from it the CERT.RSA which I added on postman but this doesn't work either.

yosra
  • 111
  • 5
  • Your first step is to ensure the server is able to serve content over SSL channel. Try that from any Windows/Linux client, or from the server itself: `openssl s_client -showcerts -servername -connect 192.168.10.211:443`. Also why is in your question mentioned `192.168.10.192` address? Where is it in your setup? – Sergey Nudnov Jun 17 '19 at 01:28
  • @SergeyNudnov sorry my bad it's `192.168.10.211` I've corrected it on my post. – yosra Jun 17 '19 at 08:31
  • @SergeyNudnov Thank you for your response, but this is what I get when I run the command you suggested: `connect: No route to host` `connect:errno=113` – yosra Jun 17 '19 at 08:36
  • It is a bad idea connecting to SSL host by IP address. Usually a SSL certificate is generated for some domain name, and you should use it to connect, otherwise your client will not be able to verify the certificate properly. Also your web server could route connection differently when connecting by IP instead of connecting by name. What command exactly did you run and from what host? The simplified command is: `openssl s_client -showcerts -connect 192.168.10.211:443` – Sergey Nudnov Jun 17 '19 at 14:49

0 Answers0