2

I have configured android APP to bypass certificate pinning using some modification of app and installed mitm certificate as system and user in android

After running mitmproxy and mitmdump i got below error

however i tried all possible way to solve issue but only in one app i am facing this error

Certificate verification error for www.kjljjlk.com.mx:
                          ("hostname 'www.hjkhjk.com.mx' doesn't match either
                          of 'a248.e.jhkhkdsfsf.net', '*.dsfsfds-sdfsdfdsf.net',
                          '*.sdffdsfsdf.net', '*.dsfsdfdsf-sdfsfsf.net',
                          '*.dfsfsdsdf.net'",)

 << Cannot establish TLS with client (sni: xyxyxyxy.com): TlsException("SSL handshake error: Error([('SSL routines', 'tls_process_client_hello', 'parse tlsext')])")

I also try to run with burpsuite, but i get unknown_ca error

After all i tried to open site in firefox, and i get warning of potential risk

xyxyxyx.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

so i click on accept risk and continue, then it open

but somehow in android app it is not accessing site

any help pls

Thank you

======

> Mitmproxy: 5.0.0 binary Python:    3.7.5 OpenSSL:   OpenSSL 1.1.0j  20
> Nov 2018 Platform: 
> Linux-5.3.0-7625-generic-x86_64-with-debian-buster-sid
Phantômaxx
  • 37,901
  • 21
  • 84
  • 115
TonyStark
  • 379
  • 6
  • 22

2 Answers2

4

As a general rule, you can disable certificate checking with the ssl_insecure option.

What TLS versions are supported by the server? It might be that the server is TLS 1.3 only, which mitmproxy doesn't support at the moment (https://github.com/mitmproxy/mitmproxy/pull/3692).

Maximilian Hils
  • 6,309
  • 3
  • 27
  • 46
  • 1
    Okay. I tried with `--ssl-insecure` but still getting same error. Also site has TLS 1.3, so as you told that is not supported yet. any other way to capture? – TonyStark Dec 30 '19 at 10:02
  • Does mitmproxy 6.0.2 not support TLS1.2? – Alex Sep 16 '21 at 02:17
  • @Alex: It definitely does, even though you should upgrade to version 7. :) – Maximilian Hils Sep 16 '21 at 06:29
  • Dear @MaximilianHils: tks for u answer – Alex Sep 16 '21 at 07:26
  • But my code is not working properly. It looks like you deleted ProxyConfig and ProxyServer. Is there any way to do it?tks. – Alex Sep 16 '21 at 07:33
  • I updated the 7.0.2 version and reinstalled the certificate, and the following error occurred: `Client TLS handshake failed. The client may not trust the proxy's certificate for xxx.xxx.xxx (OpenSSL Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate unknown')]))` – Alex Sep 16 '21 at 08:12
  • @Alex: What kind of client are you using? – Maximilian Hils Sep 16 '21 at 11:35
  • Android+MacOS Catalina 10.15.7 – Alex Sep 16 '21 at 11:40
  • Thanks. I think I can't help you much more beyond the error message. It looks like your client does not trust mitmproxy's certificate, there's not much we can do about this. See https://docs.mitmproxy.org/stable/concepts-certificates/#certificate-pinning – Maximilian Hils Sep 16 '21 at 11:54
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/237195/discussion-between-alex-and-maximilian-hils). – Alex Sep 17 '21 at 02:32
  • @MaximilianHils many thanks! – Alex Sep 17 '21 at 02:33
  • Was there any resolution to this? I updated from 4 which was working fine to 7 which no longer works. – Tony Oct 07 '21 at 20:21
-1

@MaximilianHils

    from mitmproxy import options
    from mitmproxy import proxy
    from mitmproxy.tools import dump
    
    myaddon = Myaddon()
    prot = sys.argv[1]
    opts = options.Options(listen_port=int(prot), ssl_insecure=True, http2=False)
    pconf = proxy.config.ProxyConfig(opts)
    m = dump.DumpMaster(opts)
    m.server = proxy.server.ProxyServer(pconf)
    m.addons.add(myaddon)
Alex
  • 150
  • 9