CA (.p12) import to Burp for proxy chaining

Hello everyone,

I am trying to setup a chain of proxy the following way :
Client <----> Burp <----> Mitmproxy <-----> Internet

Right now i am getting the following Error when I try to connect:
"""
502 Bad Gateway

TlsProtocolException(“Cannot establish TLS with www.***.:443 (sni: None): TlsException(‘Cannot validate certificate hostname without SNI’,)”,)
"""
When I use only Burp or Mitmproxy it works fine (I import the CA, etc…) but I am not able to link Burp and mitmproxy
I think I need to import Mitmproxy CA to Burp, however the only format Burp is accepting is .p12 Cert file and asks for a password, I have the .p12 file generated by mitmproxy on the first run (in .mitmproxy/) but there is no indication about any password. I wonder if missed the information in the doc ? Or if I am not doing the chaining properly / if I am missing something ?

Furthermore this error seems a bit weird because I have looked at the traffic with wireshark and Burp is sending a CONNECT message with the information for SNI to mitmproxy.

So I was wondering how to fix this error (and if a solution for importing the CA to Burp will fix this)?

How did you configure Burp? Can you possibly share the traffic you are seeing in the mitmproxy host?

The “Cannot validate certificate hostname without SNI” seems to imply that Burp is not sending a Server Name Indication when establishing TLS with the server. This has nothing to do with the certificate file import.

SNI refers to the Server Name Indication Extension in the TLS handshake, which is independent from (yet often equivalent to) the host specified in an HTTP CONNECT request.

Thanks for the fast reply
I configured Burp the simplest way :

  • The proxy does not intercept
  • I added an Upstream Proxy Server in the User options / connections : Destination Host : *, Proxy Host : 10.7.0.225 (The IP address of the VM where mitmproxy is running), Proxy port : 8080, Auth : None
    And that’s it, other than that I did not change anything, I finally managed to get that CA in Burp (converted .p12 to pem then to .p12 again with a new password) and you are right It has nothing to do with the problem.

The traffic in the mitmproxy host is the following :

Can you share a pcap of this?

Here is the pcap (the request starts line 35)
http://dl.free.fr/getfile.pl?file=/EE6PncFm
Sorry about the page in french, you can click on “Valider et télécharger le fichier” to get the pcap
Here is the interesting part as an image :
My Client is 10.7.0.214/127.0.0.1 and 10.7.0.225 is the VM hosting mitmproxy


It seems that the part that is not working properly is at line 135

Yesm that seems to be an issue with the client connecting to mitmproxy. Packet 73 has the TLS Client Hello without server name indication. You can of course disable certificate verification in mitmproxy, but if you want verified certificates, we need a SNI.

Indeed, I have dug a bit further and the problem is fairly recent and linked to Burp which does not transfer the SNI with Client Hello, I have found this Burp post related to the problem :
https://support.portswigger.net/customer/portal/questions/16827939-burp-does-not-set-sni-on-the-outgoing-connection-to-an-ssl-enabled-web-server

1 Like