Can't get mitmproxy to work with badly configured site


#1

So this started on a thread on reddit before, but I think this is going to be a better place to actually get help.

So I’m running on Debian Sid with python 3.6 and it works for everything except this site (of course it’s the one I WANT to record everything on).

I’m running it in as insecure a method as I can seem to figure out:

$ mitmproxy -a test.flows --insecure --ssl-version-server all --ssl-version-client all --ciphers-server ALL --ciphers-client ALL -p 12345

Here’s the website: https://techinfo.toyota.com/

And according to Qualys, it only supports: https://www.ssllabs.com/ssltest/analyze.html?d=techinfo.toyota.com

Cipher Suites (sorted by strength as the server has no preference; deprecated and SSL 2 suites at the end)
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128


#2

Oh, forgot the error I get back:

TlsProtocolException('Cannot establish TLS with techinfo.toyota.com:443 (sni: techinfo.toyota.com): TlsException("SSL handshake error: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')],)",)',)


#3

Did you try passing --ciphers-server ALL?


#4

Yes with no change, you can see the complete command I was using in the top post.


#5

I’ve managed to track this down further for anyone curious. It’s an issue with OpenSSL. 1.0.x seems to work and 1.1.x seems to not. It looks like there’s a change where the weak ciphers and other such stuff are making it hard fail without actually connecting. Still looking into what I can do about this (aside from doing everything in a VM or downgrading OpenSSL).


#6

Thanks, this is super helpful!

I suspect this may be related to https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html. Unfortunately, SSL_CTX_set_security_level is not even exposed in cryptography yet, so attempting a fix isn’t entirely trivial. One would need to add SSL_CTX_set_security_level to cryptography here, recompile cryptography, and then call set_security_level in mitmproxy somewhere around here to check if this is the actual root cause. Of course, downgrading OpenSSL is easier. :wink:


#7

I could definitely see that helping in some cases. I finally got it working by using an older OpenSSL, as it appears the 1.1.0 shipped with Debian is nerfed at compile time to not allow it to connect to a site configured like that. The way I went was to set up Python 3.6 with pyenv on Debian Jessie without jessie-backports. I think this’ll be such a niche problem that it’s not worth time to try to work around in the project. Nobody sane should be running a site like they do (it uses FRAMES for god’s sake… :slight_smile: ). Now I’ve just got to write a tool to dump things into a directory structure like I want now that I’ve got all the data I need to make a proper offline manual.
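
Added example (not from any poster in this thread, and not mitmproxy or cryptography code): a local check that separates the two causes discussed in posts #6 and #7, the security level versus suites missing from the OpenSSL build. It uses Python's standard `ssl` module and the `@SECLEVEL=0` cipher-string keyword; the helper names are hypothetical, and it reports on the OpenSSL that `ssl` is linked against, which is assumed to be the same library mitmproxy ends up using.

```python
import ssl

# OpenSSL names for the four suites in the Qualys listing from post #1.
SERVER_SUITES = {
    "TLS_RSA_WITH_DES_CBC_SHA": "DES-CBC-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_RSA_WITH_RC4_128_MD5": "RC4-MD5",
    "TLS_RSA_WITH_RC4_128_SHA": "RC4-SHA",
}


def level0_context(cipher_string):
    """Client context restricted to cipher_string at security level 0.

    Returns None when OpenSSL rejects the string because nothing matched.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # "@SECLEVEL=0" inside a cipher string sets the context's security level.
        ctx.set_ciphers(cipher_string + ":@SECLEVEL=0")
    except ssl.SSLError:
        return None
    return ctx


def build_offers(openssl_name):
    """True if the suite appears in the cipher list of a level-0 context."""
    ctx = level0_context(openssl_name)
    if ctx is None:
        return False
    # Some builds accept the string because TLS 1.3 suites remain, so match by name.
    return any(c["name"] == openssl_name for c in ctx.get_ciphers())


def probe_build():
    """Map each suite the server supports to whether this build offers it."""
    return {iana: build_offers(name) for iana, name in SERVER_SUITES.items()}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for iana, ok in probe_build().items():
        print(f"{iana:32} {'available' if ok else 'not offered by this build'}")
```

If all four suites come back unavailable even at level 0, no cipher string or security-level setting can produce a handshake with this server on that build, which matches the compile-time finding in post #7.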