Can't get mitmproxy to work with badly configured site

So this started on a thread on reddit before, but I think this is going to be a better place to actually get help.

So I’m running on Debian Sid with python 3.6 and it works for everything except this site (of course it’s the one I WANT to record everything on).

I’m running it in as insecure a method as I can seem to figure out:

$ mitmproxy -a test.flows --insecure --ssl-version-server all --ssl-version-client all --ciphers-server ALL --ciphers-client ALL -p 12345

Here’s the website: https://techinfo.toyota.com/

And according to Qualys, it only supports: https://www.ssllabs.com/ssltest/analyze.html?d=techinfo.toyota.com

Cipher Suites (sorted by strength as the server has no preference; deprecated and SSL 2 suites at the end)
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128

Oh, forgot the error I get back:

TlsProtocolException('Cannot establish TLS with techinfo.toyota.com:443 (sni: techinfo.toyota.com): TlsException("SSL handshake error: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')],)",)',)

Did you try passing --ciphers-server ALL?

Yes with no change, you can see the complete command I was using in the top post.

I’ve managed to track this down further for anyone curious. It’s an issue with OpenSSL. 1.0.x seems to work and 1.1.x seems to not. It looks like there’s a change where the weak ciphers and other such stuff are making it hard fail without actually connecting. Still looking into what I can do about this (aside from doing everything in a VM or downgrading openssl).

Thanks, this is super helpful!

I suspect this may be related to https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html. Unfortunately, SSL_CTX_set_security_level is not even exposed in cryptography yet, so attempting a fix isn’t entirely trivial. One would need to add SSL_CTX_set_security_level to cryptography here, recompile cryptography, and then call set_security_level in mitmproxy somewhere around here to check if this is the actual root cause. Of course, downgrading OpenSSL is easier. :wink:

I could definitely see that helping in some cases. I finally got it working by using an older openssl as it appears the 1.1.0 shipped with Debian is nerfed at compile time to not allow it to connect to a site configured like that. The way I went was to set up python 3.6 with pyenv on Debian Jessie without jessie-backports. I think this’ll be such a niche problem that it’s not worth time to try to work around in the project. Nobody sane should be running a site like they do (it uses FRAMES for god’s sake… :slight_smile: ). Now I’ve just got to write a tool to dump things into a directory structure like I want now that I’ve got all the data I need to make a proper offline manual.

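A local check of the diagnosis reached in this thread, added here as an example and not part of any post or of mitmproxy: it compares the suites from the Qualys listing with what the local Python's OpenSSL enables for the `ALL` cipher string. The function names are made up for this sketch, and it inspects only the local cipher list; it does not test the handshake-time security level mentioned in the reply above.

```python
import re
import ssl

# Cipher-suite lines copied from the Qualys listing quoted in the first post.
QUALYS_LINES = """\
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
"""


def parse_qualys(text):
    """Map each suite's 16-bit code point to its IANA name."""
    pattern = re.compile(r"^(TLS_\w+)\s+\(0x([0-9a-fA-F]+)\)", re.M)
    return {int(code, 16): name for name, code in pattern.findall(text)}


def local_suite_ids(cipher_string="ALL"):
    """IDs of the suites the local OpenSSL build enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return set()  # the string selected no suite at all
    return {c["id"] for c in ctx.get_ciphers()}


def split_by_support(server, local_ids):
    """Split the server's suites into (offerable, missing) for this build."""
    offerable, missing = [], []
    for code, name in server.items():
        # OpenSSL reports SSLv3/TLS suites as 0x0300 followed by the code point.
        (offerable if (0x03000000 | code) in local_ids else missing).append(name)
    return sorted(offerable), sorted(missing)


if __name__ == "__main__":
    offerable, missing = split_by_support(parse_qualys(QUALYS_LINES),
                                          local_suite_ids("ALL"))
    print(ssl.OPENSSL_VERSION)
    print("can offer:", offerable or "none of the server's suites")
    print("not in this build's ALL list:", missing)
```

If nothing is listed under "can offer", the build has no suite in common with the server, so cipher options alone cannot fix the handshake and a different OpenSSL build is needed, as the last post found.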