Custom certificate used for *.facebook.com


#1

mitmdump --cert *.facebook.com=cert.pem --insecure

I get this error while intercepting:
<< Cannot establish TLS with client (sni: graph.facebook.com): TlsException("SSL handshake error: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate unknown')],)",)

Why am I receiving this error?
How can I solve this?


#2

As tested in SSL Labs, the handshake protocol is TLS 1.2. Can you please describe why it is happening and how I can solve it?


#3

@mhils

According to the documentation it should work, but I am receiving a certificate unknown error.

SNI breaks our upstream certificate sniffing process, because when we connect without using SNI, we get served a default certificate that may have nothing to do with the certificate expected by the client. The solution is another tricky complication to the client connection process. After the client connects, we allow the TLS handshake to continue until just after the SNI value has been passed to us. Now we can pause the conversation, and initiate an upstream connection using the correct SNI value, which then serves us the correct upstream certificate, from which we can extract the expected CN and SANs.


#4

Hi,

The error you are getting indicates that your client is not trusting mitmproxy’s certificate. Assuming you have installed mitmproxy’s root CA and other HTTPS websites work, you may unfortunately be running into certificate pinning: http://docs.mitmproxy.org/en/stable/certinstall.html#certificate-pinning
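
The triage in the reply above (a certificate alert sent by the client, weighed against whether other HTTPS hosts still pass through the proxy) can be run over mitmdump output. This is an added example, not part of the original thread or of mitmproxy's code; the sample log is constructed, and the request-line format, the verdict strings and the `triage` name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample. The failure line follows the error quoted in post #1;
# the request-line format is an assumption about mitmdump's output.
SAMPLE_LOG = """\
10.0.0.5:50112: GET https://example.org/
10.0.0.5:50113: POST https://api.example.net/v1/ping
<< Cannot establish TLS with client (sni: graph.facebook.com): TlsException("SSL handshake error: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate unknown')],)",)
"""

# Alerts a client sends when it rejects the certificate it was shown. The
# "sslv3"/"tlsv1" prefix in OpenSSL's text names the alert, not the negotiated
# protocol version, so it also appears on TLS 1.2 connections.
TRUST_ALERTS = {"certificate unknown", "unknown ca", "bad certificate",
                "certificate expired", "certificate revoked",
                "unsupported certificate"}

HOST_SPECIFIC = "only this host rejected: pinning, or its served certificate is untrusted"
NO_TRUST = "no HTTPS host intercepted: proxy CA probably not installed on the client"
OTHER = "handshake failed without a certificate alert"

FAIL_RE = re.compile(r"Cannot establish TLS with client \(sni: ([^)]+)\).*?alert ([a-z ]+)")
# A logged HTTPS request means the client accepted the proxy's certificate.
OK_RE = re.compile(r"\b(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) https://([^/\s:]+)")

def triage(log_text):
    """Map each SNI whose client-side handshake failed to a likely cause."""
    rejected = defaultdict(set)  # sni -> alerts received from the client
    intercepted = set()          # hosts with at least one decrypted request
    for line in log_text.splitlines():
        fail = FAIL_RE.search(line)
        if fail:
            rejected[fail.group(1)].add(fail.group(2).strip())
            continue
        ok = OK_RE.search(line)
        if ok:
            intercepted.add(ok.group(1))
    verdicts = {}
    for sni, alerts in rejected.items():
        if not alerts & TRUST_ALERTS:
            verdicts[sni] = OTHER
        else:
            verdicts[sni] = HOST_SPECIFIC if intercepted else NO_TRUST
    return verdicts

if __name__ == "__main__":
    for sni, verdict in triage(SAMPLE_LOG).items():
        print(f"{sni}: {verdict}")
```

A host-specific verdict also covers the case where the certificate supplied with `--cert` for that domain is not issued by a CA the client trusts.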


#5

Pinning is not enabled on the client side; I have decompiled and checked it manually.
A week ago the same app was working with HTTPS, and now the same app is refusing to accept the certificate. Is it something with mitmproxy or with the backend server?