Error: 0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01


#1

Hi,
I would like to use transparent mode with an HTTPS connection but it doesn’t work for me. I have installed the certificates from ~/.mitmproxy/… but there are still some problems with verification.
Do you have any idea what I do wrong please?

There are two machines.
I use this command on the first machine:
sudo mitmdump -p 8080 --mode transparent --showhost

And then on the second one:
curl https://www.google.com -v
Result:

    * Rebuilt URL to: https://www.google.com
    * Hostname was NOT found in DNS cache
    *   Trying 172.217.23.228...
    * Connected to www.google.com (172.217.23.228) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: none
      CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello  (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS alert, Server hello (2):
    * error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
    * Closing connection 0
    * SSLv3, TLS alert, Client hello (1):
    curl: (35) error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01

but for command:
curl https://www.google.com -v --insecure > /dev/null
result is:

    * Rebuilt URL to: https://www.google.com/
    * Hostname was NOT found in DNS cache
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                             Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 172.217.23.228...
    * Connected to www.google.com (172.217.23.228) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: none
      CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    } [data not shown]
    * SSLv3, TLS handshake, Server hello (2):
    { [data not shown]
    * SSLv3, TLS handshake, CERT (11):
    { [data not shown]
    * SSLv3, TLS handshake, Server key exchange (12):
    { [data not shown]
    * SSLv3, TLS handshake, Server finished (14):
    { [data not shown]
    * SSLv3, TLS handshake, Client key exchange (16):
    } [data not shown]
    * SSLv3, TLS change cipher, Client hello (1):
    } [data not shown]
    * SSLv3, TLS handshake, Finished (20):
    } [data not shown]
    * SSLv3, TLS change cipher, Client hello (1):
    { [data not shown]
    * SSLv3, TLS handshake, Finished (20):
    { [data not shown]
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * Server certificate:
    *        subject: CN=172.217.23.228
    *        start date: 2018-06-25 09:08:04 GMT
    *        expire date: 2021-06-26 09:08:04 GMT
    *        issuer: CN=mitmproxy; O=mitmproxy
    *        SSL certificate verify result: certificate signature failure (7), continuing anyway.
    > GET / HTTP/1.1
    > User-Agent: curl/7.38.0
    > Host: www.google.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Date: Wed, 27 Jun 2018 09:09:47 GMT
    < Expires: -1
    < Cache-Control: private, max-age=0
    < Content-Type: text/html; charset=ISO-8859-1
    < P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    * Server gws is not blacklisted
    < Server: gws
    < X-XSS-Protection: 1; mode=block
    < X-Frame-Options: SAMEORIGIN
    < Set-Cookie: 1P_JAR=2018-06-27-09; expires=Fri, 27-Jul-2018 09:09:47 GMT; path=/; domain=.google.com
    < Set-Cookie: NID=133=CJmrrNkiXaYVIVmRL1DKlniWhd41op6D_Vv5F0aZ6kEb0sZunYE-jSOBMf7ga1u9OCN1Vjd8C3dtkmfekaoPWTFDHQzTwBZ7-OPL1dh8FgfCs_DT0kNOyX4gyGIIUNcD; expires=Thu, 27-Dec-2018 09:09:47 GMT; path=/; domain=.google.com; HttpOnly
    < Alt-Svc: quic=":443"; ma=2592000; v="43,42,41,39,35"
    < Accept-Ranges: none
    < Vary: Accept-Encoding
    < Transfer-Encoding: chunked
    <
    { [data not shown]
    100 11136    0 11136    0     0  34801      0 --:--:-- --:--:-- --:--:-- 34909
    * Connection #0 to host www.google.com left intact

and for command:
openssl s_client -connect google.com:443 -prexit
result:

    CONNECTED(00000003)
    depth=1 CN = mitmproxy, O = mitmproxy
    verify return:1
    depth=0 CN = 216.58.201.78
    verify error:num=7:certificate signature failure
    verify return:1
    depth=0 CN = 216.58.201.78
    verify return:1
    ---
    Certificate chain
     0 s:/CN=216.58.201.78
       i:/CN=mitmproxy/O=mitmproxy
     1 s:/CN=mitmproxy/O=mitmproxy
       i:/CN=mitmproxy/O=mitmproxy
    ---
    ....
    Verify return code: 7 (certificate signature failure)

mitmdump --version

    Mitmproxy: 4.0.3
    Python:    3.6.6rc1+
    OpenSSL:   OpenSSL 1.1.0f  25 May 2017
    Platform:  Linux-3.16.57-odroidc2-aarch64-with-debian-9.4
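The two symptoms in the post fit together: `verify error:num=7:certificate signature failure` means OpenSSL found a CA certificate whose name matches the issuer (CN=mitmproxy, O=mitmproxy) but the leaf's RSA signature does not verify under that CA's public key, and `RSA_padding_check_PKCS1_type_1: block type is not 01` is the low-level form of the same thing: the raw RSA public operation with the wrong key yields bytes that do not start with the PKCS#1 v1.5 signature padding `00 01 FF .. FF 00`. The following is an added example, not code from the post or from mitmproxy; it uses the `cryptography` package to build a toy CA named like mitmproxy's, issues a leaf for the IP seen in the post, and then checks the signature against the right CA and against a second CA with the same name but a different key (the "stale CA file on the client" situation). The CA names, validity periods and the use of RSA/SHA-256 are assumptions made for the illustration.

```python
"""Added example: reproduce "certificate signature failure" offline.

Not from the original post; assumes the `cryptography` package is installed.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _validity():
    now = datetime.datetime.now(datetime.timezone.utc)
    return now, now + datetime.timedelta(days=365)


def make_ca(name="mitmproxy"):
    """Self-signed CA with the same subject layout as the one in the post (assumed)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, name),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, name),
    ])
    nb, na = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(nb)
        .not_valid_after(na)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, common_name):
    """Leaf certificate signed by the CA, like the CN=172.217.23.228 cert curl showed."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    nb, na = _validity()
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(nb)
        .not_valid_after(na)
        .sign(ca_key, hashes.SHA256())
    )


def signature_ok(leaf, ca_cert):
    """What verify error 7 checks: does the leaf's signature verify under this CA key?"""
    try:
        ca_cert.public_key().verify(
            leaf.signature,
            leaf.tbs_certificate_bytes,
            padding.PKCS1v15(),
            leaf.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def pkcs1_block_type(leaf, ca_cert):
    """Redo OpenSSL's first step by hand: raw RSA public operation, then read the
    PKCS#1 v1.5 block type byte. A genuine signature recovers 00 01 FF..FF 00 <DigestInfo>,
    so this returns 1; under the wrong key the block is pseudo-random and the
    function returns something else (that is the "block type is not 01" message)."""
    pub = ca_cert.public_key().public_numbers()
    k = (pub.n.bit_length() + 7) // 8
    m = pow(int.from_bytes(leaf.signature, "big"), pub.e, pub.n)
    block = m.to_bytes(k, "big")
    if block[0] != 0x00:
        return None  # leading byte must be 00 for any PKCS#1 v1.5 block
    return block[1]


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    stale_key, stale_cert = make_ca()  # same name, different key: a stale CA file
    leaf = issue_leaf(ca_key, ca_cert, "172.217.23.228")
    print("right CA :", signature_ok(leaf, ca_cert), pkcs1_block_type(leaf, ca_cert))
    print("stale CA :", signature_ok(leaf, stale_cert), pkcs1_block_type(leaf, stale_cert))
```

The practical check this suggests for the situation in the post is to compare the CA certificate actually installed on the client machine with the one currently in `~/.mitmproxy/` on the proxy machine (for example by comparing their fingerprints); a name match with a key mismatch produces exactly error 7 rather than "unable to get local issuer certificate".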