Self created CA/Client certificates

kungfu71186 · August 25, 2017, 3:08pm

I followed the directions the best that I could. Not sure if I’m missing something.

I create the PEM file using the CA cert and Key.

I create the client cert using the client cert and key.

Doing:

openssl s_client -connect website.internal.com:443 -cert website.internal.com.pem -CAfile mitmproxy-ca.pem -showcerts

return is:

SSL handshake has read 2791 bytes and written 2559 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: CB1A9F13985DC7E9AABD5C0A38473BFF59381F5790ED7E91667CF9D3ACDCD438
Session-ID-ctx:
Master-Key: 3526267F9810D7138CC22DF59BC1F0DC7F2A60A0E7F22AE95689BEB858E1CF825E22F8B544BBFDF920AFF4B77682462C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1503671106
Timeout : 300 (sec)
Verify return code: 0 (ok)

That looks all good. Now when trying to do the same with mitm proxy, I get various issues.

mitmdump.exe --upstream-trusted-ca mitmproxy-ca.pem --client-certs website.internal.com.pem

I get

<< Certificate Verification Error for website.internal.com: self signed certificate in certificate chain (errno: 19, depth: 1)

Doing:

mitmdump.exe --cadir C:\mitm\ --client-certs website.internal.com.pem

I get the same

Using the same exact pem files when doing an openssl connect works fine.

Am i missing something?

mhils · August 25, 2017, 3:20pm

Hi,

It looks like your problem is that mitmproxy tries to authenticate the upstream certificate it received from the server against certifi’s CA bundle. If that’s the case, mitmproxy should work if you pass --insecure or by setting a trusted ca file/dir.

kungfu71186 · August 25, 2017, 3:34pm

Doing --insecure, how would i set the ca file/dir. I did include --cadir with not change

127.0.0.1:49704: Certificate Verification Error for website.internal.com: self signed certificate in certificate chain (errno: 19, depth: 1
)
127.0.0.1:49704: Ignoring server verification error, continuing with connection
127.0.0.1:49704: CONNECT website.internal.com:443 << Cannot establish TLS with client (sni: website.internal.com): TlsException("(10053, 'WSAECONNABORTED')",)

Interesting thing. I just tried spinning up a docker app. Run the docker app with the same parameters and did a curl. Got a 200 response. So it works there. Not working on my windows box though. I’ll try running with docker and see if I can get it to connect.

mhils · August 25, 2017, 4:23pm

The error you have here now shows that we successfully establish a connection with the server, but now it fails establishing TLS with the client.

Topic		Replies	Views
Https with custom ca bundle help	14	8850	March 10, 2017
How to use own certificates in mitmproxy help	1	5011	June 10, 2016
Custom certificate does not work for reverse proxy	1	1758	February 18, 2019
Set Client Cert as a cert bundle help	0	619	June 21, 2018
CA issue with client certificate help	4	2939	February 1, 2018

Self created CA/Client certificates

Related Topics