Self created CA/Client certificates


#1

I followed the directions the best that I could. Not sure if I’m missing something.

I create the PEM file using the CA cert and Key.

I create the client cert using the client cert and key.

Doing:

openssl s_client -connect website.internal.com:443 -cert website.internal.com.pem -CAfile mitmproxy-ca.pem -showcerts

return is:

SSL handshake has read 2791 bytes and written 2559 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: CB1A9F13985DC7E9AABD5C0A38473BFF59381F5790ED7E91667CF9D3ACDCD438
Session-ID-ctx:
Master-Key: 3526267F9810D7138CC22DF59BC1F0DC7F2A60A0E7F22AE95689BEB858E1CF825E22F8B544BBFDF920AFF4B77682462C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1503671106
Timeout : 300 (sec)
Verify return code: 0 (ok)

That looks all good. Now when trying to do the same with mitmproxy, I get various issues.

mitmdump.exe --upstream-trusted-ca mitmproxy-ca.pem --client-certs website.internal.com.pem

I get

<< Certificate Verification Error for website.internal.com: self signed certificate in certificate chain (errno: 19, depth: 1)

Doing:

mitmdump.exe --cadir C:\mitm\ --client-certs website.internal.com.pem

I get the same

Using the same exact pem files when doing an openssl connect works fine.

Am I missing something?


#2

Hi,

It looks like your problem is that mitmproxy tries to authenticate the upstream certificate it received from the server against certifi’s CA bundle. If that’s the case, mitmproxy should work if you pass --insecure or by setting a trusted ca file/dir.
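An added example, not from this thread or from mitmproxy itself, that reproduces the "errno: 19, depth: 1" error with a throwaway CA and shows it clearing once that CA is explicitly trusted (the CA name and hostname are made up for the demo):

```shell
# Added example (not from this thread or mitmproxy): reproduce "errno 19,
# depth 1" with a throwaway CA and see it clear once that CA is trusted.
set -eu
WORK="$(mktemp -d)"

# Make a self-signed CA, standing in for the thread's mitmproxy-ca.pem.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a server certificate for hostname $1, signed by that CA.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -days 1 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null
}

# The CA is only offered as an untrusted chain element, which is what a
# verifier sees when the server sends its chain but the root is not in the
# trust store (mitmproxy checking against certifi's bundle). Expect
# "error 19 at 1 depth lookup: self signed certificate in certificate chain".
verify_without_trust() {
  openssl verify -untrusted "$WORK/ca.pem" "$WORK/server.pem" 2>&1 || true
}

# Same chain with the CA explicitly trusted, like -CAfile in the s_client
# run earlier in the thread. Expect "<path>/server.pem: OK".
verify_with_trust() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" 2>&1 || true
}

make_ca
make_server_cert website.internal.com
verify_without_trust
verify_with_trust
```

The first verify fails at depth 1 with error 19 exactly as in the mitmproxy log, while the second succeeds, so the fix is to make the verifier trust the CA rather than to disable verification.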


#3

Doing --insecure, how would I set the CA file/dir? I did include --cadir with no change.

127.0.0.1:49704: Certificate Verification Error for website.internal.com: self signed certificate in certificate chain (errno: 19, depth: 1)
127.0.0.1:49704: Ignoring server verification error, continuing with connection
127.0.0.1:49704: CONNECT website.internal.com:443 << Cannot establish TLS with client (sni: website.internal.com): TlsException("(10053, 'WSAECONNABORTED')",)

Interesting thing. I just tried spinning up a docker app. Ran the docker app with the same parameters and did a curl. Got a 200 response. So it works there. Not working on my Windows box though. I’ll try running with docker and see if I can get it to connect.


#4

The error you have here now shows that we successfully establish a connection with the server, but now it fails establishing TLS with the client.