ProxymanApp / Proxyman

Modern. Native. Delightful Web Debugging Proxy for macOS, iOS, and Android ⚡️
https://proxyman.io

SSL handshake failed at /Users/nghiatran/etcetc #1450

Open delboy1978uk opened 1 year ago

delboy1978uk commented 1 year ago

Description

I'm trying to set up an Android device for development here, and my SSL handshake failed.

What I found interesting was that the error path does not exist on my machine!


/Users/nghiatran/Library/Developer/Xcode/DerivedData/NSProxy-chrjhjrygpkcrggquryyaaqcgvhz/SourcePackages/checkouts/swift-nio-ssl/Sources/CNIOBoringSSL/ssl/tls_record.cc:594

@NghiaTranUIT Is this just a display bug, or is something else going on?

NghiaTranUIT commented 1 year ago

@delboy1978uk It's odd 🤔

Just wondering: Have you installed & trusted the Certificate in your Android? You can find it in Certificate Menu -> Install for Android -> Physical Device / Emulator

Especially the 5th step in this Setup Guide: https://docs.proxyman.io/debug-devices/android-device

delboy1978uk commented 1 year ago

Yes I have installed and trusted the certificate. As for the last step, I am on a device which is only running Android 9, but the guide mentioned that the security config is for 10 and above, so I have not performed that step. I'm sure it's just the device (or myself) and not Proxyman, I just found it odd to see the error path coming from /Users/nghiatran/.... :-P

NghiaTranUIT commented 1 year ago

I'm surprised too. It's from Swift NIO

Can you share with me which app you're trying to Intercept 🤔 ?

Please note that if it's a popular app, such as FB, IG, or Play Store, there's a high chance that it's protected by an SSL Pinning mechanism.

delboy1978uk commented 1 year ago

Oh, it's just a local server with a self-signed SSL. I can access the domain fine via the device's browser, but when I try to deploy the actual Android app that's when I get this. That's why I'm sure it isn't Proxyman causing my issues, again I was just drawing attention to your user path in my error :-)

delboy1978uk commented 1 year ago

FYI, that last step also worked for Android 9. My app is working again!

NghiaTranUIT commented 1 year ago

Thanks. I will investigate the error path.

If you have an HTTPS (self-signed) local server, to make it work with Proxyman, make sure your local server accepts the Proxyman Certificate too.

delboy1978uk commented 1 year ago

@NghiaTranUIT I am using a docker compose LAMP stack and generate my cert in my Apache container here https://github.com/delboy1978uk/lamp/blob/master/build/httpd/Dockerfile#L9 Should I be adding the Proxyman Certificate in there too then?

ianbby commented 1 year ago

I am seeing this as well. I have Proxyman installed with the cert trusted on my Mac. I created a new Android emulator and used the Override button to configure it. That all seemed to go well, but when browsing in the emulator or firing up my local app, I get errors around Invalid Date/Time in the browser that show as Internal Errors in Proxyman:

handshakeFailed(NIOSSL.BoringSSLError.sslError([Error: 268436502 error:10000416:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN at /Users/nghiatran/Library/Developer/Xcode/DerivedData/NSProxy-dpnvjsvnoedgpgfkomhjjqznnjsa/SourcePackages/checkouts/swift-nio-ssl/Sources/CNIOBoringSSL/ssl/tls_record.cc:594]))


I have confirmed that my Mac and Android emulator dates are correct and that the certificate is present in the emulator as expected. I am able to access sites like Wikipedia without issue, but certain sites are erroring like yahoo in the screenshot above.

NghiaTranUIT commented 1 year ago

On Android, it's important to finish step 5 in this Setup Guide: https://docs.proxyman.io/debug-devices/android-device

We have to add the domains to the security_config.xml file in the source code.

Since you visit yahoo.com from the web browser, you haven't finished step 5 yet. Thus, you get the SSL error.

ianbby commented 1 year ago

Ah, fair play there! And looking beyond Chrome, the part of my app that hit the SSL error was throwing up a Chrome custom tab, which probably doesn't qualify for the network_security_config exclusions. Makes sense!

NghiaTranUIT commented 1 year ago

@ianbby yup, the security on Android devices/emulators is tricky. It doesn't allow you to freely intercept the HTTPS from other apps, unless you are a developer, install & trust the certificate, and add config to network_security_config.xml.

On the other hand, iOS device is easier. They just need to install & Trust the certificate. Then, you can intercept from any Web Browser on iOS devices.
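
The fix discussed in this thread is to trust the user-installed proxy certificate through the app's network_security_config.xml. As an added example (not code from Proxyman or from any poster), this Python script audits such a file and reports whether user-installed CAs are trusted only under `debug-overrides` or also in blocks that apply to release builds. The sample XML and the domain `dev.example.test` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config; "dev.example.test" is a placeholder domain.
SAMPLE_CONFIG = """
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">dev.example.test</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""

def user_ca_scopes(xml_text):
    """Return (scope, applies_to_release) for each block trusting user-installed CAs."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for block in root.iter():  # iter() also visits nested domain-config blocks
        sources = [c.get("src") for c in block.findall("./trust-anchors/certificates")]
        if "user" not in sources:
            continue
        if block.tag == "debug-overrides":
            # Only honoured when the app is built with android:debuggable="true".
            findings.append(("debug-overrides", False))
        elif block.tag == "base-config":
            findings.append(("base-config (all domains)", True))
        elif block.tag == "domain-config":
            domains = ", ".join((d.text or "").strip() for d in block.findall("domain"))
            findings.append((f"domain-config: {domains}", True))
    return findings

if __name__ == "__main__":
    for scope, in_release in user_ca_scopes(SAMPLE_CONFIG):
        label = "RELEASE" if in_release else "debug only"
        print(f"{label}: user CAs trusted in {scope}")
```

Any finding flagged as applying to release means a shipped build would accept any CA the user installs for that scope, so interception trust is best kept under `debug-overrides`.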