Open meermanr opened 1 year ago
Hey @meermanr thanks for the detailed reproducible test.

It's hard to say, but I would explain how Proxyman constructs the self-signed certificate.

1. Proxyman connects to the destination server and reads the real certificate (`commonName` and `alternative_names`). For example, connect to https://www.producthunt.com/:

   ```
   <NIOSSLCertificate;serial_number=5f94d6b623d326554e87bb18d395ee2;common_name=sni.cloudflaressl.com;alternative_names=*.producthunt.com,sni.cloudflaressl.com,producthunt.com>
   ```

2. Proxyman generates a new certificate with the same values (`commonName` and `alternative_names`) and signs it with the Proxyman self-signed Root Certificate.

If Proxyman could not connect to the destination server (in the 1st step), Proxyman would generate a fake certificate, with the SNI as the host name, or the IP address.

From what I see, you're using the IP `192.168.111.30`, so `NIOSSLClientHandler` doesn't accept it -> Proxyman generates a fake certificate with your IP instead of the real SNI.

I suppose that we can fix it using a real new hostname:

```
proxychains4 -f ~/.proxychains.conf socat -d -d FILE:/dev/null OPENSSL:my_server.com:443
```
### Description

Proxyman does not appear to use Server Name Indication (SNI) to determine the Common Name (or Subject Alternative Names (SANs)) of the certificate it generates when performing SSL Proxying.

I'm attempting to debug a legacy application which does not use system roots of trust, but instead uses a baked-in self-signed certificate for which I have the CA and private key. The application is unusual in that it always sends a fixed SNI, irrespective of the server's address.

### Steps to Reproduce

I've replicated this using standard tools:

- `proxychains4`, installed via `brew install proxychains-ng` (version: stable 4.16 (bottled), HEAD)
- `socat`, installed via `brew install socat` (version: stable 1.7.4.4 (bottled))

1. Proxyman listening on `127.0.0.1:9090` in my case.
2. Create `~/.proxychains.conf` and populate it with:
3. Run `proxychains4 -f ~/.proxychains.conf socat -d -d FILE:/dev/null OPENSSL:192.168.111.30:443,snihost=example.com`
4. The generated certificate's common name is `192.168.111.30`, and not the SNI `example.com`.

For completeness, you can verify that socat is indeed emitting an SNI request:

1. Run `socat -d TCP-LISTEN:11223,fork,reuseaddr SYSTEM:'xxd >&2'`, which will listen for traffic on TCP port 11223 and write it to a subprocess, `xxd >&2`, effectively dumping the request on STDERR.
2. Run `socat -d -d FILE:/dev/null OPENSSL:127.0.0.1:11223,snihost=example.com` to make a request.
3. The SNI, `example.com`, appears in the output from `xxd`.

### Current Behavior

Auto-generated certificate's common name is set to the network address (i.e. `192.168.111.30`) specified by CONNECT.

### Expected Behavior

Auto-generated certificate's common name should be set to the value given by the request's Server Name Indication (SNI), i.e. `example.com`.

### Environment
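The verification steps in the issue show that the SNI travels in the clear inside the TLS ClientHello, so an intercepting proxy can read it before it ever picks a name for the forged certificate. The following is an added example, not code from the issue or from Proxyman: a minimal stdlib-only parser that pulls `host_name` out of a ClientHello record, plus the selection rule the issue asks for (prefer the SNI, fall back to the CONNECT target only when no SNI is present). The ClientHello bytes are constructed inline by `build_client_hello`; that builder, `extract_sni` and `certificate_name_for` are illustrative names and are not Proxyman's API.

```python
import struct
from typing import Optional, Sequence

SNI_EXT = 0x0000            # server_name extension type (RFC 6066)
SUPPORTED_VERSIONS_EXT = 0x002B
HOST_NAME_TYPE = 0x00       # the only NameType defined for server_name


def build_client_hello(sni: Optional[str],
                       cipher_suites: Sequence[int] = (0x1301, 0x1302, 0xC02F)) -> bytes:
    """Constructed test input: a TLS record carrying a ClientHello, optionally with SNI.

    The random field is zeroed for determinism; this is sample data, not a real hello.
    """
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")                      # RFC 6066: host_name is ASCII (A-labels)
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(host)) + host
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT, len(server_name_list)) + server_name_list
    versions = b"\x02\x03\x04"                          # supported_versions: [TLS 1.3]
    extensions += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(versions)) + versions

    body = struct.pack("!H", 0x0303) + bytes(32)        # legacy_version + random
    body += b"\x00"                                     # empty legacy_session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # compression_methods: null only
    body += struct.pack("!H", len(extensions)) + extensions

    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16(buf: bytes, pos: int) -> int:
    if pos + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def _parse_server_name(data: bytes) -> Optional[str]:
    """Walk the ServerNameList and return the first host_name entry."""
    end = 2 + _u16(data, 0)
    pos = 2
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = _u16(data, pos + 1)
        name = data[pos + 3:pos + 3 + name_len]
        if len(name) != name_len:
            raise ValueError("truncated server_name entry")
        pos += 3 + name_len
        if name_type == HOST_NAME_TYPE:
            return name.decode("ascii")
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:5 + _u16(record, 3)]
    if len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                        # skip legacy_version and random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                                # legacy_session_id
    pos += 2 + _u16(body, pos)                          # cipher_suites
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                                # compression_methods
    if pos == len(body):
        return None                                     # old-style hello with no extensions
    end = pos + 2 + _u16(body, pos)
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        ext_data = body[pos + 4:pos + 4 + ext_len]
        if len(ext_data) != ext_len:
            raise ValueError("truncated extension")
        pos += 4 + ext_len
        if ext_type == SNI_EXT:
            return _parse_server_name(ext_data)
    return None


def certificate_name_for(connect_target: str, sni: Optional[str]) -> str:
    """Expected behaviour from the issue: name the forged cert after the SNI,
    and only fall back to the CONNECT host/IP when the client sent no SNI."""
    return sni if sni else connect_target


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    sni = extract_sni(hello)
    print("SNI:", sni)
    print("certificate CN:", certificate_name_for("192.168.111.30", sni))
```

Run against the issue's scenario, the client connects to `192.168.111.30` but presents `example.com`, so `certificate_name_for` yields `example.com`; without an SNI extension the IP is used, which is what the issue reports as the current behaviour in both cases. Note that `extract_sni` only reads the first record, which is enough for a ClientHello that fits in one TLS record.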