ProxymanApp / Proxyman

Modern. Native. Delightful Web Debugging Proxy for macOS, iOS, and Android ⚡️
https://proxyman.io

Proxyman | Android | Internal error with 999 error code | SSL Handshake failed #1917

Open petrovickristina opened 5 months ago

petrovickristina commented 5 months ago

Description

I've installed certificates both on MacBook and Android device, and I've turned Web proxy (HTTP) and Secure web proxy (HTTPS) ON.

Can somebody help me resolve this issue? I don't know what else I should try.

I think that I've read everything that is on the internet until now :D Thanks in advance!

NghiaTranUIT commented 5 months ago

@petrovickristina May I ask: have you finished step 5 in these docs: https://docs.proxyman.io/debug-devices/android-device

The new Android API doesn't accept any user certificate until we configure it in these files. Otherwise, you will get an SSL error when intercepting HTTPS from your Android app.

petrovickristina commented 5 months ago

Hi @NghiaTranUIT, thanks a lot. Adding that additional part of the code helped with the internal errors, but now I can't see all traffic. I can only see calls for one domain. Do you maybe have another proposal for what I should try for that issue?

NghiaTranUIT commented 5 months ago

So it works.

Seeing all HTTPS traffic depends on what network library you're using.

  1. Do you use native Android, Flutter, or React Native for Android?
  2. And what is the name of the network library? Some libraries don't respect the system proxy and go straight to the Internet. Thus, Proxyman or other web proxy tools can't capture all traffic.

petrovickristina commented 5 months ago

  1. Native
  2. We're using Retrofit

NghiaTranUIT commented 5 months ago

@petrovickristina It seems Retrofit doesn't accept the Proxyman self-signed certificate, even though it's trusted in the Android system.

You have to add some config to tell Retrofit to accept it. Here is a code sample: https://futurestud.io/tutorials/retrofit-2-how-to-trust-unsafe-ssl-certificates-self-signed-expired

or

https://gist.github.com/demixdn/3886de5a71dc2812c8f4d27a248a506b

VidojeMuric commented 5 months ago

Hi @NghiaTranUIT, I will also jump in since we are both on the same project :)

I have noticed that we have a problem communicating with Firebase Firestore when we turn on Proxyman. We are receiving this message:

Stream closed with status: Status{code=UNAVAILABLE, description=null, cause=java.lang.RuntimeException: TLS ALPN negotiation failed with protocols: [h2]

We have tried all suggestions mentioned above, but nothing helps. Do you have any additional suggestion?

NghiaTranUIT commented 5 months ago

I suggest not using SSL Proxying on the Firebase domains, to make it work.

Firebase only supports HTTP/2 (h2), which Proxyman doesn't support (only HTTP/1.1).

NghiaTranUIT commented 5 months ago

@VidojeMuric You can open the Tool menu -> SSL Proxying List -> remove the Firebase domains.

By doing it, Proxyman just proxies these data without intercepting it.

VidojeMuric commented 5 months ago

Hi @NghiaTranUIT, thanks for a quick reply and help! In the SSL Proxying list we didn't have Firebase domains, only the domains of our app. And the error is the same:

[WatchStream]: (7208c20) Stream closed with status: Status{code=UNAVAILABLE, description=null, cause=java.lang.RuntimeException: TLS ALPN negotiation failed with protocols: [h2] at io.grpc.okhttp.OkHttpProtocolNegotiator.negotiate

jsonITP commented 3 months ago

Hi @NghiaTranUIT, I'm experiencing the same issue. We've added both XML files, with the exception of <certificates src="user" /> in <base-config cleartextTrafficPermitted="true">. This is also React Native with OkHttp as the network lib. All certificates should be correct, but when I'm using the proxy with Android I keep getting:

[Screenshot 2024-02-29 at 10 33 49]

NghiaTranUIT commented 3 months ago

From what I googled, OkHttp doesn't use the certificates in your Android system. You have to accept it manually. Here is the tutorial on how to accept a self-signed certificate: https://www.baeldung.com/okhttp-self-signed-cert

If it's okay, then Proxyman can decrypt your HTTPS data.

Sample Code: https://gist.github.com/rybalkinsd/940a35ccefb9849c887ccf32d3be744b

bitcrumb commented 3 months ago

@NghiaTranUIT Why is there a <debug-overrides> in the network config when the types of certificates trusted (user & system) in the <base-config> are exactly the same?

Shouldn't the <base-config> exclude user certificates by default for security reasons?

<network-security-config>
  <debug-overrides>
    <trust-anchors>
      <!-- Trust user added CAs while debuggable only -->
      <certificates src="user" />
      <certificates src="system" />
    </trust-anchors>
  </debug-overrides>

  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" /> <!-- shouldn't this be removed? -->
    </trust-anchors>
  </base-config>
</network-security-config>
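
The difference raised in this last comment can be checked mechanically. As an added example (not part of the thread or of Proxyman's documentation), this Python script parses an Android network security config and reports the explicit settings that apply to every build, as opposed to `<debug-overrides>`, which only applies when the app is debuggable. The function names and the second, debug-only config are constructed for illustration, and inheritance between nested `<domain-config>` elements is not modelled.

```python
import xml.etree.ElementTree as ET

# The config quoted in the comment above (inline XML comments omitted).
THREAD_CONFIG = """
<network-security-config>
  <debug-overrides><trust-anchors>
    <certificates src="user" /><certificates src="system" />
  </trust-anchors></debug-overrides>
  <base-config cleartextTrafficPermitted="true"><trust-anchors>
    <certificates src="system" /><certificates src="user" />
  </trust-anchors></base-config>
</network-security-config>"""

# Constructed variant: user CAs are trusted only while the app is debuggable.
DEBUG_ONLY_CONFIG = """
<network-security-config>
  <debug-overrides><trust-anchors>
    <certificates src="user" />
  </trust-anchors></debug-overrides>
  <base-config cleartextTrafficPermitted="false"><trust-anchors>
    <certificates src="system" />
  </trust-anchors></base-config>
</network-security-config>"""


def audit(xml_text):
    """Return findings for explicit settings that also apply to release builds."""
    root = ET.fromstring(xml_text)
    findings = []
    # <base-config> and <domain-config> apply to every build variant;
    # <debug-overrides> is deliberately skipped here.
    scopes = list(root.iter("base-config")) + list(root.iter("domain-config"))
    for scope in scopes:
        label = scope.tag
        domains = [d.text.strip() for d in scope.findall("domain") if d.text]
        if domains:
            label += "[" + ",".join(domains) + "]"
        for cert in scope.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(label + ": trusts user-installed CAs in all builds")
        if scope.get("cleartextTrafficPermitted") == "true":
            findings.append(label + ": cleartext traffic permitted")
    return findings


def debug_trusts_user(xml_text):
    """True if user-installed CAs are trusted inside <debug-overrides>."""
    root = ET.fromstring(xml_text)
    certs = root.findall("debug-overrides/trust-anchors/certificates")
    return any(c.get("src") == "user" for c in certs)
```

Both configs let a debuggable build trust a user-installed proxy CA; only the quoted one also reports findings for release builds.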