Closed TingluoHuang closed 4 years ago
Hey @TingluoHuang
Proxyman is already updated with Apple's new requirements, but the TLS server certificates part is missing. I'm on it now 👍
Hey yo @TingluoHuang
Let's check this BETA build: https://proxyman.s3.us-east-2.amazonaws.com/beta/Proxyman_1.13.0_Update_macOS_Certificate_Requirement.dmg
Please open Help menu -> Debug -> Reset all Certificate & Data to completely remove the old one. Then you can install the new certificate 👍
Please let me know if it works since I couldn't test your case on my local machine. Thank you in advance 🌮
@NghiaTranUIT thanks for taking a look at this. I think we are 1 step closer. :)
Server cert generated by Proxyman:
```
[Version]
V3
[Subject]
OU=https://proxyman.io, CN=github.com, O="GitHub, Inc.", L=San Francisco, C=US
Simple Name: github.com
DNS Name: github.com
[Issuer]
OU=https://proxyman.io, CN="Proxyman CA (3 Jan 2020, htl-mac.local)", O=Proxyman Ltd, L=Singapore, C=SG
Simple Name: Proxyman CA (3 Jan 2020, htl-mac.local)
DNS Name: Proxyman CA (3 Jan 2020, htl-mac.local)
[Serial Number]
00E0481A26FA5B92AB
[Not Before]
1/3/2020 10:11:37 AM
[Not After]
4/7/2022 11:11:37 AM
[Thumbprint]
CC915C50F9326979B4284A0454C31F57EA271DE1
[Signature Algorithm]
sha256RSA(1.2.840.113549.1.1.11)
[Public Key]
Algorithm: RSA
Length: 2048
Key Blob:
Parameters: 0500
[Extensions]
* X509v3 Key Usage(2.5.29.15):
030204F0
* (2.5.29.17):
DNS:github.com, DNS:www.github.com
```
Server cert generated by Fiddler:
```
[Version]
V3
[Subject]
CN=github.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
Simple Name: github.com
DNS Name: github.com
[Issuer]
CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
Simple Name: DO_NOT_TRUST_FiddlerRoot
DNS Name: DO_NOT_TRUST_FiddlerRoot
[Serial Number]
63B8AF1E4656F6A84090B66395D2E778
[Not Before]
4/13/2015 7:36:49 PM
[Not After]
4/12/2021 7:36:49 PM
[Thumbprint]
42727BFCD1483323FFCE37F024DE90947A4D5220
[Signature Algorithm]
sha256RSA(1.2.840.113549.1.1.11)
[Public Key]
Algorithm: RSA
Length: 2048
Key Blob:
Parameters: 0500
[Extensions]
* X509v3 Key Usage(2.5.29.15):
030204B0
* X509v3 Extended Key Usage(2.5.29.37):
300A06082B06010505070301
* (2.5.29.17):
DNS:github.com
* (2.5.29.35):
3016801460582EA061611E9E3FAA24C6E6E5479664B694B2
* X509v3 Subject Key Identifier(2.5.29.14):
0414A5672AE0F476D5573D582908A6AD1B2F1DD07961
```
As you can see the Fiddler cert contains:
* X509v3 Extended Key Usage(2.5.29.37):
300A06082B06010505070301 ->1.3.6.1.5.5.7.3.1
How do you generate the server certificate for each https request? I think you might need to do something like: https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309#gistcomment-3098018
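Added example, not part of the original thread and not Proxyman's or Fiddler's code: a small DER decoder in Python run over the extension hex values quoted in the two dumps above, showing that only the Fiddler leaf carries an Extended Key Usage listing 1.3.6.1.5.5.7.3.1. The function and dictionary names are hypothetical; the hex strings are copied from the dumps, and `PROXYMAN_LEAF` reflects the dump as posted in this comment.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, the OID named in the thread
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]
# Extension OID -> DER hex, copied from the two dumps in the thread.
PROXYMAN_LEAF = {"2.5.29.15": "030204F0"}
FIDDLER_LEAF = {"2.5.29.15": "030204B0", "2.5.29.37": "300A06082B06010505070301"}

def read_tlv(buf, pos=0):  # one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # OBJECT IDENTIFIER content bytes -> dotted notation
    arcs, value = [], 0
    for byte in body:  # base-128; a set high bit means more bytes follow
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]  # the first two arcs are packed as 40*a + b
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + arcs[1:]))

def eku_oids(hex_value):  # Extended Key Usage: SEQUENCE OF OBJECT IDENTIFIER
    tag, seq, _ = read_tlv(bytes.fromhex(hex_value))
    if tag != 0x30:
        raise ValueError("EKU must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OIDs")
        oids.append(decode_oid(body))
    return oids

def key_usage(hex_value):  # first byte of the Key Usage BIT STRING -> flag names
    tag, body, _ = read_tlv(bytes.fromhex(hex_value))
    if tag != 0x03 or len(body) < 2:
        raise ValueError("Key Usage must be a non-empty BIT STRING")
    return [n for i, n in enumerate(KEY_USAGE_BITS) if body[1] & (0x80 >> i)]

def has_server_auth(extensions):  # True when the EKU lists id-kp-serverAuth
    eku = extensions.get("2.5.29.37")
    return eku is not None and SERVER_AUTH in eku_oids(eku)
```

The same decoder also shows that the two Key Usage values differ only in the nonRepudiation bit (`F0` versus `B0`).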
I see, it is also absent from the certificate generated by Proxyman, not only from the Root Proxyman Certificate. I'm on it now 👍
Here is the updated build, @TingluoHuang: https://proxyman.s3.us-east-2.amazonaws.com/beta/Proxyman_1.13.0_Missing_extension_certificate.dmg
Please "Reset all Certificate & Data" before testing since there are cached certificates.
Let me know if it works then I could release a 1.13.1 build 👍 Thank you in advance 🎉
@NghiaTranUIT it works, thanks!
Glad to know that. Let's update to Proxyman 1.13.1, which officially includes the fix 👍
Proxyman version? (Ex. Proxyman 1.4.3)
1.13.0
macOS Version? (Ex. mac 10.14)
10.15.2
Steps to reproduce
Check Proxyman CA cert details in keychain
Expected behavior
The CA cert has extended key usage
Server Authentication ( 1.3.6.1.5.5.7.3.1 )
According to https://support.apple.com/en-us/HT210176 and http://blog.nashcom.de/nashcomblog.nsf/dx/more-strict-server-certificate-handling-in-ios-13-macos-10.15.htm?opendocument&comments
When using Proxyman with a dotnet core app, dotnet core can't validate the server SSL cert via the native macOS system call when Proxyman decrypts SSL traffic.
https://github.com/dotnet/runtime/issues/666
Screenshots (optional)
Other proxy server CA cert has this field (Fiddler)