ProxymanApp / Proxyman

Modern. Native. Delightful Web Debugging Proxy for macOS, iOS, and Android ⚡️
https://proxyman.io

Proxyman CA cert doesn't have `Server Authentication ( 1.3.6.1.5.5.7.3.1 ) OID` which is required by macOS 10.15 #367

Closed TingluoHuang closed 4 years ago

TingluoHuang commented 4 years ago

Proxyman version? (Ex. Proxyman 1.4.3)

1.13.0

macOS Version? (Ex. mac 10.14)

10.15.2

Steps to reproduce

Check Proxyman CA cert details in keychain

Expected behavior

The CA cert has extended key usage Server Authentication ( 1.3.6.1.5.5.7.3.1 )

According to https://support.apple.com/en-us/HT210176 and http://blog.nashcom.de/nashcomblog.nsf/dx/more-strict-server-certificate-handling-in-ios-13-macos-10.15.htm?opendocument&comments

When using Proxyman with a dotnet core app, dotnet core can't validate the server SSL cert via the native macOS system call when Proxyman decrypts SSL traffic.

https://github.com/dotnet/runtime/issues/666

Screenshots (optional)

Other proxy servers' CA certs have this field (Fiddler): [screenshot]

NghiaTranUIT commented 4 years ago

Hey @TingluoHuang

Proxyman is already updated with Apple's new requirements, but something is missing for TLS server certificates. I'm on it now 👍

NghiaTranUIT commented 4 years ago

Hey yo @TingluoHuang

Let's check this BETA build: https://proxyman.s3.us-east-2.amazonaws.com/beta/Proxyman_1.13.0_Update_macOS_Certificate_Requirement.dmg

Changelogs: [screenshot]

Please open Help menu -> Debug -> Reset all Certificate & Data to completely remove the old one. Then you can install the new certificate 👍

Please let me know if it works since I couldn't test your case on my local machine. Thank you in advance 🌮

TingluoHuang commented 4 years ago

@NghiaTranUIT thanks for taking a look at this. I think we are 1 step closer. :)

Server cert generated by proxyman:

[Version]
  V3

[Subject]
  OU=https://proxyman.io, CN=github.com, O="GitHub, Inc.", L=San Francisco, C=US
  Simple Name: github.com
  DNS Name: github.com

[Issuer]
  OU=https://proxyman.io, CN="Proxyman CA (3 Jan 2020, htl-mac.local)", O=Proxyman Ltd, L=Singapore, C=SG
  Simple Name: Proxyman CA (3 Jan 2020, htl-mac.local)
  DNS Name: Proxyman CA (3 Jan 2020, htl-mac.local)

[Serial Number]
  00E0481A26FA5B92AB

[Not Before]
  1/3/2020 10:11:37 AM

[Not After]
  4/7/2022 11:11:37 AM

[Thumbprint]
  CC915C50F9326979B4284A0454C31F57EA271DE1

[Signature Algorithm]
  sha256RSA(1.2.840.113549.1.1.11)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Parameters: 0500

[Extensions]
* X509v3 Key Usage(2.5.29.15):
  030204F0
* (2.5.29.17):
  DNS:github.com, DNS:www.github.com

Server cert generated by Fiddler:

[Version]
  V3

[Subject]
  CN=github.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
  Simple Name: github.com
  DNS Name: github.com

[Issuer]
  CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
  Simple Name: DO_NOT_TRUST_FiddlerRoot
  DNS Name: DO_NOT_TRUST_FiddlerRoot

[Serial Number]
  63B8AF1E4656F6A84090B66395D2E778

[Not Before]
  4/13/2015 7:36:49 PM

[Not After]
  4/12/2021 7:36:49 PM

[Thumbprint]
  42727BFCD1483323FFCE37F024DE90947A4D5220

[Signature Algorithm]
  sha256RSA(1.2.840.113549.1.1.11)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Parameters: 0500

[Extensions]
* X509v3 Key Usage(2.5.29.15):
  030204B0
* X509v3 Extended Key Usage(2.5.29.37):
  300A06082B06010505070301
* (2.5.29.17):
  DNS:github.com
* (2.5.29.35):
  3016801460582EA061611E9E3FAA24C6E6E5479664B694B2
* X509v3 Subject Key Identifier(2.5.29.14):
  0414A5672AE0F476D5573D582908A6AD1B2F1DD07961

As you can see, the Fiddler cert contains:

* X509v3 Extended Key Usage(2.5.29.37):
  300A06082B06010505070301 -> 1.3.6.1.5.5.7.3.1

How do you generate the server certificate for each HTTPS request? I think you might need to do something like: https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309#gistcomment-3098018
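To make the comparison above concrete, here is an added example (not code from Proxyman or Fiddler) that decodes the raw DER extension values quoted in the two dumps with a minimal pure-Python DER reader: it turns the Extended Key Usage bytes into dotted OIDs and the Key Usage BIT STRING into named bits, and reports whether id-kp-serverAuth is present. The hex values are copied from the dumps; the parsing helpers are this example's own.

```python
# Added example (not Proxyman's or Fiddler's code): decode the raw DER extension
# values pasted in the two dumps above and check for the id-kp-serverAuth EKU.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, required by macOS 10.15 / iOS 13
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]

def _read_tlv(buf, pos):
    """Read one DER tag-length-value; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs = [2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:  # base-128, high bit set on all but the last byte of an arc
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_extended_key_usage(hex_value):
    """ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER -> list of dotted OIDs."""
    tag, seq, _ = _read_tlv(bytes.fromhex(hex_value), 0)
    assert tag == 0x30, "expected SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        assert tag == 0x06, "expected OBJECT IDENTIFIER"
        oids.append(decode_oid(body))
    return oids

def parse_key_usage(hex_value):
    """KeyUsage ::= BIT STRING -> names of the bits that are set."""
    tag, body, _ = _read_tlv(bytes.fromhex(hex_value), 0)
    assert tag == 0x03, "expected BIT STRING"
    unused = body[0]  # first content byte: number of unused trailing bits
    bits = "".join(f"{b:08b}" for b in body[1:])
    bits = bits[:len(bits) - unused]
    return [name for name, bit in zip(KEY_USAGE_BITS, bits) if bit == "1"]

def has_server_auth(eku_hex):
    """True only if the EKU extension is present and lists id-kp-serverAuth."""
    return eku_hex is not None and SERVER_AUTH in parse_extended_key_usage(eku_hex)
```

Feeding the Proxyman dump (Key Usage `030204F0`, no EKU) gives `has_server_auth(None) == False`, while the Fiddler dump (`030204B0` plus EKU `300A06082B06010505070301`) decodes to `1.3.6.1.5.5.7.3.1` and passes.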

NghiaTranUIT commented 4 years ago

I see, the extension is also absent from the certificate generated by Proxyman, not just the Proxyman Root Certificate. I'm on it now 👍

NghiaTranUIT commented 4 years ago

Here is the updated build, @TingluoHuang: https://proxyman.s3.us-east-2.amazonaws.com/beta/Proxyman_1.13.0_Missing_extension_certificate.dmg


Please "Reset all Certificate & Data" before testing since there are cached certificates.

Let me know if it works then I could release a 1.13.1 build 👍 Thank you in advance 🎉

TingluoHuang commented 4 years ago

@NghiaTranUIT it works, thanks!

NghiaTranUIT commented 4 years ago

Glad to know that. Let's update to Proxyman 1.13.1, which officially includes the fix 👍