justcoding121 / titanium-web-proxy

A cross-platform asynchronous HTTP(S) proxy server in C#.
MIT License
1.93k stars, 618 forks

The SSL certificate seems to be invalid on ios13 #782

Closed leleji closed 4 years ago

leleji commented 4 years ago

Before, it worked normally. Recently, the certificate is not trusted on iOS 13, while iOS 12 is normal.

honfika commented 4 years ago

Interesting... is there any info about what is wrong with the certificate? I don't have an iPhone, so I can't test it.

You can use your own certificate with TWP.

leleji commented 4 years ago

> Interesting... is there any info about what is wrong with the certificate? I don't have an iPhone, so I can't test it.
>
> You can use your own certificate with TWP.

It was normal a few days ago. In the last two days, it suddenly showed that the certificate was not trusted on iOS 13. On Windows and iOS 12 it was normal. Neither the certificate generated by TWP nor my own certificate can resolve HTTPS.

leleji commented 4 years ago

> Interesting... is there any info about what is wrong with the certificate? I don't have an iPhone, so I can't test it. You can use your own certificate with TWP.
>
> It was normal a few days ago. In the last two days, it suddenly showed that the certificate was not trusted on iOS 13. On Windows and iOS 12 it was normal. Neither the certificate generated by TWP nor my own certificate can resolve HTTPS.
>
> Do you have contact details? I also have the problem on iOS 13: the certificate is trusted, but it still says the connection is not secure.

Not solved yet. Since unlocking NetEase Cloud Music over HTTPS is not a hard requirement, I haven't looked into it.

xinghusp commented 4 years ago

Same problem, but other packet capture tools have no issue. I suspect the domain certificate generated by TWP is to blame.

leleji commented 4 years ago

> Same problem, but other packet capture tools have no issue. I suspect the domain certificate generated by TWP is to blame.

I get the same result with my own self-signed certificate. I guess iOS 13 has tightened its security checks on forged intermediate certificates.

xinghusp commented 4 years ago

> Same problem, but other packet capture tools have no issue. I suspect the domain certificate generated by TWP is to blame.
>
> It's not the domain certificate; it works fine on Android but cannot be used on iOS.

It can now be confirmed that this is a TWP problem. I tested Fiddler and Stream, and both capture packets normally. TWP must be leaving something out when it generates the certificate.

xinghusp commented 4 years ago

@justcoding121 Recently, the middleman certificate generated by TWP has a certificate error on iOS 13.5, and the error code returned is ERR_CERT_INVALID. The root certificate has been trusted in the About menu. At the same time, packets can be captured using the Fiddler and Stream apps. But when I tried to use the root certificate generated by Fiddler with TWP, there was still trouble. I suspect that some problem occurred when TWP generated the middleman certificate. Could you please give me some advice for troubleshooting?

justcoding121 commented 4 years ago

@xinghusp Unfortunately, I am not able to spend time on TWP; I consider myself retired. @honfika may be able to help when he gets a chance.

honfika commented 4 years ago

Is this a problem with the TWP root certificate or the TWP site/domain certificate?

Did you try to use Fiddler's root certificate in TWP? Is that working?

honfika commented 4 years ago

Even in TWP?

Then that is a workaround, use that:)

honfika commented 4 years ago

I don't understand you. You said that Fiddler's root certificate is working in TWP. What is the problem then? Generate a root certificate with Fiddler or any other certificate generator and use that root certificate in TWP.

honfika commented 4 years ago

> I would appreciate it if you could tell me how the certificate is generated

In TWP?

You can find the code which generates the certificate here: https://github.com/justcoding121/Titanium-Web-Proxy/tree/master/src/Titanium.Web.Proxy/Certificates

xinghusp commented 4 years ago

@honfika @Maxsss @su3817806 I found the problem. When TWP generates a middleware cert, it sets the validity period very long. When the middleware cert's validity period is longer than the root certificate's, iOS will not trust the middleware cert even though the root certificate has been trusted. I looked at the TWP source file [WinCertificateMaker.cs] and changed the validFrom and validTo parameters to a short time in the method "makeCertificate". And the problem has been solved.

keyoti commented 4 years ago

Yes the issue is duration, see https://support.apple.com/en-us/HT210176

justcoding121 commented 4 years ago

I've reduced the default to 825 days. One can now configure that using the ProxyServer.CertificateManager.CertificateValidDays property.

bbhxwl commented 4 years ago

> I've reduced the default to 825 days. One can now configure that using the ProxyServer.CertificateManager.CertificateValidDays property.

Have you solved it? I have the same problem with Python's mitmproxy.

keyoti commented 4 years ago

@bbhxwl I now have reason to believe that 825 days is still too long. 825 days works fine for iOS with Safari, however iOS running a Xamarin app calling an API fails with 825 days. I didn't have the luxury of experimenting with different durations so just settled on 1 year which worked. Please could you try a year and report back?

bbhxwl commented 4 years ago

> @bbhxwl I now have reason to believe that 825 days is still too long. 825 days works fine for iOS with Safari, however iOS running a Xamarin app calling an API fails with 825 days. I didn't have the luxury of experimenting with different durations so just settled on 1 year which worked. Please could you try a year and report back?

I've tried 800 days and I can't, iOS 14. I'll try 365 days now.

bbhxwl commented 4 years ago

> @bbhxwl I now have reason to believe that 825 days is still too long. 825 days works fine for iOS with Safari, however iOS running a Xamarin app calling an API fails with 825 days. I didn't have the luxury of experimenting with different durations so just settled on 1 year which worked. Please could you try a year and report back?

365 days is OK. I have to regenerate the root certificate every 365 days, right?

keyoti commented 4 years ago

Yes you would - I actually modified our version to have the 825 days for the root certificate and 365 for the website certificate, for some reason that works OK.
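As an added example (not TWP's own code), the following .NET snippet shows the two duration rules this thread converged on: a site certificate whose validity is clamped to the 825-day limit from Apple's HT210176 and never outlives the root that signs it, using the 825-day root / 365-day leaf split reported above. The constants, class and method names are assumptions for illustration; the X.509 APIs are the standard System.Security.Cryptography.X509Certificates ones.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Illustrative helper, not part of Titanium Web Proxy. Durations are taken from this thread.
static class CertValidity
{
    const int AppleMaxLeafDays = 825; // Apple HT210176 ceiling for TLS server certificates
    const int RootDays = 825;         // root lifetime keyoti reported working
    const int LeafDays = 365;         // site-cert lifetime bbhxwl/keyoti reported working on iOS

    public static X509Certificate2 MakeRoot(string cn)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest($"CN={cn}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        var now = DateTimeOffset.UtcNow;
        return req.CreateSelfSigned(now.AddMinutes(-5), now.AddDays(RootDays));
    }

    public static X509Certificate2 MakeLeaf(X509Certificate2 root, string host, int requestedDays = LeafDays)
    {
        var rsa = RSA.Create(2048); // kept alive: the returned cert carries this key
        var req = new CertificateRequest($"CN={host}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(host);
        req.CertificateExtensions.Add(san.Build());
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); // serverAuth
        var notBefore = DateTimeOffset.UtcNow.AddMinutes(-5);
        // Rule 1: never exceed Apple's 825-day ceiling, whatever the caller asked for.
        var notAfter = notBefore.AddDays(Math.Min(requestedDays, AppleMaxLeafDays));
        // Rule 2: never outlive the issuer, which is what iOS 13 rejected in this thread.
        if (notAfter > root.NotAfter) notAfter = new DateTimeOffset(root.NotAfter.ToUniversalTime());
        var serial = new byte[16];
        RandomNumberGenerator.Fill(serial);
        serial[0] &= 0x7F; // keep the serial positive
        return req.Create(root, notBefore, notAfter, serial).CopyWithPrivateKey(rsa);
    }

    // Diagnostic for an existing pair: true when both duration rules hold.
    public static bool ValidityLooksIosSafe(X509Certificate2 leaf, X509Certificate2 root) =>
        (leaf.NotAfter - leaf.NotBefore).TotalDays <= AppleMaxLeafDays && leaf.NotAfter <= root.NotAfter;
}
```

ValidityLooksIosSafe can be pointed at a certificate captured from any proxy (Fiddler, mitmproxy, TWP) to tell a duration problem apart from a trust-store problem before changing anything.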

bbhxwl commented 4 years ago

> Yes you would - I actually modified our version to have the 825 days for the root certificate and 365 for the website certificate, for some reason that works OK.

Are these two the same?

e.HttpClient.Request.Url and e.HttpClient.Request.RequestUri

It seems that the method of header and the cookie are not modified? Can only delete the header and add it again?

bbhxwl commented 4 years ago

> Yes you would - I actually modified our version to have the 825 days for the root certificate and 365 for the website certificate, for some reason that works OK.

I can't grab my bags now. Can you? Do not know why?

bbhxwl commented 4 years ago

> I've reduced the default to 825 days. One can now configure that using the ProxyServer.CertificateManager.CertificateValidDays property.

I can't grab my bags now. Can you? Do not know why?

keyoti commented 4 years ago

I think "bags" is the wrong translation - what did you mean?