krlvm
commented
2 years ago Эта проблема связана с Cloudflare, когда модификация SNI выключена, она отсутствует. Думаю, что можно с этим сделать.
Open vadimkara opened 2 years ago
krlvm
commented
2 years ago Эта проблема связана с Cloudflare, когда модификация SNI выключена, она отсутствует. Думаю, что можно с этим сделать.
pundoo
commented
1 year ago Эта проблема связана с Cloudflare, когда модификация SNI выключена, она отсутствует. Думаю, что можно с этим сделать.
I'm facing same issue. Any workaround for this (with sni, not chuck)?
krlvm
commented
1 year ago Not yet, but you can disable these warnings in Chrome (this is not a good way though)
pundoo
commented
1 year ago Not yet, but you can disable these warnings in Chrome (this is not a good way though)
Disabling warnings don't seems to work. These sites are basically behind CDNs, that strictly requires the correct SNI field to serve the right certificate (and the right server to connect to?). Faking SNI simply breaks this mechanism.
I don't know (in-depth) exactly how the HTTPS connection establishes but, is it somehow possible to generate the (self-signed) cert from client request SNI/host (Fiddler does it), so that the CN matches and the handshake is successful. Then after that, somehow tell server the actual site we're trying to connect to via host header or something?
krlvm
commented
1 year ago Disabling warnings don't seems to work. These sites are basically behind CDNs, that strictly requires the correct SNI field to serve the right certificate (and the right server to connect to?). Faking SNI simply breaks this mechanism.
Yes, that's the problem. IIRC I wrote a detailed explaination in other thread some time ago.
I don't know (in-depth) exactly how the HTTPS connection establishes but, is it somehow possible to generate the (self-signed) cert from client request SNI/host (Fiddler does it), so that the CN matches and the handshake is successful. Then after that, somehow tell server the actual site we're trying to connect to via host header or something?
MITM is done by LittleProxy and its extension LittleProxy-mitm. Certificate generation is requested here, and it the certificates changes then, which is the problem. I tried to debug this previously, but I did not succeed. I will try again today.
pundoo
commented
1 year ago MITM is done by LittleProxy and its extension LittleProxy-mitm. Certificate generation is requested here, and it the certificates changes then, which is the problem. I tried to debug this previously, but I did not succeed. I will try again today.
Did some read up and seems like it should be fairly simple. We just have to get the SNI/host from the client request and use it as the COMMON_NAME (CN) for self generated certificate (instead of using CN received from server). I don't know Java that much, otherwise I'd test this approach..
krlvm
commented
1 year ago Yes that's it. Though I don't see a way to obtain it yet.
На некторых сайтх при переходе по ссылке на субдомены программа выдает сертификат не на тот днс что указан в ссылке