Closed JG127 closed 5 years ago
Got it! To answer my own question: Yes it does. The signature is different when the certificate chain was modified by the MITM decryption. And indeed the login succeeds when the new signature is added. (Although I am not certain this is the best way to solve such an issue. But in the meantime it gets me going.)
For posterity then:
/* mitm modified certificate of www.lastpass.com */
"< signature from step 1 >",
Hope this helps somebody else on their way too.
In my case lpass login immediately fails with the error "Error: Peer certificate cannot be authenticated with given CA certificates." I've upgraded to the 1.3.3 release and checked pins.h for missing signatures. The signatures are all there. So it can't be the usual cause.
According to the certificate chain I see from https://www.lastpass.com my company's CA has issued the Lastpass certificate. MITM.
Could it be this also changes the signature? It would explain the error.
If this is the case, can somebody tell me how I can compute the signature? I'll add it into pins.h and recompile.
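The question above is how to derive the value that goes into pins.h, and why an intercepting proxy changes it. The following is an added example, not code from lastpass-cli or from the thread's author. It assumes the pin is the SHA-256 digest of the certificate's DER-encoded SubjectPublicKeyInfo (the convention curl's `sha256//` pinning and HPKP use); whether pins.h expects that digest as hex or as base64 is something to confirm against the project's own http.c, so the function returns both. To stay dependency-free it builds two constructed, non-validating sample certificates with a tiny DER encoder, one for the real server key and one a proxy CA would issue for the same hostname, and then extracts and hashes the SPKI from each the way a pinning check would. It also shows a renewed certificate that keeps the original key: its pin is unchanged, because the pin is over the key, not the certificate or its chain.

```python
import base64
import hashlib

# ---- minimal DER encoder, used only to build the constructed sample certs ----

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b          # long-form length

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                        # keep the INTEGER positive
    return tlv(0x02, b)

def der_oid(hexbody):
    return tlv(0x06, bytes.fromhex(hexbody))

OID_RSA = "2a864886f70d010101"        # 1.2.840.113549.1.1.1  rsaEncryption
OID_SHA256_RSA = "2a864886f70d01010b"  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
OID_CN = "550403"                      # 2.5.4.3 commonName

def rsa_spki(n, e):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }"""
    alg = tlv(0x30, der_oid(OID_RSA) + tlv(0x05, b""))
    key = tlv(0x30, der_int(n) + der_int(e))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + key))

def der_name(cn):
    # Name ::= SEQUENCE OF RelativeDistinguishedName (SET OF AttributeTypeAndValue)
    return tlv(0x30, tlv(0x31, tlv(0x30, der_oid(OID_CN) + tlv(0x0c, cn.encode()))))

def fake_cert(issuer_cn, subject_cn, spki):
    """Constructed X.509 shell with a dummy signature; enough structure for SPKI extraction."""
    utc = tlv(0x17, b"200101000000Z")
    sig_alg = tlv(0x30, der_oid(OID_SHA256_RSA) + tlv(0x05, b""))
    tbs = tlv(0x30,
              tlv(0xa0, der_int(2))            # version [0] EXPLICIT v3
              + der_int(1)                     # serialNumber
              + sig_alg                        # signature
              + der_name(issuer_cn)            # issuer
              + tlv(0x30, utc + utc)           # validity
              + der_name(subject_cn)           # subject
              + spki)                          # subjectPublicKeyInfo
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 17))

# ---- the part a pinning check actually needs: parse the cert, hash its SPKI ----

def read_tlv(buf, off):
    """Return (tag, value, raw_tlv_bytes, next_offset) for the element at off."""
    tag, ln, hdr = buf[off], buf[off + 1], 2
    if ln & 0x80:
        nb = ln & 0x7f
        ln = int.from_bytes(buf[off + 2:off + 2 + nb], "big")
        hdr = 2 + nb
    end = off + hdr + ln
    return tag, buf[off + hdr:end], buf[off:end], end

def children(body):
    out, off = [], 0
    while off < len(body):
        tag, val, raw, off = read_tlv(body, off)
        out.append((tag, val, raw))
    return out

def extract_spki(cert_der):
    tag, cert_body, _, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is the input PEM rather than DER?)")
    _, tbs_body, _ = children(cert_body)[0]     # tbsCertificate
    fields = children(tbs_body)
    if fields[0][0] == 0xa0:                    # optional version present
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]

def spki_pin(cert_der):
    """(hex, base64) SHA-256 of the DER SubjectPublicKeyInfo; the assumed pins.h value."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return digest.hex(), base64.b64encode(digest).decode()

def is_pinned(cert_der, pins_hex):
    return spki_pin(cert_der)[0] in {p.lower() for p in pins_hex}

# Constructed sample keys: toy moduli, NOT real RSA keys, only to yield distinct SPKIs.
SERVER_SPKI = rsa_spki(0xC0FFEE0123456789ABCDEF, 65537)
PROXY_SPKI = rsa_spki(0xDEADBEEF0011223344556677, 65537)

real_cert = fake_cert("Public CA (constructed)", "www.lastpass.com", SERVER_SPKI)
renewed_cert = fake_cert("Public CA (constructed)", "www.lastpass.com", SERVER_SPKI)
mitm_cert = fake_cert("Corp Proxy CA (constructed)", "www.lastpass.com", PROXY_SPKI)

PINS = [spki_pin(real_cert)[0]]      # what a pins.h entry for the real key would hold

if __name__ == "__main__":
    for name, c in [("real", real_cert), ("renewed", renewed_cert), ("mitm", mitm_cert)]:
        print(name, spki_pin(c)[0], "pinned" if is_pinned(c, PINS) else "REJECTED")
```

Running it prints the same pin for the real and renewed certificates and a different one for the proxy-issued certificate, which is exactly the "Peer certificate cannot be authenticated" situation: the interception proxy presents its own key for www.lastpass.com, so the hash in pins.h no longer matches. To pin a real certificate, feed `spki_pin` the DER bytes of the leaf (or intermediate) actually presented to the client, for example the output of `openssl s_client` converted with `openssl x509 -outform der`.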