lightbody / browsermob-proxy

A free utility to help web developers watch and manipulate network traffic from their AJAX applications.
http://bmp.lightbody.net
Apache License 2.0

Get error message "No subject alternative names matching IP address" when using TrustSource.add #493

Closed. seveniruby closed this issue 8 years ago.

seveniruby commented 8 years ago

My proxyServer config:

val trustSource = TrustSource.defaultTrustSource().add(new File("/tmp/sslkeystore.bks"))
val mitmManager = ImpersonatingMitmManager.builder()
  .trustSource(trustSource) // use an explicit trust source, or:
  //.trustAllServers(true) // do not validate servers' certificates
  .build()
proxyServer.setMitmManager(mitmManager)

When I use this command, I get a 502 error message:

curl -i -s -k  -X 'GET'     -H 'User-Agent: Xueqiu Android 8.2-rc-120' -H 'host: api.xueqiu.com'     -b 'xq_a_token=XqTest7f274a04a3047fe580bf9693ffb911a712961d5b; u=5708953570'     'https://124.250.3.102/stock/industry/list_stock_by_ind_code.json?_t=1GENYMOTION0325b24d972b9a5d85870d95fcb5bbb4.5708953570.1467775770273.1467775903883&indClass=SW2014&indCode=370000&trace_id=57089535701GENYMOTION0325b24d972b9a5d85870d95fcb5bbb4&x=0.598&'  -x  http://127.0.0.1:7777
HTTP/1.1 502 Bad Gateway
Content-Length: 30
Content-Type: text/html; charset=UTF-8

The BMP error log (not debug) was:

29146 [LittleProxy-0-ProxyToServerWorker-3] ERROR org.littleshoot.proxy.impl.ProxyToServerConnection  - (DISCONNECTED) [id: 0x5ed20747, L:/192.168.0.214:62463 ! R:/124.250.3.102:443]: Caught an exception on ProxyToServerConnection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:418)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:245)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:292)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:278)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:962)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:528)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:485)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:399)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:371)
    at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:112)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1098)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:970)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:904)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:387)
    ... 11 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1497)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1124)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1009)
    ... 13 more
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 124.250.3.102 found
    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:167)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1484)
    ... 21 more

So how can I avoid the error?

jekh commented 8 years ago

The site you're visiting, https://124.250.3.102, presents a certificate issued for xueqiu.com and *.xueqiu.com. You can either make the request using a *.xueqiu.com domain that resolves to that IP address, or you can disable hostname verification completely using the setTrustAllServers(true) method.

seveniruby commented 8 years ago

Thank you for the reply. I already use setTrustAllServers(true); it doesn't work. I also added this:

val verifier = new javax.net.ssl.HostnameVerifier() {
  def verify(hostname: String, session: javax.net.ssl.SSLSession): Boolean = {
    log.info(hostname)
    return true
  }
}
javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(verifier)

It doesn't work either.

Also, I can't use the hostname to replace the IP, because sometimes I need to use the same hostname with different IPs for multiple environments.

seveniruby commented 8 years ago

For recording requests based on BMP, I use Burp Suite and set its upstream proxy to BMP; that works. If I only use BMP, it doesn't work.

jekh commented 8 years ago

If you can't use the hostname, then server certificate validation will fail. The server, xueqiu.com, is returning a certificate for *.xueqiu.com, not for an IP address. There is simply no way to make that work. One possible work-around would be to modify your /etc/hosts file.

Alternatively, you can bypass validation completely by setting trustAllServers to true (that line is commented out in your code snippet). That will definitely work, just make sure you're using the latest version of BMP.
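The mismatch jekh describes in both replies is exactly the rule the JDK's HostnameChecker enforces before the handshake in the stack trace can succeed. The following is an added example, not code from BMP or from this thread, that reimplements that rule in Python over a constructed SAN list: an IP literal is matched only against iPAddress entries, a DNS name only against dNSName entries, and it also shows the general wildcard rules (one left-most label, no crossing of label boundaries), which go beyond the single case in the thread.

```python
import ipaddress

# Constructed SAN list modelling the certificate described in the thread:
# dNSName entries for xueqiu.com and *.xueqiu.com, and no iPAddress entry.
XUEQIU_SANS = [("DNS", "xueqiu.com"), ("DNS", "*.xueqiu.com")]


def _dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, a wildcard is allowed
    only as the whole left-most label, and it never spans a label boundary."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                 # e.g. ".xueqiu.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]      # the part the '*' must cover
    return bool(leftmost) and "." not in leftmost


def check_identity(requested: str, sans):
    """Mirror sun.security.util.HostnameChecker.match(): decide whether the
    name the client connected to is covered by the certificate's SANs.
    Returns (ok, reason). The reason text for the IP case follows the JDK's
    CertificateException message seen in the thread's stack trace."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress SANs; dNSName entries,
        # wildcards included, are never consulted for it.
        for kind, value in sans:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True, f"iPAddress SAN {value} matches"
        return False, (f"No subject alternative names matching IP address "
                       f"{requested} found")
    for kind, value in sans:
        if kind == "DNS" and _dns_matches(value, requested):
            return True, f"dNSName SAN {value} matches"
    return False, f"No subject alternative DNS name matching {requested} found"


if __name__ == "__main__":
    for name in ("124.250.3.102", "api.xueqiu.com", "a.b.xueqiu.com"):
        print(name, check_identity(name, XUEQIU_SANS))
```

This check runs inside the JDK's X509TrustManagerImpl for the Netty SSLEngine that BMP uses, so a HostnameVerifier installed with HttpsURLConnection.setDefaultHostnameVerifier (which only affects HttpsURLConnection clients) cannot relax it.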

seveniruby commented 8 years ago

I created two cases, one for BMP and one for LittleProxy. I found that only the LittleProxy one works. This is the demo code:

package com.xueqiu.httpapi.framework

import java.net.InetSocketAddress

import com.fasterxml.jackson.databind.{SerializationFeature, ObjectMapper}
import com.fasterxml.jackson.module.scala.DefaultScalaModule
import io.netty.channel.ChannelHandlerContext
import io.netty.handler.codec.http.{HttpResponse, HttpObject, HttpRequest}
import net.lightbody.bmp.BrowserMobProxyServerLegacyAdapter
import net.lightbody.bmp.filters.RequestFilter
import net.lightbody.bmp.util.{HttpMessageInfo, HttpMessageContents}
import org.littleshoot.proxy.{HttpFiltersAdapter, HttpFilters, HttpFiltersSourceAdapter, HttpFiltersSource}
import org.littleshoot.proxy.impl.DefaultHttpProxyServer

import net.lightbody.bmp.BrowserMobProxyServer
import net.lightbody.bmp.proxy.LegacyProxyServer
import org.scalatest.FunSuite

/**
  * Created by seveniruby on 16/9/7.
  */
class TestProxyServer extends FunSuite with CommonLog{

  test("proxy server bmp"){
    val proxy=new BrowserMobProxyServer
    //val proxy=new BrowserMobProxyServerLegacyAdapter()
    proxy.setTrustAllServers(true)
    proxy.start(7777)
    proxy.newHar()

    val requestFilter = new RequestFilter {
      override def filterRequest(request: HttpRequest, contents: HttpMessageContents, messageInfo: HttpMessageInfo): HttpResponse = {
        //request.headers().set("accept-encoding", "deflate, br")
        log.info(request.getUri)
        return null
      }
    }
    proxy.addRequestFilter(requestFilter)
    Thread.sleep(2000000)
  }

  test("little proxy"){

    val filter=new HttpFiltersSourceAdapter(){
      override def filterRequest(originalRequest: HttpRequest , ctx: ChannelHandlerContext ): HttpFilters={
        return new HttpFiltersAdapter(originalRequest) {
          override def clientToProxyRequest(httpObject: HttpObject ):HttpResponse= {
            // TODO: implement your filtering here
            log.info(originalRequest.getUri)
            return null;
          }

          override def serverToProxyResponse(httpObject: HttpObject ):HttpObject= {
            // TODO: implement your filtering here
            return httpObject;
          }
        };
      }
    }
    val proxy = DefaultHttpProxyServer.bootstrap()
      .withAddress(new InetSocketAddress("0.0.0.0", 7777))
      //.withPort(7777)
      .withFiltersSource(filter)
      .start()
    Thread.sleep(2000000)
  }
}

The result of LittleProxy:

Testing started at 下午1:12 ...
0 [ScalaTest-run-running-TestProxyServer] INFO org.littleshoot.proxy.impl.DefaultHttpProxyServer  - Starting proxy at address: /0.0.0.0:7777
49 [ScalaTest-run-running-TestProxyServer] INFO org.littleshoot.proxy.impl.DefaultHttpProxyServer  - Proxy listening with TCP transport
336 [ScalaTest-run-running-TestProxyServer] INFO org.littleshoot.proxy.impl.DefaultHttpProxyServer  - Proxy started at address: /0:0:0:0:0:0:0:0:7777
2016-09-07 13:12:25 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] data.flurry.com:443
2016-09-07 13:12:37 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] http://oc.umeng.com/check_config_update
2016-09-07 13:12:38 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] http://oc.umeng.com/check_config_update
2016-09-07 13:12:41 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] 101.201.62.21:443
2016-09-07 13:12:41 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] 101.201.62.21:443
2016-09-07 13:12:41 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] 101.201.62.21:443
2016-09-07 13:12:41 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] 124.250.3.101:443
2016-09-07 13:12:41 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] api.xueqiu.com:443
2016-09-07 13:12:41 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] 124.250.3.101:443
2016-09-07 13:12:41 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] 124.250.3.101:443
2016-09-07 13:12:41 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] http://alog.umeng.com/app_logs
2016-09-07 13:12:41 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] 101.201.62.21:443
2016-09-07 13:12:41 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] http://alog.umeng.com/app_logs
2016-09-07 13:12:41 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] http://alog.umeng.com/app_logs
2016-09-07 13:12:44 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] 101.201.62.21:443
2016-09-07 13:12:46 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] 101.201.62.21:443
2016-09-07 13:12:50 INFO [TestProxyServer$$anonfun$2$$anon$1$$anon$2.clientToProxyRequest.$F.49] data.flurry.com:443

The result of BMP:

Testing started at 下午1:13 ...
0 [ScalaTest-run-running-TestProxyServer] INFO org.littleshoot.proxy.impl.DefaultHttpProxyServer  - Starting proxy at address: 0.0.0.0/0.0.0.0:7777
34 [ScalaTest-run-running-TestProxyServer] INFO org.littleshoot.proxy.impl.DefaultHttpProxyServer  - Proxy listening with TCP transport
190 [ScalaTest-run-running-TestProxyServer] INFO org.littleshoot.proxy.impl.DefaultHttpProxyServer  - Proxy started at address: /0:0:0:0:0:0:0:0:7777
2016-09-07 13:13:54 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] data.flurry.com:443
4696 [LittleProxy-0-ClientToProxyWorker-0] WARN net.lightbody.bmp.mitm.util.SslUtil  - Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers.
2016-09-07 13:13:58 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] http://oc.umeng.com/check_config_update
2016-09-07 13:14:01 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] 101.201.62.21:443
2016-09-07 13:14:01 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] 101.201.62.24:443
2016-09-07 13:14:01 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] 101.201.62.24:443
2016-09-07 13:14:01 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] 124.250.3.101:443
2016-09-07 13:14:01 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] api.xueqiu.com:443
2016-09-07 13:14:03 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] 124.250.3.101:443
2016-09-07 13:14:03 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] 124.250.3.101:443
2016-09-07 13:14:03 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] /jspatch/config.json?app_key=02dfc0390c04c8e8464e0b2d13c5cfcb&app_version=8.4-rc-1460&user_data=%7B%22user_id%22%3A9001459498%2C%22device%22%3A%22Genymotion_Google_Nexus_4_-_4.4.4_-_API_19_-_768x1280%22%2C%22system_version%22%3A%224.4.4%22%2C%22channel_id%22%3A%22xueqiu%22%2C%22user_verify_type%22%3A0%7D
2016-09-07 13:14:03 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] 124.250.3.101:443
2016-09-07 13:14:03 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] 101.201.62.24:443
2016-09-07 13:14:03 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] 101.201.62.23:443
2016-09-07 13:14:04 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] 101.201.62.21:443
2016-09-07 13:14:04 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] 101.201.62.24:443
14569 [LittleProxy-0-ClientToProxyWorker-2] INFO org.littleshoot.proxy.impl.ClientToProxyConnection  - (NEGOTIATING_CONNECT) [id: 0x54797cbc, L:/192.168.57.1:7777 - R:/192.168.57.101:56421]: An IOException occurred on ClientToProxyConnection: Connection reset by peer
14623 [LittleProxy-0-ProxyToServerWorker-2] INFO org.littleshoot.proxy.impl.ProxyToServerConnection  - (DISCONNECTED) [id: 0x346e8281, L:0.0.0.0/0.0.0.0:52717]: Connection to upstream server failed
java.nio.channels.ClosedChannelException
    at io.netty.handler.ssl.SslHandler.channelInactive(...)(Unknown Source)
2016-09-07 13:14:06 INFO [TestProxyServer$$anonfun$1$$anon$3.filterRequest.$F.34] 101.201.62.25:443

seveniruby commented 8 years ago

I have updated my demo code, and this is the demo app: http://xqfile.imedao.com/android-release/xueqiu_832_08181340.apk

2016-07-19 20:49 GMT+08:00 Jason Hoetger notifications@github.com:

Closed #493 https://github.com/lightbody/browsermob-proxy/issues/493.
