moxie0 / sslsniff

A tool for automated MITM attacks on SSL connections.

CA mode does not work with iOS #14

Open ju916 opened 12 years ago

ju916 commented 12 years ago

We have a test environment with sslsniff in CA mode, that works fine with Firefox on Linux/Windows. When we try to use it with iOS we don't get a connection to the server. Safari simply complains that it cannot make a secure connection to the server. Targeted mode seems to work though.

I am willing to provide more details but I have not yet found a way to get any meaningful output from Safari.

droe commented 12 years ago

FWIW, this incompatibility, plus the fact that he prefers python to C++, seems to be the reason why Hubert wrote iSniff. In his 28C3 lightning talk about iSniff, at 2:17, he mentions what he thinks is the technical reason for the incompatibility.

https://github.com/hubert3/iSniff
https://www.youtube.com/watch?v=fqB7MwwxkOk
http://www.ruxcon.org.au/assets/Presentations/Ruxmon/iPwnyouriPhone2.pptx

ju916 commented 12 years ago

Fix extracted from the above:

certificate/AuthorityCertificateManager.cpp:

seems to work for us, no side effects yet.

droe commented 12 years ago

My guess is that the missing X509v3 extensions are the problem. One way to fix it is to mark the certificate as v1 (your workaround), the other way would be to add the required v3 extensions.

droe commented 12 years ago

Can you try this patch?

droe/sslsniff@5b66f8c

If it works for you, I'll submit a pull request.

ju916 commented 12 years ago

Not in the office today. Will try it tomorrow.

bye, ju

On 31.01.2012 at 19:20, Daniel Roethlisberger reply@reply.github.com wrote:

Can you try this patch?

droe/sslsniff@5b66f8c

If it works for you, I'll submit a pull request.



droe commented 12 years ago

D'oh, sslsniff has been generating version 4 certificates:

$ openssl x509 -in test.crt -text
Certificate:
    Data:
        Version: 4 (0x3)
        Serial Number: ... (...)
        Signature Algorithm: sha1WithRSAEncryption
        ...

The version passed to X509_set_version() is zero-based, that is, an argument of 3 corresponds to X509v4. Not what we want.

The fix: droe/sslsniff@1b64bc6

The full changeset which adds a standard set of v3 extensions including the server cert's subjectAltName: https://github.com/droe/sslsniff/compare/master...topic%2Fx509v3ext

Feedback welcome.
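
The off-by-one described in the last comment can be checked on the receiving side by reading the version INTEGER straight out of the DER encoding. The following is an added example, not part of the original thread or of sslsniff; the function names are hypothetical and the sample bytes are constructed minimal fragments, not full certificates.

```c
#include <stddef.h>
#include <stdio.h>

/* Read one DER tag+length header at *off; on success *off is the value start. */
static int der_header(const unsigned char *p, size_t len, size_t *off,
                      unsigned char *tag, size_t *vlen)
{
    size_t i = *off, n;
    if (i > len || len - i < 2) return -1;
    *tag = p[i++];
    if (p[i] < 0x80) {
        *vlen = p[i++];                      /* short form */
    } else {
        n = p[i++] & 0x7f;                   /* long form: n length bytes follow */
        if (n == 0 || n > sizeof(size_t) || len - i < n) return -1;
        for (*vlen = 0; n > 0; n--) *vlen = (*vlen << 8) | p[i++];
    }
    if (len - i < *vlen) return -1;          /* value must fit in the buffer */
    *off = i;
    return 0;
}

/* Zero-based version as encoded (0 = v1, 2 = v3); -1 if parsing fails. */
int x509_wire_version(const unsigned char *der, size_t len)
{
    size_t off = 0, vlen;
    unsigned char tag;
    if (der_header(der, len, &off, &tag, &vlen) || tag != 0x30) return -1; /* Certificate */
    if (der_header(der, len, &off, &tag, &vlen) || tag != 0x30) return -1; /* tbsCertificate */
    if (off >= len) return -1;
    if (der[off] != 0xA0) return 0;          /* [0] version absent: DEFAULT v1 */
    if (der_header(der, len, &off, &tag, &vlen)) return -1;
    if (der_header(der, len, &off, &tag, &vlen) || tag != 0x02 || vlen != 1) return -1;
    return der[off];
}

/* RFC 5280 defines only v1(0), v2(1) and v3(2). */
int x509_version_is_valid(int wire) { return wire >= 0 && wire <= 2; }

/* Constructed fragments (Certificate, tbsCertificate, version, serial). */
const unsigned char SAMPLE_V4[] = {0x30,0x0A,0x30,0x08,0xA0,0x03,0x02,0x01,0x03,0x02,0x01,0x01};
const unsigned char SAMPLE_V3[] = {0x30,0x0A,0x30,0x08,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x01};
const unsigned char SAMPLE_V1[] = {0x30,0x05,0x30,0x03,0x02,0x01,0x01};

int main(void) {
    int w = x509_wire_version(SAMPLE_V4, sizeof SAMPLE_V4);
    printf("Version: %d (0x%x) -> %s\n", w + 1, w, x509_version_is_valid(w) ? "valid" : "invalid");
    return 0;
}
```

The stand-alone run prints the same "Version: 4 (0x3)" pairing that the openssl output above shows, and flags it as invalid.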