tkohegyi / mitmJavaProxy

HTTP/HTTPS MITM Java Proxy with the possibility of intercepting and investigating/altering both requests and responses.
https://github.com/tkohegyi/mitmJavaProxy
Apache License 2.0

NET::ERR_CERT_COMMON_NAME_INVALID #21

Closed caluml closed 1 week ago

caluml commented 2 weeks ago

pom.xml

<dependency>
    <groupId>website.magyar</groupId>
    <artifactId>mitm-java-proxy</artifactId>
    <version>2.5.27.114</version>
</dependency>

Java

public static void main(String[] args) throws Exception {
  ProxyServer proxyServer = new ProxyServer();
  proxyServer.setPort(8080);

  proxyServer.start(100000);
}

I have imported the cybervillainsCA.cer from the website.magyar:mitm-java-proxy:2.5.27.114 jar into Chromium 120.0.6099.224.

But trying to go to any https site in Chromium gives an error:

Your connection is not private
Attackers might be trying to steal your information from google.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID

Is there something I am doing wrong/have missed out?

tkohegyi commented 2 weeks ago

Hi @caluml, what you have experienced is normal. Chromium/Chrome tries to avoid man-in-the-middle (MITM) attacks and does not allow this proxy to be used, for security reasons (to be honest, by using this proxy with Chromium, you would be able to access all HTTPS content, including usernames/passwords, credit card info, etc.), so this behavior is expected. This tool is not to be used to hack an HTTPS line.

caluml commented 2 weeks ago

Hi Tamás.

I have an IoT device on my network, and I want to see what information it is sending out.

I was just trying Chromium to check that mitm-java-proxy worked as expected, and was surprised that it didn't seem to work transparently (or Firefox for that matter).

But interestingly curl works fine without warnings:

curl --cacert ~/path/to/cybervillainsCA.cer --proxy 127.0.0.1:8080 https://google.com/

https://mitmproxy.org/ also works fine in Chromium too, so it feels like there's something missing from the SSL response in mitm-java-proxy

caluml commented 2 weeks ago

It seems like the SSL response is missing a Subject Alternative Name.

Here is a request through mitmproxy:

Subject: news.ycombinator.com
SAN: news.ycombinator.com
Valid from: Sat, 24 Aug 2024 17:37:55 GMT
Valid until: Tue, 26 Aug 2025 17:37:55 GMT
Issuer: mitmproxy

The same request through mitm-java-proxy says:

Certificate: Subject Alternative Name missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

tkohegyi commented 2 weeks ago

Hi @caluml, thank you for the hint, sounds promising. Will look after what we can do.

tkohegyi commented 2 weeks ago

@caluml

> It seems like the SSL response is missing a Subject Alternative Name.
>
> Here is a request through mitmproxy:
>
> Subject: news.ycombinator.com
> SAN: news.ycombinator.com
> Valid from: Sat, 24 Aug 2024 17:37:55 GMT
> Valid until: Tue, 26 Aug 2025 17:37:55 GMT
> Issuer: mitmproxy
>
> The same request through mitm-java-proxy says:
>
> Certificate: Subject Alternative Name missing
> The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

Pls let me know exactly how I can repro it. I would like to check the update, if it is still a problem or not.

caluml commented 2 weeks ago

Hi @tkohegyi

Sure.

I made a simple new project with mitm-java-proxy 2.5.27.114 as a dependency. The main class was just:

public static void main(String[] args) throws Exception {
  ProxyServer proxyServer = new ProxyServer();
  proxyServer.setPort(8080);

  proxyServer.start(100000);
}

And run this.

Run Chromium (or Chrome?) specifying the proxy

chromium --proxy-server=127.0.0.1:8080

and in the settings import the cybervillainsCA.cer cert as a CA cert (trusted to identify websites)

Then go to any https site, and you should get the error I mentioned. You should see this in the certificate details:

Issued to:
Common Name (CN): site.name.whatever
Organization (O): CyberVillainsCA
Organizational Unit (OU): Test

Issued by:
Common Name (CN):
Organization (O): CyberVillians.com
Organizational Unit (OU): CyberVillians Certification Authority

If you use F12 in Chromium, you can see the Security tab in the Dev tools, which will give you the information about the missing SAN:

This page is not secure (broken HTTPS).

Certificate - Subject Alternative Name missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address

Certificate - missing This site is missing a valid, trusted certificate (net:ERR_CERT_COMMON_NAME_INVALID)

I'm guessing that the SAN extension isn't being added when the certificate is generated on the fly. There's a bit more information about it on https://en.wikipedia.org/wiki/Subject_Alternative_Name which says that the commonName is deprecated, and the SAN is now the preferred way of adding DNS names to certificates.

Hope this is OK.
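
A way to reproduce the mismatch discussed in this thread with plain OpenSSL, as an added example that is not part of the original discussion or the project's code: it generates two throwaway self-signed certificates, one CN-only and one with a SAN, and compares a SAN-only host check (the rule the Chromium message describes) with OpenSSL's host check, which falls back to the subject CN. The host name `site.example.test`, the function names and the temporary paths are assumptions made for the example.

```sh
#!/bin/sh
# Added example. Certificates are generated locally for a constructed host
# name; nothing here is output from mitm-java-proxy.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=site.example.test   # constructed host name

# make_leaf NAME [SAN_VALUE]: self-signed cert with CN=$HOST. The SAN
# extension is added only when SAN_VALUE (e.g. "DNS:host") is given.
make_leaf() {
  if [ -n "${2:-}" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
      -addext "subjectAltName=$2" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# san_matches CERT HOST: SAN-only check. Only dNSName entries in the SAN
# extension count; the subject CN is never consulted. Exact match, no wildcards.
san_matches() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -qixF "DNS:$2"
}

# legacy_matches CERT HOST: OpenSSL's own host check, which falls back to
# the subject CN when the certificate carries no SAN dNSName.
legacy_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}

make_leaf cn_only
make_leaf with_san "DNS:$HOST"

for cert in cn_only with_san; do
  san_matches "$WORK/$cert.pem" "$HOST" && s=accept || s=reject
  legacy_matches "$WORK/$cert.pem" "$HOST" && l=accept || l=reject
  echo "$cert: SAN-only check=$s, CN-fallback check=$l"
done
```

The CN-only certificate passes the CN-fallback check and fails the SAN-only one, which is consistent with curl accepting the proxy's certificate while Chromium rejects it. To inspect a certificate a proxy actually serves, save it as PEM and pass it to `san_matches` with the site's host name.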

caluml commented 1 week ago

@tkohegyi

Redid the PR - #23 better matches your formatting, and doesn't have the getFirst() in it.

tkohegyi commented 1 week ago

Hi @caluml thank you - this code requires a bit more update, but the SAN issue will be addressed - thank you for your report and suggestion + PR.

tkohegyi commented 1 week ago

@caluml pls check

tkohegyi commented 1 week ago

Will be in the next release.

tkohegyi commented 1 week ago

https://github.com/tkohegyi/mitmJavaProxy/releases/tag/2.5.28.127 released