Closed caluml closed 1 week ago
Hi @caluml, what you have experienced is normal. Chromium/Chrome tries to avoid man-in-the-middle (MITM) attacks and does not allow this proxy to be used, for security reasons (to be honest, by using this proxy for Chromium, you would be able to have access to all HTTPS content, including usernames/passwords, credit card info, etc.), so this behavior is expected. This tool is not to be used to hack an HTTPS line.
Hi Tamás.
I have an IoT device on my network, and I want to see what information it is sending out.
I was just trying Chromium to check that mitm-java-proxy worked as expected, and was surprised that it didn't seem to work transparently (or Firefox for that matter).
But interestingly curl works fine without warnings:
    curl --cacert ~/path/to/cybervillainsCA.cer --proxy 127.0.0.1:8080 https://google.com/
https://mitmproxy.org/ also works fine in Chromium too, so it feels like there's something missing from the SSL response in mitm-java-proxy
It seems like the SSL response is missing a Subject Alternative Name.
Here is a request through mitmproxy:
    Subject news.ycombinator.com
    SAN news.ycombinator.com
    Valid from Sat, 24 Aug 2024 17:37:55 GMT
    Valid until Tue, 26 Aug 2025 17:37:55 GMT
    Issuer mitmproxy
The same request through mitm-java-proxy says:
    Certificate: Subject Alternative Name missing
    The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.
Hi @caluml, thank you for the hint, sounds promising. Will look into what we can do.
@caluml
Pls let me know exactly how I can repro it. I would like to check the update, if it is still a problem or not.
Hi @tkohegyi
Sure.
I made a simple new project with mitm-java-proxy 2.5.27.114 as a dependency. The main class was just:

    public static void main(String[] args) throws Exception {
        ProxyServer proxyServer = new ProxyServer();
        proxyServer.setPort(8080);
        proxyServer.start(100000);
    }

And run this.
Run Chromium (or Chrome?) specifying the proxy
    chromium --proxy-server=127.0.0.1:8080
and in the settings import the cybervillainsCA.cer cert as a CA cert (trusted to identify websites)
Then go to any https site, and you should get the error I mentioned. You should see this in the certificate details:
    Issued to:
        Common Name (CN) site.name.whatever
        Organization (O) CyberVillainsCA
        Organizational Unit (OU) Test
    Issued by:
        Common Name (CN)
        Organization (O) CyberVillians.com
        Organizational Unit (OU) CyberVillians Certification Authority
If you use F12 in Chromium, you can see the Security tab in the Dev tools, which will give you the information about the missing SAN:
This page is not secure (broken HTTPS).
Certificate - Subject Alternative Name missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address
Certificate - missing
This site is missing a valid, trusted certificate (net:ERR_CERT_COMMON_NAME_INVALID)
I'm guessing that the SAN extension isn't being added when the certificate is generated on the fly. There's a bit more information about it on https://en.wikipedia.org/wiki/Subject_Alternative_Name which says that the commonName is deprecated, and the SAN is now the preferred way of adding DNS names to certificates.
Hope this is OK.
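What the guess above describes, as an added example that is not code from this thread, PR #23 or mitm-java-proxy: a leaf certificate issued with and without a subjectAltName extension, including the iPAddress form needed when the host is an IP literal. It assumes BouncyCastle (bcprov and bcpkix) on the classpath; the class name, CA name and hosts are constructed for illustration.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Added example (hypothetical class, not mitm-java-proxy code). Assumes BouncyCastle is available.
public class SanLeafCertDemo {
    /** Issues a short-lived leaf for host, optionally with the SAN entry that browsers match against. */
    static X509Certificate issueLeaf(String host, boolean withSan, X500Name issuer, PrivateKey caKey,
                                     PublicKey leafKey) throws Exception {
        Date notBefore = new Date(System.currentTimeMillis() - 60_000L);
        Date notAfter = new Date(System.currentTimeMillis() + 24L * 60 * 60 * 1000);
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                issuer, new BigInteger(64, new SecureRandom()), notBefore, notAfter,
                new X500Name("CN=" + host), leafKey);
        if (withSan) {
            // IP literals need an iPAddress entry; every other host is a dNSName.
            boolean isIp = host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
            GeneralName name = new GeneralName(isIp ? GeneralName.iPAddress : GeneralName.dNSName, host);
            builder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(name));
        }
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(caKey);
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair ca = gen.generateKeyPair();    // constructed throwaway CA key
        KeyPair leaf = gen.generateKeyPair();  // constructed leaf key
        X500Name issuer = new X500Name("CN=Demo Interception CA");  // constructed CA name
        for (String host : new String[] {"site.example", "192.0.2.10"}) {
            for (boolean withSan : new boolean[] {false, true}) {
                X509Certificate cert = issueLeaf(host, withSan, issuer, ca.getPrivate(), leaf.getPublic());
                // A null result means no SAN extension, the case Chromium reports as missing.
                System.out.println(host + " withSan=" + withSan + " SAN=" + cert.getSubjectAlternativeNames());
            }
        }
    }
}
```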
@tkohegyi
Redid the PR - #23 better matches your formatting, and doesn't have the getFirst() in it.
Hi @caluml thank you - this code requires a bit more update, but the SAN issue will be addressed - thank you for your report and suggestion + PR.
@caluml pls check
Will be in the next release.
I have imported the cybervillainsCA.cer from the website.magyar:mitm-java-proxy:2.5.27.114 jar into Chromium 120.0.6099.224.
But trying to go to any https site in Chromium gives an error:
    Your connection is not private
    Attackers might be trying to steal your information from google.com (for example, passwords, messages, or credit cards). Learn more
    NET::ERR_CERT_COMMON_NAME_INVALID
Is there something I am doing wrong/have missed out?