Output of mitmdump -v --port 8080:
192.168.27.109:53953: clientconnect
192.168.27.109:53953: Set new server address: ('graph.facebook.com', 443)
192.168.27.109:53953: serverconnect
-> graph.facebook.com:443
192.168.27.109:53953: Establish TLS with server
192.168.27.109:53953: ALPN selected by server: http/1.1
192.168.27.109:53953: Establish TLS with client
192.168.27.109:53953: ALPN for client: b'http/1.1'
192.168.27.109:53953: CONNECT graph.facebook.com:443
<< Cannot establish TLS with client (sni: graph.facebook.com): TlsException("SSL handshake error: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate unknown')],)",)
192.168.27.109:53953: serverdisconnect
-> graph.facebook.com:443
192.168.27.109:53953: clientdisconnect
I've verified my brew-installed python3 uses the brew-installed openssl lib:
$ python3
Python 3.6.0 (default, Dec 24 2016, 08:01:42)
[GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.2k 26 Jan 2017'
I tried removing and installing the mitm.it cert on my iphone - no luck.
Using a brew-installed curl with openssl from my Macbook (so not my iphone) I am able to query a TLS resource. Below is a curl to google.com, but it also works for graph.facebook.com (the resource mentioned in the reproduction block above).
curl -kv --proxy localhost:8080 https://google.com
* Rebuilt URL to: https://google.com/
* Trying ::1...
* TCP_NODELAY set
* Connection failed
* connect to ::1 port 8080 failed: Connection refused
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to (nil) (127.0.0.1) port 8080 (#0)
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.nl:443
> User-Agent: curl/7.52.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/etc/openssl/cert.pem
CApath: /usr/local/etc/openssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=*.google.com
* start date: Feb 1 21:09:31 2017 GMT
* expire date: Feb 3 21:09:31 2020 GMT
* issuer: CN=mitmproxy; O=mitmproxy
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET / HTTP/1.1
> Host: google.nl
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://www.google.com/
< Content-Type: text/html; charset=UTF-8
< Date: Fri, 03 Feb 2017 21:10:24 GMT
< Expires: Sun, 05 Mar 2017 21:10:24 GMT
< Cache-Control: public, max-age=2592000
< Server: gws
< Content-Length: 219
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Alt-Svc: quic=":443"; ma=2592000; v="35,34"
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
* Curl_http_done: called premature == 0
* Connection #0 to host (nil) left intact
Digging even deeper I finally found the cause. My certs in ~/.mitmproxy were expired. After removing that dir, starting mitmproxy and re-installing the ca cert on my iphone it all worked.
I have created a separate ticket (https://github.com/mitmproxy/mitmproxy/issues/1987) for checking for expired certs in ~/.mitmproxy.
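The root cause above was an expired CA in ~/.mitmproxy, which the client rejects with a "certificate unknown" alert. The following is an added example, not mitmproxy's own code, that reads the validity window of a PEM certificate such as mitmproxy-ca-cert.pem using only the standard library; `sample_cert` builds a constructed, unsigned DER skeleton so the check can be exercised offline (the helper names and the default path are assumptions).

```python
import base64
import datetime
import re

def pem_to_der(pem: str) -> bytes:
    """Base64-decode the first CERTIFICATE block in PEM text (e.g. ~/.mitmproxy/mitmproxy-ca-cert.pem)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag: int, raw: bytes) -> datetime.datetime:
    """Decode UTCTime (0x17, two-digit year) or GeneralizedTime (0x18) into an aware UTC datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=datetime.timezone.utc)

def cert_validity(der: bytes):
    """Walk Certificate -> TBSCertificate just far enough to return (notBefore, notAfter)."""
    _, cert, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)          # TBSCertificate SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)         # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)     # serialNumber follows the explicit version
    _, _, pos = read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)         # issuer Name
    _, validity, _ = read_tlv(tbs, pos)    # Validity SEQUENCE { notBefore, notAfter }
    t1, nb, pos = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, pos)
    return parse_time(t1, nb), parse_time(t2, na)

def is_expired(der: bytes, now: datetime.datetime = None) -> bool:
    """True when notAfter lies before now (defaults to the current UTC time)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return now > cert_validity(der)[1]

def sample_cert(not_before: str, not_after: str) -> bytes:
    """Constructed fixture: minimal unsigned DER certificate skeleton with the given UTCTime strings."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths are enough here
    validity = tlv(0x30, tlv(0x17, not_before.encode()) + tlv(0x17, not_after.encode()))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") + tlv(0x30, b"") + validity
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

For a real file: `is_expired(pem_to_der(open(path).read()))`; the equivalent one-liner with the OpenSSL CLI is `openssl x509 -in <cert> -noout -checkend 0`.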
I'm getting this error using an Android as the client. For me, I installed the certificate (3 times) today so it can't have expired. Any ideas?
<< Cannot establish TLS with client (sni: mdh-pa.googleapis.com): TlsException("SSL handshake error: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate unknown')],)",)
The device connects briefly but disconnects quickly. Any help would be greatly appreciated!
I have the same issue as @rsewell97, but with another url.
If we enable --verbose mode we can see that one request goes through with no TLS handshake error, but the next gives a handshake error, and this always happens in an alternating sequence: one request succeeds, the next fails.
Starting the proxy:
mitmweb --verbose --listen-host wifi.ip.address --web-iface wifi.ip.address
Web server listening at http://wifi.ip.address:8081/
No web browser found. Please open a browser and point it to http://wifi.ip.address:8081/
Proxy server listening at http://wifi.ip.address:8080
Succeeded:
mobile.device.ip.address:37767: clientconnect
mobile.device.ip.address:37767: Set new server address: free.currencyconverterapi.com:443
mobile.device.ip.address:37767: Establish TLS with client
mobile.device.ip.address:37767: request
-> Request(GET /api/v6/convert?q=GBP_EUR&compact=ultra&apiKey=ommited)
mobile.device.ip.address:37767: serverconnect
-> ('free.currencyconverterapi.com', 443)
mobile.device.ip.address:37767: Establish TLS with server
mobile.device.ip.address:37767: ALPN selected by server: -
mobile.device.ip.address:37767: response
-> Response(200 OK, application/json; charset=utf-8, 20b)
mobile.device.ip.address:37767: serverdisconnect
-> ('free.currencyconverterapi.com', 443)
mobile.device.ip.address:37767: clientdisconnect
Failed:
mobile.device.ip.address:46876: clientconnect
mobile.device.ip.address:46876: Set new server address: free.currencyconverterapi.com:443
mobile.device.ip.address:46876: serverconnect
-> ('free.currencyconverterapi.com', 443)serverconnect
mobile.device.ip.address:46876: Establish TLS with server
mobile.device.ip.address:46876: Establish TLS with client
mobile.device.ip.address:46876: serverdisconnect
-> ('free.currencyconverterapi.com', 443)
mobile.device.ip.address:46876: clientdisconnect
Now if we look closely we can see that on the request that fails, the serverconnect, Establish TLS with client, and Establish TLS with server don't happen in the same sequence, plus other entries are missing in the failed request.
Any idea why this is happening, because if I use another proxy I don't have this issue.
I tried different ways of starting the proxy and all reveal the same issue, and yes, I installed the mitmproxy certificate on the device as instructed in the docs.
The mobile device is running Android 4.3.
Refer to this SO post to use tls_passthrough.py, such as:
mitmproxy -s tls_passthrough.py
Passing TLS through can fix this problem.