OpenSSL error from bufferevent: tlsv1 alert unknown ca #131
Comments
For some reason your client is sending a TLSv1 alert "unknown ca" (TLS alert code 48, always fatal) instead of completing the handshake. Why it does this, I don't know. Can you find any information in a client-side debug log? Interesting would be information on the reason for aborting the handshake with TLS alert 48. If this is only traffic from one specific app that connects to specific server infrastructure directly related to the app, it is entirely possible that the app does certificate and/or CA pinning in order to thwart MitM attacks.
I committed 1d267e6 to
Do you mean client side as in the Android device? I will compile with the pxyconn.c (1d267e6) from devel to see where the event comes from and get back to you on that. Thanks a lot for the help and quick response!
Yes, with client-side debug log I mean the application and/or the OS that is initiating the SSL connection that you are intercepting, so either the closed-source App you are reviewing or possibly Android itself.
Just built from dev and I got
The problem seems to be the Android side. I will look further into the log files but it will take me some time. Would it be possible to have a "resume on error" option that logs the "tlsv1 alert unknown ca" and retries by passing the original cert so the source connection doesn't fail and later data on other sites/ports from apps might be extracted? And except looking at log files, do you have any other ideas on getting around this?
HSTS can be the reason for a client to reject a connection with that alert message. You can try to flush the HSTS cache and make sure the device is only connecting through sslsplit https/http proxy specs so HSTS is prevented. The "resume on error" idea is not trivial because the client aborted the connection. We cannot control the client's behaviour after a connection fails. For browsers, an error message would be the norm. We could keep a list of client IPs that sent us an unknown CA alert and prevent them from being intercepted in the future, but this is a very ugly solution both because it requires the management of state and because IP based decision making will cause many connections to be exempted unnecessarily (multiple browsers/apps on same system, multiple clients behind NAT, etc). I will close the issue since it is not a problem in sslsplit itself. If you find that there is something sslsplit can do to make your client like its certificate better, please re-open/comment.
Note that your choice of CA certificate related algorithms may be an issue too (use of obsolete algorithms or keysizes).
Thank you for the clear explanation. Request: I would like to see the 'Error from src bufferevent: 0:- 336151576:1048:tlsv1 alert unknown ca:20:SSL routines:148:SSL3_READ_BYTES' be logged to the log file instead of the logfile being empty. Is this a possibility?
Makes sense, I moved your suggestion to a separate issue.
I can't seem to get HTTPS for all sources using sslsplit-0.5.0 on Ubuntu 14.04 when trying to see an Android App.
For the empty logs it seems to generate the following message:
Error from bufferevent: 0:- 336151576:1048:tlsv1 alert unknown ca:20:SSL routines:148:SSL3_READ_BYTES
I set up an ethernet bridge between 2 ethernet devices.
I generated the certs using:
Installed the cert on the android device using: Settings > Security > Install From SD Card (For VPN & Apps)
Port forwards:
and start sslsplit using:
Debug:
Working:
ERROR:
I can see HTTP traffic logs and HTTPS traffic logs, but SOME of the HTTPS logs are empty (0 bytes).
Am I doing something wrong or forgetting a step or is there another fix that I'm missing? Or is there any way I can get around this error?
Also when this happens, the data is not passed through the proxy, and if there is authentication data in the package the app or site will fail.
If any more info is needed, please inform me.
Thank you in advance
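One way to make those bufferevent error lines actionable, added here as an example and not code from sslsplit or from anyone in this thread: the big number in the line is an OpenSSL packed error code whose library, function and reason fields are also printed next to it, and reason codes of 1000 and above are TLS alerts received from the peer (1048 is alert 48, unknown_ca, the alert discussed in the comments above). The script decodes the two lines quoted in this issue plus a constructed handshake_failure line and counts alerts per connection side, so a defender running an interception lab can tell whether the client (src) or the upstream server (dst) refused the certificate. The line format is assumed from what is quoted on this page and from OpenSSL 1.0.x/1.1.x error packing; the optional "src"/"dst" tag assumes the devel build labels both sides the way the "src" line quoted above is labelled.

```python
"""Decode sslsplit 'Error from bufferevent' log lines into TLS alert names."""
import re
from collections import Counter

# TLS alert descriptions from RFC 5246, section 7.2 (subset).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
}

# OpenSSL reports a received alert N as SSL reason code 1000 + N.
SSL_AD_REASON_OFFSET = 1000


def unpack_openssl_error(code):
    """Split an OpenSSL 1.0.x/1.1.x packed error code into (lib, func, reason).

    ERR_PACK stores the library in the top 8 bits, the function in the next
    12 bits and the reason in the low 12 bits.  OpenSSL 3 dropped the function
    field, so this applies to older builds such as the one in this issue.
    """
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


# Assumed format, taken from the lines quoted in the issue:
# Error from [src|dst ]bufferevent: <errno>:<strerror> <sslerr>:<reason>:
#   <reason str>:<lib>:<lib str>:<func>:<func str>
LINE_RE = re.compile(
    r"Error from (?:(?P<side>src|dst) )?bufferevent: "
    r"(?P<errno>\d+):(?P<strerror>.+?) (?P<sslerr>\d+):(?P<reason>\d+):"
    r"(?P<reason_str>[^:]*):(?P<lib>\d+):(?P<lib_str>[^:]*):"
    r"(?P<func>\d+):(?P<func_str>.*)$"
)


def parse_line(line):
    """Return a dict describing the error, or None for unrelated log lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m.group("sslerr"))
    lib, func, reason = unpack_openssl_error(code)
    rec = {
        "side": m.group("side"),          # None when the build does not tag sides
        "errno": int(m.group("errno")),
        "sslerr": code,
        "lib": lib, "func": func, "reason": reason,
        "reason_str": m.group("reason_str"),
        # Cross-check: the unpacked fields must match what OpenSSL printed.
        "packed_consistent": (reason == int(m.group("reason"))
                              and lib == int(m.group("lib"))
                              and func == int(m.group("func"))),
        "alert": None, "alert_name": None,
    }
    if reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        rec["alert"] = alert
        rec["alert_name"] = TLS_ALERTS.get(alert, "alert_%d" % alert)
    return rec


def summarize(lines):
    """Count received TLS alerts per side ('?' when the line carries no side).

    An unknown_ca alert on src means the intercepted client rejected the forged
    certificate chain (pinning, HSTS, untrusted CA); on dst it means the
    upstream server rejected sslsplit's own connection.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["alert"] is not None:
            counts[(rec["side"] or "?", rec["alert_name"])] += 1
    return counts


# Constructed sample log: the two lines quoted in this issue plus a made-up
# server-side handshake_failure (reason 1040, packed as 0x14094410).
SAMPLE_LOG = [
    "Error from bufferevent: 0:- 336151576:1048:tlsv1 alert unknown ca:20:SSL routines:148:SSL3_READ_BYTES",
    "Error from src bufferevent: 0:- 336151576:1048:tlsv1 alert unknown ca:20:SSL routines:148:SSL3_READ_BYTES",
    "Error from dst bufferevent: 0:- 336151568:1040:sslv3 alert handshake failure:20:SSL routines:148:SSL3_READ_BYTES",
    "Connected to [203.0.113.10]:443",  # unrelated line, ignored by the parser
]

if __name__ == "__main__":
    for (side, name), n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-4s %-20s %d" % (side, name, n))
```

Run it against a real sslsplit debug log (`sslsplit -D ... 2> debug.log`, then feed the file's lines to `summarize`) and a steady stream of `src unknown_ca` for one client with no matching `dst` errors is the signature of the situation in this issue: the server side handshakes fine, the device itself refuses the CA.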