Skip to content

1.5. SSL TLS MITM using CANAPE

Koutto edited this page Jun 13, 2017 · 4 revisions

CANAPE support SSL/TLS deciphering; thus it can be used to perform man-in-the-middle on an encrypted channel. To do so, it is just necessary to add a layer "SSL Network Layer" to the SOCKS proxy in CANAPE. This layer must be configured on the correct port.

Nevertheless, it is still possible that the tested application stops working correctly and trigger some alerts. This behavior actually means that the application verifies the validity of the SSL/TLS certificate that it receives. Since the Certificate Authority used to sign the CANAPE's certificate is not into the trusted CA store, the application rejects the CANAPE's certificate. In order to bypass this, it is usually necessary to add the CANAPE CA's certificate into the Windows trusted CA store (available via "Start > Run > certmgr.msc"): to do so, just use the feature "Trust > Install Root Cert" in CANAPE.

In the case where the application embeds the server's certificate (usually inside the installation directory), it should be replaced by the CANAPE's certificate.

Moreover, if the thick client is using JAVA technology, the CANAPE CA'certificate should be added into the JAVA Keystore, using the binary "keytool.exe" with the following command:

keytool.exe –importcert –file canape_root_ca.cer –keystore keystore_file

You can’t perform that action at this time.