mitmproxy for says 'sslv3 alert certificate unknown' for traffic from Android #5458

Closed
hinxx opened this issue Jul 15, 2022 · 3 comments

hinxx commented Jul 15, 2022

Problem Description

The MITM proxy that the Android device wants to use reports sslv3 alert certificate unknown after installing the mitmproxy CA certificate according to the #2054 and #4838 comments. The certificate is installed under trusted System credentials (not user), in the /system/etc/security/cacerts/c8750f0d.0 file:

-rw-r--r-- 1 root root 4267 2022-07-15 18:45 c8750f0d.0

A message like this is displayed for every request originating from the Android device.

Client TLS handshake failed. The client does not trust the proxy's certificate for graph.facebook.com (OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))

I've tested the mitmproxy access to the same site from a PC web browser and it works as expected, and I can see the traffic in mitmproxy without any errors/warnings in the event log (with the same certificate). It does not seem like a mitmproxy issue, but for some reason Android apps (tried the DDG browser and another 3rd party app) do not pick up the certificate. The Android version is rather old, Android 9 from 2019, Lineage OS 16.0. I was using mitmproxy with this exact Android device a couple of years ago and it worked fine (I had to reinstall the MITM proxy certificates today FWIW).

System Information

$ ./mitmproxy --version
Mitmproxy: 8.1.1 binary
Python:    3.10.5
OpenSSL:   OpenSSL 3.0.3 3 May 2022
Platform:  Linux-5.4.0-121-generic-x86_64-with-glibc2.27

hinxx commented Jul 16, 2022

After following https://docs.mitmproxy.org/stable/concepts-certificates/#certificate-pinning (objection method) to unpin the certificates in the desired APKs, I was able to see the traffic in mitmproxy.
I had to do this for the DDG app, too (IIRC, this was not the case a couple of years ago, but now it seems it is a must)!
Apologies for the noise.

hinxx closed this as completed Jul 16, 2022
@gokaybiz

Are there any certificate unpinning methods for .net applications?

Makariy commented Mar 13, 2023

Hello, maybe a bit late, but I faced the same problem.

Before mitmproxy I was using HTTP Toolkit and it worked just fine for every application I needed on my rooted device. It could install the necessary certificate as a system one so the applications that are not using pinned certificates won't complain. The problem with mitmproxy was that trying to just manually add the certificate to /system/etc/security/cacerts/ via adb shell was not working as expected (the file was successfully added to the directory, but not shown in system certificates in settings), so I tried to find out how HTTP Toolkit does that.

Here is the source from their repository on GitHub, modified to be shown here.

Supposing that you define a variable CERT_FILE as the name of the certificate file stored in the /sdcard directory, use a script with this code:

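set -e

# Copy the existing system certificates to a temporary directory
mkdir -m 700 /data/local/tmp/htk-ca-copy
cp /system/etc/security/cacerts/* /data/local/tmp/htk-ca-copy/

# Mount an in-memory tmpfs over the system certificate directory
mount -t tmpfs tmpfs /system/etc/security/cacerts

# Move the original certificates and the new one into the tmpfs
mv /data/local/tmp/htk-ca-copy/* /system/etc/security/cacerts/
mv "/sdcard/$CERT_FILE" /system/etc/security/cacerts/

# Set owner, permissions and SELinux label on every certificate
chown root:root /system/etc/security/cacerts/*
chmod 644 /system/etc/security/cacerts/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*

# Remove the temporary copy
rm -r /data/local/tmp/htk-ca-copy
echo "System cert successfully injected"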

Here you have the instructions:

  1. Create a script "install_cert.sh" and insert the code provided before
  2. Move the script and certificate to /sdcard: adb push install_cert.sh <cert_file> /sdcard
  3. Connect to android device via adb: adb shell
  4. Switch to root: su
  5. Make the script executable: chmod +x install_cert.sh
  6. Define the certificate name: export CERT_FILE=<cert_file>
  7. Execute the script: . ./install_cert.sh

(<cert_file> is the name of the certificate file such as c8750f0d.0)

Hope someone gonna need this answer!
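
As an added example (not part of the comments above, and not mitmproxy or HTTP Toolkit code), these shell helpers check the state the script above leaves behind: whether the system trust store is covered by a tmpfs mount, and whether each file in it has the name pattern, mode and owner the script sets. The function names are hypothetical, and the name pattern assumes file names of the form c8750f0d.0 as shown in the thread.

```sh
#!/bin/sh
# Added example. CACERTS_DIR is the directory named in the thread; any sample
# file names or mount lines used to exercise these helpers are constructed.
CACERTS_DIR="${CACERTS_DIR:-/system/etc/security/cacerts}"

# Print the filesystem type of the last mount whose mount point is exactly $2,
# reading /proc/mounts-format text from file $1 (a later mount hides earlier ones).
mount_fstype() {
    awk -v mp="$2" '$2 == mp { t = $3 } END { if (t != "") print t }' "$1"
}

# Exit 0 when the trust store is covered by a tmpfs, the state left by
# `mount -t tmpfs tmpfs .../cacerts`; that overlay is gone after a reboot.
cacerts_is_overlaid() {
    [ "$(mount_fstype "${1:-/proc/mounts}" "${2:-$CACERTS_DIR}")" = "tmpfs" ]
}

# Report entries of directory $1 that differ from what the script sets up:
# name not <8 hex digits>.<digit>, mode not 644, or (when $2 is given, e.g.
# root:root) a different owner:group. Prints one finding per line.
audit_cacerts_dir() {
    dir=${1:-$CACERTS_DIR}
    want_owner=${2:-}
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case "$name" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]) ;;
            *) echo "bad-name $name"; continue ;;
        esac
        listing=$(ls -ld "$f")
        mode=$(printf '%s\n' "$listing" | cut -c1-10)
        [ "$mode" = "-rw-r--r--" ] || echo "bad-mode $name"
        if [ -n "$want_owner" ]; then
            owner=$(printf '%s\n' "$listing" | awk '{ print $3 ":" $4 }')
            [ "$owner" = "$want_owner" ] || echo "bad-owner $name"
        fi
    done
    return 0
}
```

In a root shell on the device, cacerts_is_overlaid with no arguments reads /proc/mounts, and audit_cacerts_dir "$CACERTS_DIR" root:root also checks ownership.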
