No internet connection in Android after using Mitmproxy - proxy

I have configured the Android phone (Samsung Galaxy S8) to use the proxy. I can connect to mitm.it. I can also see some requests captured by mitmproxy.
However, I get no internet connection when I try to search for anything in Google.
Any hints on what happened and how to fix it?

Android 7.1 and higher no longer allow the use of custom certificates manually added by the user, but if you have a phone with superuser access, you can make it work via ADB.
Android stores its system certificates in /system/etc/security/cacerts/. If you take a look at your device, you will see that the certificates have hashed names, e.g. "a1234b0d.0". To intercept app traffic, you need to find out the hash of your certificate:
openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.pem | head -1
Then rename your certificate accordingly:
mv mitmproxy-ca-cert.pem <your_hash_value_in_here_without_carets>.0
And finally move it to where your device's system certificates are. For this, however, you need to remount the system directory first in order to get write access:
adb shell su -c "mount -o rw,remount /system"
adb push your_certificate /sdcard/your_certificate
adb shell su -c "mv /sdcard/your_certificate /system/etc/security/cacerts/your_certificate"
adb shell su -c "chmod 644 /system/etc/security/cacerts/your_certificate"
adb reboot
If that doesn't work: I remember reading (though not where) that Android Nougat also disregards certificates that expire in more than 2 years. The certificates created by mitmproxy should be fine. Burp Suite or Fiddler ones did not work for me, though.
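The steps of the answer above as one script, added here as an example (it is not the answerer's code). It assumes openssl and adb on PATH, a device with a working su, and a CA exported by mitmproxy (default path ~/.mitmproxy/mitmproxy-ca-cert.pem); the /tmp staging directory in the usage comment is a placeholder. It adds two checks the answer skips: it refuses to install anything that is not a CA certificate, and it restores ownership and the read-only mount after copying.

```bash
#!/bin/sh
# Added example, not code from the answer above: install a mitmproxy CA as a
# system certificate on a rooted Android device. Assumes openssl and adb on
# PATH, a device with a working `su`, and a CA exported by mitmproxy
# (default path ~/.mitmproxy/mitmproxy-ca-cert.pem).
set -e

# Android names files in /system/etc/security/cacerts after OpenSSL's
# "old" subject hash: eight hex digits plus ".0". Derive that name.
android_ca_filename() {
    pem="$1"
    hash=$(openssl x509 -inform PEM -noout -subject_hash_old -in "$pem")
    printf '%s.0\n' "$hash"
}

# Refuse anything that is not a CA certificate: a leaf certificate in
# cacerts is useless and only widens what the device trusts.
is_ca_cert() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'CA:TRUE'
}

# Copy the PEM into outdir under its Android name and print the new path.
prepare_android_ca() {
    pem="$1"; outdir="$2"
    is_ca_cert "$pem" || { echo "$pem is not a CA certificate" >&2; return 1; }
    name=$(android_ca_filename "$pem")
    cp "$pem" "$outdir/$name"
    printf '%s\n' "$outdir/$name"
}

# Push a prepared file into the system store (needs root on the device).
# Not exercised by the test; it mirrors the adb steps in the answer and
# additionally fixes ownership and remounts /system read-only afterwards.
install_system_ca() {
    local_file="$1"
    name=$(basename "$local_file")
    adb push "$local_file" "/sdcard/$name"
    adb shell su -c "mount -o rw,remount /system"
    adb shell su -c "cp /sdcard/$name /system/etc/security/cacerts/$name"
    adb shell su -c "chmod 644 /system/etc/security/cacerts/$name"
    adb shell su -c "chown root:root /system/etc/security/cacerts/$name"
    adb shell su -c "mount -o ro,remount /system"
    adb shell "rm /sdcard/$name"
    adb reboot
}

# After the reboot the file must be listed here, and Settings > Security >
# Trusted credentials > System should show the mitmproxy CA.
verify_system_ca() {
    adb shell "ls -l /system/etc/security/cacerts/$(basename "$1")"
}

# Usage:
#   f=$(prepare_android_ca ~/.mitmproxy/mitmproxy-ca-cert.pem /tmp)
#   install_system_ca "$f" && verify_system_ca "$f"
```

Run the verify step only after the reboot; the store is read at boot, so a file that is listed but was copied into a live system will not be trusted until then.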

Google apps use certificate pinning, so they can detect the "fake" certificate from http://mitm.it/cert/pem that you downloaded to your phone.

Related

Unable to Fetch Keychain Certificate Information from mac

I am facing a weird issue with a command-line application created in Xcode. I am running a script to fetch the expiry date of one of the certificates available in Keychain Access on Mac using the command below:
security find-certificate -c "CertificateNameHere" -p | openssl x509 -text | grep "Not After"
When I run it locally through Xcode I am able to fetch the date. But when I run the app as a service from one of the Library folders, the expiry date is not fetched. Instead I get an error:
PEM routines:CRYPTO_internal:no start line:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/crypto/pem/pem_lib.c:684:Expecting: TRUSTED CERTIFICATE
though the certificate is trusted.
I tried a lot of solutions, like Trying to find a proper solution to get the expiry date of one the certificates available in keychain, but with no luck. So I am posting it on Stack Overflow. I tried another solution using the Mac Xcode Security framework to fetch the date in Swift, but the issue persists.
The probable reason for your trouble is access permissions.
When the script is run as a service it runs as another user with a different (or no) environment context (like a crontab service).
You can fix this by running the service as the proper login user, and initializing the service by sourcing the respective .profile or .bash_profile script.
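An added example (not from the question or the answer) of the same lookup written so that the failure mode is reported for what it is. OpenSSL's "no start line ... Expecting: TRUSTED CERTIFICATE" means it was handed no PEM at all, which is what happens when security find-certificate finds nothing in the keychains visible to the service. The example therefore checks for a PEM header before piping to openssl and names the keychain explicitly; the System keychain default, the certificate name and the use of the macOS security tool are assumptions for illustration.

```bash
#!/bin/sh
# Added example, not code from the thread above: read a certificate's
# expiry from a macOS keychain and fail with a clear message when the
# lookup returns nothing. Assumes macOS `security` and openssl; the
# keychain path and certificate name are placeholders.

# Parse "Not After" from PEM text. openssl's "no start line ... Expecting:
# TRUSTED CERTIFICATE" means it was handed no PEM at all, so check for the
# PEM header first and report that instead.
pem_not_after() {
    pem="$1"
    case "$pem" in
        *"-----BEGIN CERTIFICATE-----"*) ;;
        *) echo "no certificate PEM on input (keychain lookup returned nothing?)" >&2; return 1 ;;
    esac
    printf '%s\n' "$pem" | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Look the certificate up in an explicit keychain. A launchd daemon has no
# login keychain, so the System keychain is the default here rather than
# whatever `security` would pick for the current session.
keychain_cert_not_after() {
    name="$1"
    keychain="${2:-/Library/Keychains/System.keychain}"
    pem=$(security find-certificate -c "$name" -p "$keychain" 2>/dev/null || true)
    pem_not_after "$pem"
}

# Usage: keychain_cert_not_after "CertificateNameHere"
```

If the certificate really lives in the user's login keychain, pass that keychain path as the second argument and run the service as that user, as the answer above suggests.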

Installing a cert with nss-certutil during our install "sort of" failing with firefox 58

With the latest upgrade of Firefox (version 58), our product install has begun "failing" on Firefox. Basically, our installer code queries Firefox to see if our cert is already installed, with nss-certutil -L -n name, and if it is not found we then install the cert with nss-certutil -A ....
This is a "root" cert that we have self-signed, and it is only used for communication with a local node server. This has worked fine up until now (I can duplicate it in version 58, maybe 57 as well, going by some customer reports). The install script runs without error, but Firefox cannot connect using the secure connection to the node server.
Looking at the list of installed certs from options/security/certificates, it's not there, but if I run nss-certutil -L -n name it is listed.
Evidently the profiles have changed in version 58 but I can not find anything that would relate to this.
Another piece of info is I can manually import the cert, and that works, so the cert itself seems to be fine.
Puzzled and out of ideas. Any thoughts?
It looks like the latest FF uses an SQLite database for certificate trust, but nss-certutil by default uses the legacy format.
You need to specify an explicit 'sql:' prefix before the FF profile path. Example:
-A -n "Test CA" -i "C:\test\ca1.cer" -t "CT,," -d sql:"C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\mgr140m4.default"
Please refer to
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil and the -d option description.

How to install one certificate automated into Firefox store?

I have an app (.NET) that automatically adds a certificate to the Windows root store via:
X509Store rootStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
rootStore.Open(OpenFlags.ReadWrite);
rootStore.Add(certificate);
rootStore.Close();
Internet Explorer then knows this certificate. But Firefox doesn't, as it has its own certificate store.
Is there any way to accomplish this without overriding the current Firefox certificates (I read somewhere to copy cert8.db, but that's not possible due to multiple customers)?
I simply want to automatically "add" one certificate to the Firefox store.
Thank you in advance.
You can use NSS to manage certificates on the local install. Not sure how well it plays with .NET (if at all), but if the environment is predictable you could probably resort to running an executable.
A first try, which already works nearly as I want:
The documentation is here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
I downloaded the binaries from:
https://www.felixrr.pro/wp-content/uploads/2012/06/nss-3.13.5-nspr-4.9.1-compiled-x86.zip
Then I ran the following commands from within the extracted zip directory (otherwise CMD would use the certutil of Windows), which worked:
// Add certificate to cert8.db (DB will be reloaded on next FF start)
certutil.exe -A -n "SomeName" -t "Cu,p,p" -i "C:\Test\cert.pem" -d "%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\5drs48sb.default"
// Show all certificates in cert8.db
certutil.exe -L -d "%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\5drs48sb.default"
After restarting FF I could successfully navigate to my SSL page without a certificate error.
The only command that didn't work yet is the delete command, which returns the error 'certutil.exe: could not find certificate named "SomeName": security library: bad database.':
certutil.exe -D -n "SomeName" -d "%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\5drs48sb.default"
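An added example covering both certutil threads above (it is not code from either question or answer): it enumerates the profiles from profiles.ini, picks the -d database spec per profile (sql: for a cert9.db profile as in the Firefox 58 answer, dbm: for a legacy cert8.db profile), adds the CA only when the nickname is absent, and offers the matching -D removal. It assumes certutil (nss-tools / libnss3-tools) on PATH and the usual profiles.ini layout; the nickname, CA path and trust flags are placeholders.

```bash
#!/bin/sh
# Added example, not code from either answer above: install a CA into every
# Firefox profile on a machine with NSS certutil, choosing the database
# format per profile. Assumes certutil (nss-tools / libnss3-tools) on PATH
# and the usual profiles.ini layout; nickname and CA path are placeholders.

# List profile directories from a profiles.ini. Path= is relative to the
# ini's directory unless the section says IsRelative=0.
firefox_profiles() {
    ini="$1"
    awk -v base="$(dirname "$ini")" '
        function flush() { if (path != "") print (rel ? base "/" path : path); path = "" }
        { sub(/\r$/, "") }
        /^\[/ { flush(); rel = 1 }
        /^IsRelative=0/ { rel = 0 }
        /^Path=/ { path = substr($0, 6) }
        END { flush() }
    ' "$ini"
}

# Database spec for -d: Firefox 58+ stores trust in cert9.db (SQLite) and
# needs the sql: prefix; the legacy cert8.db wants dbm:. Use the prefix that
# matches the files actually present in the profile.
nss_db_dir() {
    profile="$1"
    if [ -f "$profile/cert9.db" ]; then
        printf 'sql:%s\n' "$profile"
    elif [ -f "$profile/cert8.db" ]; then
        printf 'dbm:%s\n' "$profile"
    else
        printf 'sql:%s\n' "$profile"   # fresh profile: let certutil create the modern format
    fi
}

# Add the CA with trust "C,," (trusted to issue TLS server certificates,
# nothing else) unless that nickname is already present.
firefox_add_ca() {
    profile="$1"; nick="$2"; cafile="$3"
    db=$(nss_db_dir "$profile")
    if certutil -L -d "$db" -n "$nick" >/dev/null 2>&1; then
        echo "$profile: '$nick' already installed" >&2
        return 0
    fi
    certutil -A -d "$db" -n "$nick" -t "C,," -i "$cafile"
}

# Remove it again by nickname, using the same database spec as the add.
firefox_remove_ca() {
    certutil -D -d "$(nss_db_dir "$1")" -n "$2"
}

# Apply to every profile. Firefox must be closed, or restarted afterwards,
# for the change to take effect.
firefox_add_ca_all() {
    ini="$1"; nick="$2"; cafile="$3"
    firefox_profiles "$ini" | while IFS= read -r profile; do
        firefox_add_ca "$profile" "$nick" "$cafile"
    done
}

# Usage (Linux):   firefox_add_ca_all ~/.mozilla/firefox/profiles.ini "Test CA" /path/to/ca.pem
# Usage (Windows): the ini lives at %APPDATA%\Mozilla\Firefox\profiles.ini
```

Trust flags are the part worth thinking about: "C,," trusts the CA for TLS server certificates only, whereas "CT,," from the answer above additionally lets it sign client certificates, and "Cu,p,p" from the other thread marks it as a user certificate for email and code signing as well. Grant only the use the local node server actually needs.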

Do you want the application "WebStorm.app" to accept incoming network connections?

WebStorm keeps asking to accept incoming network connections on Mac OS X Yosemite.
I had to create my own certificate in Keychain Access, then 'codesign' WebStorm via the terminal.
Open Keychain Access (Applications/Utilities)
Keychain Access > Certificate Assistant > Create a Certificate
Add 'your certificate name' > Identity Type 'Self Signed Root' > Certificate Type 'Code Signing'
Open Terminal
$ sudo codesign -s "your certificate name" -f /Applications/WebStorm.app/
Restart computer (not always)
Open WebStorm.app
Accept incoming network connections for the last time
The same process should work for any JetBrains IDE e.g. PhpStorm, PyCharm, etc.
Such errors usually indicate a broken application signature. They may occur after changing Info.plist or other files in the WebStorm installation directory.

Docker on Mac behind proxy that changes ssl certificate

My eventual workaround for the issue below was to convince our IT guys not to man-in-the-middle the Docker Hub registry. I was not able to get anything else to work, alas.
I am running into a problem with my initial attempt to get Docker running on my Mac at work, which is running 10.8.5. It appears that my company's certificate-rewriting proxy is getting in the way of fetching images:
orflongpmacx8:docker pohl_longsine$ docker run hello-world
Unable to find image 'hello-world:latest' locally
Pulling repository hello-world
FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth")
(Indeed, when I log onto the guest wireless – which does not have the meddlesome proxy – I can get past this step. However, I need to figure out how to make this work through the proxy since using the guest wireless is untenable as a long-term solution.)
My issue, on the surface, appears to be very much like the one answered in this question. However, the accepted answer in that question does not work for me, since the root_unix.go file they discuss does not get invoked on a Mac. (From browsing around, I would guess that root_cgo_darwin.go and/or root_darwin.go would be involved instead.)
That doesn't really tell me how, operationally, I need to do the equivalent work of installing some sort of trusted certificate. I managed to get my hands on a *.cer file that I believe to be the one that I need, but I'm at a loss as to what to do with it.
I'm hoping that someone can point me in the right direction.
Edit: I thought that maybe I needed to do something akin to what this page suggests, to add the certificate. Alas, my attempt at following those instructions failed in the following way:
orflongpmacx8:docker pohl_longsine$ sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "~/Desktop/Certs/redacted.cer"
Password:
***Error reading file ~/Desktop/Certs/redacted.cer***
Error reading file ~/Desktop/Certs/redacted.cer
Edit 2: I may have come one step closer to solving this. I should have known better than to use a path with a tilde inside quotation marks. If I use an absolute path instead, I can successfully run the above command to add certs.
Alas, this did not alleviate the ultimate symptom:
FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth")
According to the boot2docker README:
Insecure Registry
As of Docker version 1.3.1, if your registry doesn't support HTTPS, you must add it as an insecure registry.
$ boot2docker init
$ boot2docker up
$ boot2docker ssh
$ echo 'EXTRA_ARGS="--insecure-registry <YOUR INSECURE HOST>"' | sudo tee -a /var/lib/boot2docker/profile
$ sudo /etc/init.d/docker restart
Then you should be able to do a docker push/pull.
The source of http://golang.org/src/crypto/x509/root_darwin.go shows that the command:
cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain")
is used to find the certificates.
Try adding the .cer file into the OS X certificate keychain.
If you use docker-machine, edit $USER/.docker/machine/machines/default/config.json:
"EngineOptions": {
"InsecureRegistry": [
"XXX.XXX.virtual"
],
}
