I am trying to debug one third party mobile application, specifically network calls, When I am using fiddler and charles proxy on the first network call itself. the app shows error that client certificate on the device is not trusted and ask me to switch to mobile network instead of wifi. also when I accept the risk using the same network. The app shows that there is no internet connection.
I think the app is able to detect that the ceritificate is not the orignal client cert. and thus throwing the warning. Can I download the website or app HTTPS certificate and put it in PC as well as iPhone just like I did for fiddler root certificate.
Same issue is happening with charles proxy also.
I see that you are using an iPhone, have you looked at About/Certificate Trust Settings and enabled the full trust switch after installing the (Charles) certificate?
Related
I am supposed to do a performance test for a Hybrid App.
First, from my adroid device i have modified the proxy settings by choosing Manual option and entered my system IP address as proxy server 192.168.1.10 and entered Port as 8080.
And then from Jmeter 3 i took Recording Controller Template from HTTPS Script Recorder I entered the port as 8080.
After Starting HTTPS Script Recorder when i opened my hybrid app it was not working. "Unfortunately we cannot find your account information". This means that Hybrid apps is not connecting internet through Proxy mode.
But i am able to get response from other apps installed in my android device.
I tried Neoload, Blazemeter as well https://guide.blazemeter.com/hc/en-us/articles/207420545-BlazeMeter-Proxy-Recorder-Mobile-and-web-.
But the same issue i faced every where.
Please provide me a solution to make the Hybird App work even after connecting internet through Proxy Mode.
Thanks
N Ali
You need to find out the main error using i.e. Logcat Command to narrow down the possible reasons as there could be too may of them.
The below hints are applicable for HTTPS traffic only, however I'm pretty sure that modern applications use HTTPS protocol.
You may need to use a 3rd-party application in order to set up HTTPS proxy, i.e. ProxyDroid
You will definitely need to install JMeter's self-signed certificate onto device so JMeter could decrypt and record secure traffic.
Locate ApacheJMeterTemporaryRootCA.crt under "bin" folder of your JMeter installation and transfer it to your android device (i.e. send it to yourself via the email)
Click at the attached certificate
Follow android system certificate installation dialog to get it set up
Be aware that JMeter's certificate has limited life time (7 days) so you won't be able to record secure traffic if it is expired.
More information:
HTTPS recording and certificates
Load Testing Mobile Apps Made Easy
In addition to Dimitri's answer reg JMeter, NeoLoad also has a similar CA certificate which needs to be added to the device.
You can locate this certificate from
C drive -> Users -> Username -> Appdata -> Roaming -> Neotys -> CA certificate
Copy this certificate to your device (or mail it to yourself) and install it either by directly selecting it or from the security settings.
Once the certificate is installed in the device, you should be able to record the HTTPs traffic from the application via proxy.
P.S. Ensure that you are able to view all hidden files coz by default Appdata is hidden.
Full disclosure, I asked this question over at Ask Different (https://apple.stackexchange.com/questions/96776/always-get-a-security-error-for-internal-https-website) but didn't get much helpful feedback. I'm hoping this question fits better here.
My company recently changed an internal site to use HTTPS instead of HTTP (it is our Jira site in case that matters). From what I can tell, this site is using an internal certificate. On our work computers this certificate appears to be pre installed so the website comes up without trouble in IE, Firefox, and Chrome. However, my personal computer is a Mac (OS X 10.8.4) and I am having major troubles accessing the site through any browser. I have followed instructions to install the certificate in my Keychain and I believe I have successfully done that, but I am still not able to access the site.
When Accessing the site I Get:
Chrome: Invalid Server Certificate You attempted to reach jira.surescripts.local, but the server presented an invalid certificate.
Safari: Safari can't open the page Safari can't open the page "https://jira.local:8081/" because Safari can't establish a secure connection to the server "jira.local"
In Chrome when I view the certificate information it I see: Intermediate certificate authority. Expires: Thursday, May 21, 2015 1:19:28 PM Central Daylight Time. This certificate is valid
To make sure that it wasn't something strange with our company's VPN, I installed a Windows 7 virtual machine on my Mac and installed the certificate in Windows and am able to successfully log on to the site how I always would.
I am not much of an expert with certificates and I really don't know where to go from here. Any help would be greatly appreciated! Thanks.
It almost sounds like you need to trust a self-signed certificate? Perhaps follow: https://confluence.atlassian.com/display/SOURCETREEKB/Resolving+SSL+Self-Signed+Certificate+Errors
Sefl signed certificate always triger warnings in web browsers.
To validate a server certificate you must have in the client browser the CA certificate wich was used to sign the SSL server certificate.
Your company should create a CA cert, then create a server SSL cert. signed with the CA and put it on the web server. The clients install public part of the CA cert in "Trusted CA" certificate store. When client conect to the web server the server sent the signed SSL certificate, the client check if it is a "trusted" cert (was signed by a trusted CA) and if everithing is Ok the client doesn't show the warning.
You ended with this cert chain:
CA cert->SSL cert
CA cert public part is installed in client broser as trusted CA. SSL is put in the web server. Client validate SSL cert agaist its Trusted CA certs installed in its Certificate Stores.
It is like CyberTrus CA. You can see how you have Baltimore Cyber Trust Root and Cybertrust Public SureServer SB CA installed in your computer and when you enter into https://www.bancosantander.es/cssa/Satellite?pagename=SantanderComercial/Page/SAN_Index you can see that *.bancosantander.es certificate is valid because you are trusting in the chain.
Your company needs to create the root, then create the SSL signed by the root. The root (public part) is distributed to the client for install. The server sends the SSL to client in HTTPS protocol.
Check this link for more info.
The problem is probably the encryption protocols that your Mac and the company web site don't match up.
Safari Browsers for OS X before Safari 7 (up to 6.0.7 which was on OS X 10.8.4) use the SSL 3.0 protocol, which has vulnerabilities and is considered insecure. Most newer and well-designed web sites use TLS 1.1 and/or TLS 1.2.
Browser encryption capabilities for Safari 6.0.4
Find out from your company if that is what is set up. The same site that has the specs I linked to allow you to enter a web site, and they'll throw a battery of test transactions at it to test it's security and what will connect, but I doubt you can use that for an internal site. Ask your IT folks what encryption protocols they are using.
As a solution, I believe there are versions of Firefox and/or Chrome that can run on 10.8.4 that use TLS 1.2.
List of major browser versions that support TLS 1.2
I've been playing with the twitter API for an iPhone test application, and I've missed the ability to proxy the requests I did to the twitter API with a software like Charles (http://www.charlesproxy.com/). Even though it has a SSL Proxying feature, twitter seems to not like the fact that there's a different certificate in the middle signing the requests.
Is there any way to do this? I'd be very useful to be able to see the requests and the way Charles formats the JSON responses, etc...
Twitter can't know that there is a man in the middle. I've not used Charles, but I've used Fiddler2. Try that one.
http://www.charlesproxy.com/documentation/proxying/ssl-proxying/
http://www.fiddler2.com/fiddler/help/httpsdecryption.asp
Decrypting HTTPS works by the proxy making its own certificate, and giving it to the browser. The browser will notice it connects with a bad certificate and give a warning, but the server (Twitter) will just see the proxy as another browser. The proxy-server connection uses Twitter's certificate, so it's still secure.
Perhaps this is your problem:
Q: Can Fiddler intercept traffic from Apple iOS devices like
iPad/iPhone/iPod Touch and Android devices? A: Yes, but these devices
may not be compatible with the default certificates Fiddler generates.
To resolve the incompatibility, you may replace Fiddler's default
certificate generator with one that generates certificates containing
flags (e.g. AKID, SKID) that are compatible with these platforms.
Simply download and install the new Certificate Maker and restart
Fiddler.
I am using some of the local machine's resources using COM interop functionality provided in Silverlight 4.0. Hence, naturally I need OOB with elevated permissions. However, in my case I am consuming the WCF services hosted on HTTPS channel. Here is where I am facing the problem. The OOB with elevated permissions applied, doesn't allow me consuming the HTTPS service hosted on either different or the same domain, giving me a NotFound exception. Please note that I have used the self-signed certificate for the development environment. The same is also installed in the Trusted Root folder of the client machine on which I am testing.
Interestingly, when I set the Fiddler options (in Fiddler session, Toos -> Fiddler Options -> HTTPS tab) to intercept the HTTPS traffic, with Decrypt HTTPS traffic checkbox set, I am able to use the same HTTPS service without any exception. But for that, I was told by Fiddler to store a temporary certificate inside my user profile's Fiddler directory, and I must have at least one Fiddler session at that time. Hence, it seems to be a certification issue. But does it relate in anyway to signing of the XAP file with the required certificate ? I am not sure. I tried with a self-signed certificate and bind my layer service URL to use that certificate. Then I install the same certificate to Trusted root folder of the client. But i was not successful in signing the XAP with that certificate.
Please let me know if you have any work-around.
If the code is running in a different user's context, you need to put your "Self-signed" certificate into the Machine Trusted Root store. Start mmc.exe. On the File menu, choose to Add a Snap-in. Add the Certificates snap-in. Pick Local Machine. Import the Self-signed root into the Trusted Root store.
I had the same problem and found out, that the SSL settings in IIS were wrong.
I configured IIS 7.5 to SSL only and to accept client certificates. With this settings, I ended up with the service not found error in OOB. After setting IIS to ignoring client certificates the OOB Application works fine.
I'm running mitmdump (from mitmproxy) on my Macbook Pro, and I'm connecting to the proxy through my Windows desktop PC.
However, Chrome (running on the PC) refuses to connect to so many sites because of the invalid certificates which mitmproxy provides.
Chrome throws the error: ERR::NET_CERT_AUTHORITY_INVALID
Here's what mitmdump shows:
But why? What's wrong with mitmproxy's certificates, why can't it just send back google's as if nothing happened?
I'd like to know how I can fix this and make (force) my desktop PC to connect to any website through my Macbook's mitmproxy.
Answering this question for people who may find this important now. To get the proxy working, you have to add the certificate as trusted in your browser.
For windows follow this: https://www.nullalo.com/en/chrome-how-to-install-self-signed-ssl-certificates/2/
For linux follow this: https://dev.to/suntong/using-squid-to-proxy-ssl-sites-nj3
For Mac-os follow this: https://www.andrewconnell.com/blog/updated-creating-and-trusting-self-signed-certs-on-macos-and-chrome/#add-certificate-to-trusted-root-authority
There are some additional details in the above links; tldr; import the certificate in your chrome://settings url and add the certificate as trusted. That shall do.
This will make your browser trust your self-signed certificate(mitm auto generated certificates too.)
The default certificates of mitmproxy is at ~/.mitmproxy/ directory.
Per the Getting Started page of the docs you add the CA by going to http://mitm.it while mitmproxy is running and selecting the operating system that you are using. This should solve your problem and will allow https sites to work with mitmproxy.
This is the expected behavior.
mitmproxy performes a Man-In-The-Middle attack to https connections by providing on-the-fly generated fake certificates to the client while it keeps communicating to the server over fully encrypted connection using the real certificates.
This way the communication between client and proxy can be decrypted. But the client has to actively approve using those fake certificates.
If that wasn't the case then SSL would be broken - which it isn't.
The whole story is very well explained here:
http://docs.mitmproxy.org/en/stable/howmitmproxy.html