node-http-mitm-proxy icon indicating copy to clipboard operation
node-http-mitm-proxy copied to clipboard

Published 20 hours ago verified publisher icon joeferner

Error: socket hang up, ECONNRESET

Open flippyhead opened this issue 8 years ago • 3 comments

First, thanks for making this!

Second, using your examples I've got a proxy running. On some HTTPS sites it works as expected however on some it fails with the error:

proxy error: { [Error: socket hang up] code: 'ECONNRESET', sslError: undefined }

For example https://github.com and https://en.wikipedia.org fail to load. Safari, for example, indicates that it's not able to establish a secure connection to the web server.

Any suggestions?

flippyhead avatar Jan 10 '16 11:01 flippyhead

http-mitm-proxy generate a SSL certificates for each sites on the fly, from a fake authority certificate also generated at first launch. (you can get more info on that in this thread https://github.com/joeferner/node-http-mitm-proxy/issues/50)

This "Authority" is not Trusted by default by your Browser and OS, this is why you get warnings on some HTTPS website and be blocked on some others (this is your browser that reset the connection).

I don't know why some sites just get a warning and others are blocked, and I would be glad to know it.

But if you makes the generated authority Trusted by your Browser or OS, it solves the problem.

Here how to do (this should be added to the documentation one day): The certificate is located in options.sslCaDir + '/certs/ca.pem' (by default .http-mitm-proxy/certs/ca.pem which is hidden but still accessible on mac)

  • Firefox have it own Authorities store (Settings > Advanced > Certificates) where you can import the certificate as new Authority
  • Other browsers use the OS Certificates store where you need to import the certificate (Double click on ca.pem or use keychains manager on Mac OS X).

felicienfrancois avatar Jan 11 '16 17:01 felicienfrancois

I don't know why some sites just get a warning and others are blocked, and I would be glad to know it.

It's probably about Certificate Pinning: The Browser assumes it knows exactly which certificate (or CA, dunno) the site will use, thus recognizes your cert as a MitM attempt, and decides to protect you from this attack. Afaik this really verifies the cert, not the key, so if you ever manage to create a key that matches the certificate, you might be able to circumvent it.

mk-pmb avatar Jan 16 '17 12:01 mk-pmb