PowerTunnel icon indicating copy to clipboard operation
PowerTunnel copied to clipboard
verified publisher icon krlvm

Неверный сертификат

Open vadimkara opened this issue 3 years ago • 7 comments

image

На некторых сайтх при переходе по ссылке на субдомены программа выдает сертификат не на тот днс что указан в ссылке

image

vadimkara avatar Aug 01 '22 05:08 vadimkara

Эта проблема связана с Cloudflare, когда модификация SNI выключена, она отсутствует. Думаю, что можно с этим сделать.

krlvm avatar Aug 01 '22 07:08 krlvm

Эта проблема связана с Cloudflare, когда модификация SNI выключена, она отсутствует. Думаю, что можно с этим сделать.

I'm facing same issue. Any workaround for this (with sni, not chuck)?

pundoo avatar May 13 '23 23:05 pundoo

Not yet, but you can disable these warnings in Chrome (this is not a good way though)

krlvm avatar May 13 '23 23:05 krlvm

Not yet, but you can disable these warnings in Chrome (this is not a good way though)

Disabling warnings don't seems to work. These sites are basically behind CDNs, that strictly requires the correct SNI field to serve the right certificate (and the right server to connect to?). Faking SNI simply breaks this mechanism.

I don't know (in-depth) exactly how the HTTPS connection establishes but, is it somehow possible to generate the (self-signed) cert from client request SNI/host (Fiddler does it), so that the CN matches and the handshake is successful. Then after that, somehow tell server the actual site we're trying to connect to via host header or something?

pundoo avatar May 14 '23 15:05 pundoo

Disabling warnings don't seems to work. These sites are basically behind CDNs, that strictly requires the correct SNI field to serve the right certificate (and the right server to connect to?). Faking SNI simply breaks this mechanism.

Yes, that's the problem. IIRC I wrote a detailed explaination in other thread some time ago.

I don't know (in-depth) exactly how the HTTPS connection establishes but, is it somehow possible to generate the (self-signed) cert from client request SNI/host (Fiddler does it), so that the CN matches and the handshake is successful. Then after that, somehow tell server the actual site we're trying to connect to via host header or something?

MITM is done by LittleProxy and its extension LittleProxy-mitm. Certificate generation is requested here, and it the certificates changes then, which is the problem. I tried to debug this previously, but I did not succeed. I will try again today.

krlvm avatar May 14 '23 15:05 krlvm

MITM is done by LittleProxy and its extension LittleProxy-mitm. Certificate generation is requested here, and it the certificates changes then, which is the problem. I tried to debug this previously, but I did not succeed. I will try again today.

Did some read up and seems like it should be fairly simple. We just have to get the SNI/host from the client request and use it as the COMMON_NAME (CN) for self generated certificate (instead of using CN received from server). I don't know Java that much, otherwise I'd test this approach..

pundoo avatar May 14 '23 16:05 pundoo

Yes that's it. Though I don't see a way to obtain it yet.

krlvm avatar May 15 '23 05:05 krlvm