
Error with BrowserMobProxy temporarily down or it may have moved permanently to a new web address. ERR_TUNNEL_CONNECTION_FAILED

Open njajay opened this issue 7 years ago • 1 comment

We are running BrowserMob Proxy in embedded mode with the Chrome WebDriver. When we try to access our application, which uses a self-signed certificate, we see the "temporarily down or it may have moved permanently to a new web address. ERR_TUNNEL_CONNECTION_FAILED" error in the browser.

We have set setTrustAllServers to true and also followed the steps in README.md to add the certificate to the truststore. When we enable debug logging we see the exception and messages below before the error.

2017-11-08 19:13:43,459 [LittleProxy-0-ProxyToServerWorker-2] DEBUG ProxyToServerConnection:115 - (AWAITING_CONNECT_OK) [id: 0x5fea0e8d, L:/CLIENTHOST:50864 - R:CHAINEDPROXY:80]: Processing connection flow step: HANDSHAKING
2017-11-08 19:13:43,459 [LittleProxy-0-ProxyToServerWorker-3] DEBUG ProxyToServerConnection:115 - (AWAITING_CONNECT_OK) [id: 0x231337f8, L:/CLIENTHOST:50865 - R:CHAINEDPROXY:80]: Processing connection flow step: HANDSHAKING
2017-11-08 19:13:43,460 [LittleProxy-0-ProxyToServerWorker-2] DEBUG ProxyToServerConnection:371 - (HANDSHAKING) [id: 0x5fea0e8d, L:/CLIENTHOST:50864 - R:CHAINEDPROXY:80]: Enabling encryption with SSLEngine: 5993250b[SSLEngine[hostname=DESTINATION_SERVER port=4443] SSL_NULL_WITH_NULL_NULL]
2017-11-08 19:13:43,460 [LittleProxy-0-ProxyToServerWorker-3] DEBUG ProxyToServerConnection:371 - (HANDSHAKING) [id: 0x231337f8, L:/CLIENTHOST:50865 - R:CHAINEDPROXY:80]: Enabling encryption with SSLEngine: 6fbcf72c[SSLEngine[hostname=DESTINATION_SERVER port=4443] SSL_NULL_WITH_NULL_NULL]
2017-11-08 19:13:43,463 [LittleProxy-0-ProxyToServerWorker-2] DEBUG ProxyToServerConnection:209 - (HANDSHAKING) [id: 0x5fea0e8d, L:/CLIENTHOST:50864 - R:CHAINEDPROXY:80]: In the middle of connecting, forwarding message to connection flow: EmptyLastHttpContent
2017-11-08 19:13:43,464 [LittleProxy-0-ProxyToServerWorker-3] DEBUG ProxyToServerConnection:209 - (HANDSHAKING) [id: 0x231337f8, L:/CLIENTHOST:50865 - R:CHAINEDPROXY:80]: In the middle of connecting, forwarding message to connection flow: EmptyLastHttpContent
2017-11-08 19:13:43,464 [LittleProxy-0-ProxyToServerWorker-2] DEBUG ProxyToServerConnection:108 - (HANDSHAKING) [id: 0x5fea0e8d, L:/CLIENTHOST:50864 - R:CHAINEDPROXY:80]: Received message while in the middle of connecting: EmptyLastHttpContent
2017-11-08 19:13:43,464 [LittleProxy-0-ProxyToServerWorker-3] DEBUG ProxyToServerConnection:108 - (HANDSHAKING) [id: 0x231337f8, L:/CLIENTHOST:50865 - R:CHAINEDPROXY:80]: Received message while in the middle of connecting: EmptyLastHttpContent
2017-11-08 19:13:43,793 [LittleProxy-0-ProxyToServerWorker-2] DEBUG ProxyToServerConnection:151 - (HANDSHAKING) [id: 0x5fea0e8d, L:/CLIENTHOST:50864 - R:CHAINEDPROXY:80]: ConnectionFlowStep failed
javax.net.ssl.SSLException: Received fatal alert: close_notify
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:1.7.0_67]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1619) ~[?:1.7.0_67]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1587) ~[?:1.7.0_67]
    at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1756) ~[?:1.7.0_67]
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1060) ~[?:1.7.0_67]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:884) ~[?:1.7.0_67]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758) ~[?:1.7.0_67]
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.7.0_67]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1097) [browsermob-dist-2.1.4.jar:?]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:968) [browsermob-dist-2.1.4.jar:?]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:902) [browsermob-dist-2.1.4.jar:?]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) [browsermob-dist-2.1.4.jar:?]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) [browsermob-dist-2.1.4.jar:?]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [browsermob-dist-2.1.4.jar:?]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [browsermob-dist-2.1.4.jar:?]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [browsermob-dist-2.1.4.jar:?]
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [browsermob-dist-2.1.4.jar:?]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [browsermob-dist-2.1.4.jar:?]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [browsermob-dist-2.1.4.jar:?]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [browsermob-dist-2.1.4.jar:?]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) [browsermob-dist-2.1.4.jar:?]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:651) [browsermob-dist-2.1.4.jar:?]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:574) [browsermob-dist-2.1.4.jar:?]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:488) [browsermob-dist-2.1.4.jar:?]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:450) [browsermob-dist-2.1.4.jar:?]
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) [browsermob-dist-2.1.4.jar:?]
    at java.lang.Thread.run(Thread.java:745) [?:1.7.0_67]
2017-11-08 19:13:43,796 [LittleProxy-0-ProxyToServerWorker-2] DEBUG ClientToProxyConnection:626 - (NEGOTIATING_CONNECT) [id: 0x4798aee0, L:/CLIENTHOST:411 - R:/CLIENTHOST:50863]: All servers have finished attempting to connect, resuming reading from client.
2017-11-08 19:13:43,796 [LittleProxy-0-ProxyToServerWorker-2] DEBUG ClientToProxyConnection:559 - (NEGOTIATING_CONNECT) [id: 0x4798aee0, L:/CLIENTHOST:411 - R:/CLIENTHOST:50863]: Resumed reading
2017-11-08 19:13:43,797 [LittleProxy-0-ProxyToServerWorker-3] DEBUG ProxyToServerConnection:151 - (HANDSHAKING) [id: 0x231337f8, L:/CLIENTHOST:50865 - R:CHAINEDPROXY:80]: ConnectionFlowStep failed

njajay avatar Nov 08 '17 13:11 njajay

I also faced a similar issue in our application and identified the root cause to be a TLS handshake failure because of a mismatch in the cipher suite list between client and server. https://github.com/lightbody/browsermob-proxy/blob/master/mitm/src/main/java/net/lightbody/bmp/mitm/util/SslUtil.java#L132-L148

We ran a simple Java file:

  import java.util.Arrays;
  import javax.net.ssl.SSLContext;

  public class test {
      public static void main(String[] args) {
          try {
              System.out.println("This is called for generating cipher list");
              // A context initialised with nulls uses the JVM's default key and trust managers
              SSLContext sslContext = SSLContext.getInstance("TLS");
              sslContext.init(null, null, null);

              // The cipher suites this JVM enables by default on server-side sockets
              String[] defaultCiphers = sslContext.getServerSocketFactory().getDefaultCipherSuites();

              System.out.println(Arrays.asList(defaultCiphers).toString());

          } catch (Throwable t) {
              System.out.println("Error in the function");
              t.printStackTrace();
          }
      }
  }

Output came as follows:

[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

We can clearly see 256-bit ciphers present in the list, but when the same piece of code is executed inside the browsermob process it outputs the following:

This is called for generating cipher list
[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

We can see that the 256-bit ciphers, which are essential for the TLS handshake, are missing.

yashLadha avatar Apr 23 '21 13:04 yashLadha
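The comparison above can be turned into a repeatable check. The following is an added example, not code from the browsermob-proxy project or from either commenter: it parses JSSE cipher suite names, simulates TLS 1.2 suite selection between a client's offered list and a server's accepted list, and reports why no suite could be agreed. The two JVM lists are copied (and shortened, order preserved) from the outputs in the comment above; the server policy `SERVER_ALLOWED`, a server that accepts only AES-256 suites, is a constructed assumption standing in for the destination server in the issue.

```python
import re

# Copied from the two outputs above, shortened to the suites needed here.
FULL_JVM = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]
RESTRICTED_JVM = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]
# Constructed assumption: a server configured to accept AES-256 suites only,
# listed in the server's own preference order.
SERVER_ALLOWED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
]

# <TLS|SSL>_<key exchange>_WITH_<bulk cipher>_<MAC>
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)$")


def parse_suite(name):
    """Split a JSSE/IANA suite name into its parts and its symmetric key size.
    Returns None for signalling values such as the renegotiation SCSV."""
    m = SUITE_RE.match(name)
    if not m:
        return None
    cipher = m.group("cipher")
    if cipher.startswith("AES_"):
        bits = int(cipher.split("_")[1])
    elif cipher.startswith("3DES"):
        bits = 112  # effective strength of three-key triple DES
    else:
        bits = 0
    return {"kx": m.group("kx"), "cipher": cipher, "mac": m.group("mac"), "bits": bits}


def real_suites(names):
    """Drop entries that are not negotiable cipher suites (e.g. the SCSV)."""
    return [n for n in names if parse_suite(n)]


def negotiate(client_offered, server_allowed, server_preference=True):
    """Return the suite a TLS 1.2 server would select: the first suite in the
    preferred side's order that the other side also supports, or None."""
    client, server = real_suites(client_offered), real_suites(server_allowed)
    first, second = (server, client) if server_preference else (client, server)
    other = set(second)
    for suite in first:
        if suite in other:
            return suite
    return None


def max_key_bits(names):
    """Largest symmetric key size among the suites a side supports."""
    return max((parse_suite(n)["bits"] for n in real_suites(names)), default=0)


def diagnose(client_offered, server_allowed):
    """Explain the outcome of negotiation in terms of what each side offers."""
    chosen = negotiate(client_offered, server_allowed)
    if chosen:
        return "handshake ok: " + chosen
    client_bits = max_key_bits(client_offered)
    server_min = min(parse_suite(n)["bits"] for n in real_suites(server_allowed))
    if client_bits < server_min:
        return ("no common suite: client offers at most %d-bit keys, server requires "
                "at least %d-bit keys (a JVM capped at AES-128 usually lacks the JCE "
                "unlimited-strength policy files)" % (client_bits, server_min))
    return "no common suite: key exchange or MAC mismatch"


if __name__ == "__main__":
    print("full JVM      :", diagnose(FULL_JVM, SERVER_ALLOWED))
    print("restricted JVM:", diagnose(RESTRICTED_JVM, SERVER_ALLOWED))
```

Run against the restricted list the check reports that the client cannot reach the server's 256-bit minimum, which is the situation the comment describes: the server has nothing to pick from the ClientHello and closes the connection, and LittleProxy surfaces that as the failed HANDSHAKING step in the proxy-to-server flow. Replace `SERVER_ALLOWED` with the suite list of the real destination server (for example as reported by a TLS scanner) to test a specific deployment.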