CA mode does not work with iOS

Open ju916 opened this issue 13 years ago • 6 comments

We have a test environment with sslsniff in CA mode that works fine with Firefox on Linux/Windows. When we try to use it with iOS we don't get a connection to the server. Safari simply complains that it cannot make a secure connection to the server. Targeted mode seems to work though.

I am willing to provide more details but I have not yet found a way to get any meaningful output from Safari.

ju916 avatar Jan 27 '12 16:01 ju916

FWIW, this incompatibility, plus the fact that he prefers python to C++, seems to be the reason why Hubert wrote iSniff. In his 28C3 lightning talk about iSniff, at 2:17, he mentions what he thinks is the technical reason for the incompatibility.

https://github.com/hubert3/iSniff https://www.youtube.com/watch?v=fqB7MwwxkOk http://www.ruxcon.org.au/assets/Presentations/Ruxmon/iPwnyouriPhone2.pptx

droe avatar Jan 28 '12 14:01 droe

Fix extracted from the above:

certificate/AuthorityCertificateManager.cpp:

  • X509_set_version(request, 3);
  • X509_set_version(request, 1);
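
Review bot: the replacement value in X509_set_version(request, 1) is still off by one if the intent is a v1 certificate. The argument is the zero-based encoded version, so 1 produces an X509v2 certificate and the original 3 produced a v4 one; use 0 for v1, or 2 for v3 together with the matching v3 extensions.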

seems to work for us, no side effects yet.

ju916 avatar Jan 31 '12 10:01 ju916

My guess is that the missing X509v3 extensions are the problem. One way to fix it is to mark the certificate as v1 (your workaround), the other way would be to add the required v3 extensions.

droe avatar Jan 31 '12 12:01 droe

Can you try this patch?

droe/sslsniff@5b66f8c

If it works for you, I'll submit a pull request.

droe avatar Jan 31 '12 18:01 droe

Not in the office today. Will try it tomorrow.

bye, ju

On 31.01.2012 at 19:20, Daniel Roethlisberger wrote:

> Can you try this patch?
>
> droe/sslsniff@5b66f8c
>
> If it works for you, I'll submit a pull request.

ju916 avatar Feb 01 '12 07:02 ju916

D'oh, sslsniff has been generating version 4 certificates:

$ openssl x509 -in test.crt -text
Certificate:
    Data:
        Version: 4 (0x3)
        Serial Number: ... (...)
        Signature Algorithm: sha1WithRSAEncryption
        ...

The version passed to X509_set_version() is zero-based, that is, an argument of 3 corresponds to X509v4. Not what we want.

The fix: droe/sslsniff@1b64bc6

The full changeset which adds a standard set of v3 extensions including the server cert's subjectAltName: https://github.com/droe/sslsniff/compare/master...topic%2Fx509v3ext

Feedback welcome.

droe avatar Feb 01 '12 19:02 droe
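
The zero-based version encoding discussed in this thread, as an added example (not code from sslsniff or from either commenter): a dependency-free C++ check that reads the version field from DER bytes and flags values outside v1 to v3, including the case where the field is absent and defaults to v1. The sample byte arrays are constructed fragments rather than real certificates, and the function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;

// Constructed samples (not real certificates): only the outer SEQUENCE, the
// TBSCertificate SEQUENCE, the optional [0] version and a serial number.
const Bytes kFieldAbsent = {0x30,0x05, 0x30,0x03, 0x02,0x01,0x01};
const Bytes kField2 = {0x30,0x0A, 0x30,0x08, 0xA0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01};
const Bytes kField3 = {0x30,0x0A, 0x30,0x08, 0xA0,0x03,0x02,0x01,0x03, 0x02,0x01,0x01};

// Read one DER tag/length header at pos and advance pos to the content bytes.
static bool readHeader(const Bytes& d, size_t& pos, uint8_t& tag, size_t& len) {
    if (d.size() < 2 || pos > d.size() - 2) return false;
    tag = d[pos++];
    len = d[pos++];
    if (len & 0x80) {                       // long form: low 7 bits = length octets
        size_t n = len & 0x7F;
        if (n == 0 || n > 3 || n > d.size() - pos) return false;
        for (len = 0; n > 0; --n) len = (len << 8) | d[pos++];
    }
    return len <= d.size() - pos;           // content must fit in the buffer
}

// Returns the raw version INTEGER (0 = v1, 1 = v2, 2 = v3) or -1 if malformed.
long certVersionField(const Bytes& der) {
    size_t pos = 0, len = 0; uint8_t tag = 0;
    if (!readHeader(der, pos, tag, len) || tag != 0x30) return -1;  // Certificate
    if (!readHeader(der, pos, tag, len) || tag != 0x30) return -1;  // TBSCertificate
    if (len == 0) return -1;
    if (der[pos] != 0xA0) return 0;         // [0] absent means DEFAULT v1
    if (!readHeader(der, pos, tag, len)) return -1;                 // [0] EXPLICIT
    // Versions wider than 3 bytes are treated as malformed in this sketch.
    if (!readHeader(der, pos, tag, len) || tag != 0x02 || len == 0 || len > 3) return -1;
    long v = 0;
    for (size_t i = 0; i < len; ++i) v = (v << 8) | der[pos + i];
    return v;
}

std::string describeVersion(long field) {
    if (field < 0) return "malformed";
    if (field > 2) return "invalid: field " + std::to_string(field) + " is not v1, v2 or v3";
    return "X509v" + std::to_string(field + 1);
}
int main() {
    for (const Bytes* s : {&kFieldAbsent, &kField2, &kField3})
        std::cout << describeVersion(certVersionField(*s)) << "\n";
    return 0;
}
```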