> On Apr 24, 2017, at 6:11 PM, Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> 
> wrote:
> 
> I went through the capture between the app (local end) and the proxy. It 
> appears that the sequence is:
> 
> ClientHello -> (from app to proxy, with a ton of cipher suites, including 
> 0xc02f)
>       <-  ServerHello (with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 – present 
> in ClientHello)
>       <- Certificate, Server Key Exchange, Server Hello Done (includes proxy's 
> cert rather than the remote end's cert)
> 
> Alert (Level: Fatal, Description: Certificate Unknown) ->
> 
> So it appears that the app expects the remote end’s cert, and is not happy 
> getting the proxy’s cert instead?

Please report tshark output, not an approximate rendition.  In what direction
is the alert sent?

It is indeed possible that the application is not configured for and correctly
rejects the forged certificate of the MiTM proxy.  It would need the Root CA
of the proxy as a trusted issuer, but that may not be configurable.  In which
case you'd need to let the app connect directly to the remote server without
an MiTM-proxy.

-- 
        Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
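As an added illustration of the point Viktor makes above (this is not code from the thread, from OpenSSL or from any proxy product), the following Go program reproduces the symptom end to end with nothing but the standard library: it generates an in-memory root CA standing in for the MiTM proxy, forges a leaf for a hypothetical host name "remote.example", serves it on a loopback listener, and runs the client handshake twice, once with a trust store that lacks the proxy root and once with the proxy root installed as a trusted issuer. The first run fails on the client side with an unknown-authority error and the server side sees the client's fatal alert, which is the direction of the alert in the captured exchange; the second run completes. All names, the host and the CA subject are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// proxyCA is a constructed stand-in for an intercepting proxy: a root CA plus
// the leaf it forges for the remote host. Everything is generated in memory.
type proxyCA struct {
	rootPool *x509.CertPool  // what an app must trust for interception to work
	leaf     tls.Certificate // the forged certificate the proxy presents
}

func newProxyCA(host string) (*proxyCA, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Hypothetical MiTM Proxy Root CA"}, // assumed name
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host}, DNSNames: []string{host}, // forged for the remote end's name
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &proxyCA{rootPool: pool, leaf: tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}}, nil
}

// handshakeThroughProxy runs one TLS handshake against a loopback listener that
// presents the proxy's forged leaf. appTrust is the client's trust store. It
// returns the client-side handshake error (nil on success) and the server-side
// error, which is where the client's fatal alert shows up.
func handshakeThroughProxy(p *proxyCA, host string, appTrust *x509.CertPool) (clientErr, serverErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, nil
	}
	defer ln.Close()
	serverDone := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			serverDone <- err
			return
		}
		defer c.Close()
		c.SetDeadline(time.Now().Add(5 * time.Second))
		serverDone <- tls.Server(c, &tls.Config{Certificates: []tls.Certificate{p.leaf}}).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		ln.Close() // unblock Accept so the goroutine can report
		return err, <-serverDone
	}
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cl := tls.Client(raw, &tls.Config{ServerName: host, RootCAs: appTrust})
	clientErr = cl.Handshake()
	cl.Close()
	return clientErr, <-serverDone
}

func main() {
	p, err := newProxyCA("remote.example")
	if err != nil {
		panic(err)
	}
	// App whose trust store lacks the proxy root: verification fails and the
	// client sends a fatal alert, which is what the server side reports.
	cErr, sErr := handshakeThroughProxy(p, "remote.example", x509.NewCertPool())
	fmt.Printf("untrusted root: client=%v | server=%v\n", cErr, sErr)
	// Same app with the proxy root CA configured as a trusted issuer.
	cErr, sErr = handshakeThroughProxy(p, "remote.example", p.rootPool)
	fmt.Printf("trusted root:   client=%v | server=%v\n", cErr, sErr)
}
```

On a real capture the same question (who sent the alert, and which issuer is in the served chain) is answered with tshark rather than by guessing from a GUI rendering, e.g. `tshark -r capture.pcap -Y ssl.alert_message -T fields -e ip.src -e ip.dst -e ssl.alert_message.level -e ssl.alert_message.desc` for Wireshark versions of that era (newer releases use the `tls.` prefix). If the app cannot be pointed at the proxy's root CA, the program above shows there is no client-side fix short of bypassing the proxy.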
