
@chayanforyou
Last active September 4, 2024 07:01
Monitoring/Inspecting Network on Android or iOS Apps Using mitmproxy

SSL handshake error

192.168.0.14:56294: CONNECT android.googleapis.com:443
 << Cannot establish TLS with client (sni: android.googleapis.com): TlsException("SSL handshake error: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate unknown')],)",)

sslv3_alert_certificate_unknown

Solution

Android 7.1 and higher no longer trust custom certificates that the user adds manually, but if you have a phone with superuser access you can make it work via ADB.

Android stores its system certificates in /system/etc/security/cacerts/. If you take a look at your device, you will see that the CA certificates are stored under the name of their subject hash, with ‘0’ as the extension (example: c8450d0d.0). To intercept app traffic, you need to find out the hash of your CA certificate and copy the certificate to a file with this hash as its filename. Otherwise Android will ignore the certificate.

By default, the mitmproxy CA certificate is located in this file: ~/.mitmproxy/mitmproxy-ca-cert.cer

Instructions

  • Enter your certificate folder: cd ~/.mitmproxy/
  • Generate the hash and copy the certificate: hashed_name=`openssl x509 -inform PEM -noout -subject_hash_old -in mitmproxy-ca-cert.cer | head -1` && cp mitmproxy-ca-cert.cer $hashed_name.0

This produces a file named after the hash, for example c8750f0d.0
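As an added example (not part of the gist), here is how that filename is derived without calling openssl; the DER walker and the sample certificate, PEM wrapper and names below are constructed for illustration only.

```python
"""Derive the Android CA-store filename (<subject_hash_old>.0) for a certificate, stdlib only.
subject_hash_old = MD5 over the DER-encoded Subject name, with the first 4 digest bytes read as a
little-endian uint32 and printed as 8 hex digits; a tiny DER walker stands in for openssl."""
import base64, hashlib, re

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, inner, raw_tlv) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, end = der_read(value, pos)
        yield tag, inner, value[pos:end]
        pos = end

def load_der(data):
    """Accept PEM (what ~/.mitmproxy/mitmproxy-ca-cert.cer holds) or raw DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def subject_der(cert_der):
    """Raw DER of the Subject: 5th TBSCertificate field once the optional [0] version is skipped."""
    _, cert_body, _ = der_read(cert_der)           # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = der_read(cert_body)                # tbsCertificate is its first element
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                       # [0] EXPLICIT version is absent in v1 certs
        fields = fields[1:]
    return fields[4][2]                            # serial, sigAlg, issuer, validity, subject

def subject_hash_old(cert_der):
    return "%08x" % int.from_bytes(hashlib.md5(subject_der(cert_der)).digest()[:4], "little")

def android_cacert_filename(pem_or_der):
    """Name Android expects under /system/etc/security/cacerts/, e.g. c8750f0d.0."""
    return subject_hash_old(load_der(pem_or_der)) + ".0"

# Constructed sample (not a real certificate): minimal DER with distinct issuer and subject names.
def der_tlv(tag, body):
    return bytes([tag, len(body)]) + body          # short-form lengths suffice for the sample
def der_cn_name(cn):                               # Name ::= SEQUENCE OF SET OF { OID CN, UTF8String }
    return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, b"\x06\x03\x55\x04\x03" + der_tlv(0x0C, cn.encode()))))
SHA256_RSA = der_tlv(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
SAMPLE_TBS = (der_tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + SHA256_RSA + der_cn_name("issuer")
              + der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
              + der_cn_name("mitmproxy") + der_tlv(0x30, b"\x06\x03\x2a\x03\x04"))
SAMPLE_CERT = der_tlv(0x30, der_tlv(0x30, SAMPLE_TBS) + SHA256_RSA + b"\x03\x02\x00\xff")
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT) + b"-----END CERTIFICATE-----\n"
```

Run android_cacert_filename(open("mitmproxy-ca-cert.cer", "rb").read()) on the real mitmproxy file to get the same name openssl prints.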

Insert certificate into system certificate store

Now we have to place our CA certificate inside the system certificate store at /system/etc/security/cacerts/ on the Android filesystem. By default the /system partition is mounted read-only, so you first need to remount it with write access:

adb shell su -c "mount -o rw,remount /system"
adb push your_certificate /sdcard/your_certificate   # your_certificate is the <hash>.0 file from the previous step
adb shell su -c "mv /sdcard/your_certificate /system/etc/security/cacerts/your_certificate"
adb shell su -c "chmod 644 /system/etc/security/cacerts/your_certificate"
adb reboot

If that doesn't work: I can remember (though not the source) reading that Android Nougat also disregards certificates that expire more than 2 years out. The certificates created by mitmproxy should be fine. Burp Suite or Fiddler ones did not work for me, though.

How to root AVDs that ship without the Play Store (Google APIs images) out of the box

emulator -list-avds
 	Pixel_3a_XL_API_30

emulator -avd Pixel_3a_XL_API_30 -writable-system   # pass -writable-system on every launch, or the /system changes are not visible
adb root
adb shell avbctl disable-verification
adb disable-verity
adb reboot
adb root
adb remount
adb shell   # optional check: the prompt should end in '#' (root), e.g. emulator_arm64:/ #; type exit to return to the host
adb push /Users/{USER}/desktop/c8750f0d.0 /system/etc/security/cacerts
adb shell chmod 664 /system/etc/security/cacerts/c8750f0d.0
adb reboot
