Google Chrome doesn't trust mitmproxy's certificates

3

5

I'm running mitmdump (from mitmproxy) on my MacBook Pro, and I'm connecting to the proxy through my Windows desktop PC.

However, Chrome (running on the PC) refuses to connect to so many sites because of the invalid certificates which mitmproxy provides.

Your connection is not private / Attackers might be trying to steal your information. NET::ERR_CERT_AUTHORITY_INVALID

Chrome throws the error: ERR::NET_CERT_AUTHORITY_INVALID

Here's what mitmdump shows:

Client handshake failed

But why? What's wrong with mitmproxy's certificates? Why can't it just send back Google's as if nothing happened?

I'd like to know how I can fix this and make (force) my desktop PC to connect to any website through my MacBook's mitmproxy.

Revile answered 6/2, 2016 at 10:47 Comment(7)
It sounds like this question should be on Ask Different - Imputable
@Thomas Maybe, I myself wasn't sure where to post it. If more people express this sentiment, I'll flag it for moderator attention. - Revile
HTTPS is designed exactly to avoid this kind of thing, it's obvious that it doesn't work without fiddling with the browser's certificates... It cannot use Google's certificate, since only the public key is available. - Eyespot
@MatteoItalia Then how do I fiddle with the browser's certificates? - Revile
@minseong: you have to add the mitmproxy CA to the trusted CAs of the browser. - Eyespot
@MatteoItalia How do I do that for Chrome? You could provide an answer here. - Revile
@minseong: if I knew I would add an answer, but given that I've never used mitmproxy, rarely use Chrome, never use OS X, and I don't have a computer at hand I don't think I can provide a good answer. - Eyespot
5

Per the Getting Started page of the docs, you add the CA by going to http://mitm.it while mitmproxy is running and selecting the operating system that you are using. This should solve your problem and will allow HTTPS sites to work with mitmproxy.

Fanchan answered 15/4, 2016 at 8:40 Comment(2)
At least the instructions for Linux do nothing for Chrome/Chromium. - Stefanstefanac
@Stefanstefanac You are better off using Firefox since you can set a proxy in Firefox directly while Chrome uses your system's proxy settings. Either way, per the instructions "You need to configure your browser or device to route all traffic through mitmproxy." It is up to the user to look up how to do that based on what they are trying to connect to mitmproxy. - Fanchan
4

Answering this question for people who may find this important now. To get the proxy working, you have to add the certificate as trusted in your browser.

For Windows, follow this: https://www.nullalo.com/en/chrome-how-to-install-self-signed-ssl-certificates/2/

For Linux, follow this: https://dev.to/suntong/using-squid-to-proxy-ssl-sites-nj3

For macOS, follow this: https://www.andrewconnell.com/blog/updated-creating-and-trusting-self-signed-certs-on-macos-and-chrome/#add-certificate-to-trusted-root-authority

There are some additional details in the above links; TL;DR: import the certificate at your chrome://settings URL and add the certificate as trusted. That shall do.

This will make your browser trust your self-signed certificate (mitm auto-generated certificates too).

The default certificates of mitmproxy are in the ~/.mitmproxy/ directory.

Valerlan answered 3/3, 2020 at 7:39 Comment(0)
1

This is the expected behavior.

mitmproxy performs a Man-In-The-Middle attack on HTTPS connections by providing on-the-fly generated fake certificates to the client while it keeps communicating with the server over a fully encrypted connection using the real certificates.

This way the communication between client and proxy can be decrypted. But the client has to actively approve using those fake certificates.

If that wasn't the case then SSL would be broken - which it isn't.

The whole story is very well explained here:

http://docs.mitmproxy.org/en/stable/howmitmproxy.html

Freemanfreemartin answered 11/2, 2016 at 16:53 Comment(1)
Not "expected" after one has visited mitm.it and followed the instructions. - Stefanstefanac
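
An added example (not from any of the posts above, and not mitmproxy's own code) that reproduces the trust decision the answers describe, using the openssl CLI with throwaway keys: a leaf certificate signed by a private CA is rejected until that CA is supplied as trusted, which is the failure Chrome reports as NET::ERR_CERT_AUTHORITY_INVALID. "Demo Proxy CA", example.com and all file names are constructed stand-ins for mitmproxy's generated CA and per-site certificates.

```bash
#!/usr/bin/env bash
# Added example with throwaway keys; "Demo Proxy CA" and every file name below
# are constructed stand-ins, not mitmproxy's real CA files.

# Build a private CA and a leaf for example.com signed by it, the same shape
# as the per-site certificates an intercepting proxy issues on the fly.
make_demo_pki() {
  dir=$1
  cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Proxy CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
  openssl req -new -config "$dir/demo.cnf" -subj "/CN=example.com" \
    -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    2>/dev/null || return 1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
}

# True only if openssl can chain the leaf to a trusted root. With no second
# argument the default system roots are used (the browser before the import);
# passing the CA file models the state after it was added as trusted.
leaf_is_trusted() {
  openssl verify ${2:+-CAfile "$2"} "$1/leaf.pem" 2>/dev/null | grep -q ': OK$'
}

# Show who signed the leaf: the proxy's CA, not a public one.
leaf_issuer() { openssl x509 -in "$1/leaf.pem" -noout -issuer; }

demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
leaf_issuer "$demo"
leaf_is_trusted "$demo" && echo "before import: trusted" \
  || echo "before import: rejected (unknown issuer)"
leaf_is_trusted "$demo" "$demo/ca.pem" && echo "after import: trusted" \
  || echo "after import: rejected"
rm -rf "$demo"
```

Only the CA certificate (`ca.pem` here) ever needs to be imported on the client; the CA private key stays on the machine running the proxy.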
