How to avoid the 'tlsv1 alert unknown ca' error in libmproxy?
Currently using libmproxy, which in turn uses telnetlib, to make requests to HTTPS Web pages. However, the following error is raised:

Error: [('SSL routines', 'SSL3_READ_BYTES', 'tlsv1 alert unknown ca')]

I believe this is related to the inability to verify the identity of the CA that vouches for the certificate the page uses. I would think there should be a setting that I can turn on (or off) that enables bypass of verification - I'm not interested in verifying the identity of the digital signer.

I think that a possible, kind of ugly, solution could be to patch the code to catch the exception and ignore it, but I would rather have a cleaner and more-supported way to do it.

What is a good way to avoid/solve this problem?

Thanks very much!

Norty answered 2/7, 2013 at 22:51
Comments:
Slacks: Are you aware that bypassing the verification makes the connection vulnerable to potential MITM attacks?
Norty: Yes. This is an inherently insecure environment and it's "OK" to enter potentially insecure situations. Thanks for the heads up, though :)
Ordinate: I tried to dig into this, but it's not really an "in python" question - the answer is going to be specific to the underlying libraries. It looks like libmproxy uses netlib, which uses the openssl library, so I'd have to start by looking at the openssl library and figuring out how to turn off validation there, then see if netlib has a way to activate that, then see if libmproxy has a way to make netlib do the thing that makes openssl not validate the cert.
Quinonez: I tried the example from mitmproxy.org/doc/scripting/libmproxy.html and loaded a website which has no trusted CA successfully. Could you post some code showing how you are using the lib, or the example link that causes the problem? Do you have client-side CA files?
Lump: Have you looked at the Config options? Maybe try setting no_upstream_cert=True? The defaults: Config(certfile = None, cacert = None, clientcerts = None, no_upstream_cert=False, body_size_limit = None, reverse_proxy=None, forward_proxy=None, transparent_proxy=None, authenticator=None)
Norty: @springrider, I believe we don't have client-side CA files. @CypressFrankenfeld, I see you have set no_upstream_cert to both True and False, so I'm kind of confused. If you want to, you could fashion this as an answer and I'll take a look.

Seems that you can use the certutil if you have Windows clients.

http://support.microsoft.com/kb/555252

For Linux clients you can use:

# Debian/Ubuntu: drop the CA into the ca-certificates tree, then tick it in the dpkg-reconfigure dialog
sudo mkdir -p /usr/share/ca-certificates/extra
sudo cp cacert.crt /usr/share/ca-certificates/extra/cacert.crt
sudo dpkg-reconfigure ca-certificates

For Mac clients:

sudo security add-trusted-cert -d -r trustRoot -k \
"/Library/Keychains/System.keychain" \
"/private/tmp/certs/certname.cer"

(got this answer from https://apple.stackexchange.com/questions/80623/import-certificates-into-system-keychain-via-the-command-line)

Also, reading libmproxy's webpage it seems that it is able to load up custom certificates. If you already have an internal cert authority that your clients already trust you may want to simply generate certs from there.

Nonmetal answered 16/7, 2014 at 6:01
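The point behind this answer, as a self-contained demonstration (added here; it is not code from the answer or from the mitmproxy project): the "unknown ca" alert is sent by the side that rejects a certificate, so the process that logs "tlsv1 alert unknown ca" is the one whose peer refused its certificate, and the fix belongs in that peer's trust store rather than in switching verification off. The script builds a throw-away root CA and a leaf certificate signed by it, standing in for the proxy CA and the certificate the proxy presents for a site. A strict client that does not trust the CA aborts the handshake and the server logs the alert; the same client with the CA supplied via -CAfile, which is the per-command equivalent of installing it in the OS store with the commands above, completes the handshake. Assumptions: the openssl command-line tool is installed, loopback TCP port 44330 is free (overridable via the first argument), sleep accepts fractional seconds, and the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the answer or from mitmproxy: reproduce the
# 'tlsv1 alert unknown ca' failure with a private CA, then make the same
# handshake succeed by trusting that CA. Requires the openssl CLI.

# make_demo_pki DIR: write a throw-away root CA (ca.crt, ca.key) and a leaf
# for localhost signed by it (leaf.crt, leaf.key) into DIR. The CA stands in
# for the proxy CA, the leaf for the certificate the proxy presents for a
# site. Private config files keep req independent of the system openssl.cnf.
make_demo_pki() {
    pki=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
        '[dn]' 'CN = Demo Proxy Root CA' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign,cRLSign' \
        >"$pki/ca.cnf"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' 'CN = localhost' >"$pki/leaf.cnf"
    printf '%s\n' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = serverAuth' \
        'subjectAltName = DNS:localhost' >"$pki/leaf.ext"
    openssl req -x509 -config "$pki/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 7 -keyout "$pki/ca.key" -out "$pki/ca.crt" 2>/dev/null &&
    openssl req -new -config "$pki/leaf.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$pki/leaf.key" -out "$pki/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$pki/leaf.csr" -CA "$pki/ca.crt" -CAkey "$pki/ca.key" \
        -CAcreateserial -days 7 -sha256 -extfile "$pki/leaf.ext" \
        -out "$pki/leaf.crt" 2>/dev/null
}

# verify_leaf DIR [CAFILE]: the chain check a client runs. Without CAFILE only
# the system trust store is consulted; the demo CA is not in it, so the leaf
# is rejected just as a browser rejects a proxy-forged cert. With CAFILE
# (what installing the CA in the OS store provides) the chain verifies.
verify_leaf() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1/leaf.crt" >/dev/null 2>&1
    else
        openssl verify "$1/leaf.crt" >/dev/null 2>&1
    fi
}

# handshake_demo DIR PORT: serve leaf.crt on 127.0.0.1:PORT and connect twice.
# A client given the CA completes the handshake. A strict client without the
# CA (-verify_return_error makes s_client abort like a browser) sends the
# unknown_ca alert, which the server logs as 'tlsv1 alert unknown ca'.
# Returns 0 only when both outcomes are observed.
handshake_demo() {
    hd=$1; port=$2
    openssl s_server -accept "127.0.0.1:$port" -cert "$hd/leaf.crt" -key "$hd/leaf.key" \
        -www -msg -naccept 3 >"$hd/server.log" 2>&1 &
    srv=$!
    # Wait for the listener; the first probe that connects uses one of the
    # three accept slots, the two real clients use the other two.
    tries=0
    until openssl s_client -connect "127.0.0.1:$port" </dev/null >/dev/null 2>&1; do
        tries=$((tries + 1))
        if [ "$tries" -ge 50 ]; then kill "$srv" 2>/dev/null; return 1; fi
        sleep 0.2
    done
    # 1. Client with the CA supplied (and hostname checked): must succeed.
    openssl s_client -connect "127.0.0.1:$port" -CAfile "$hd/ca.crt" \
        -verify_return_error -verify_hostname localhost \
        </dev/null >"$hd/trusted.log" 2>&1 || { kill "$srv" 2>/dev/null; return 1; }
    # 2. Client that does not trust the CA: the handshake must fail.
    if openssl s_client -connect "127.0.0.1:$port" -verify_return_error \
            </dev/null >"$hd/untrusted.log" 2>&1; then
        kill "$srv" 2>/dev/null; return 1
    fi
    # The server exits by itself after three connections; don't hang if not.
    tries=0
    while kill -0 "$srv" 2>/dev/null && [ "$tries" -lt 25 ]; do
        tries=$((tries + 1)); sleep 0.2
    done
    kill "$srv" 2>/dev/null; wait "$srv" 2>/dev/null || true
    # Matches the error-queue wording ('tlsv1 alert unknown ca') or -msg's.
    grep -Eqi 'unknown ca|unknown_ca' "$hd/server.log"
}

# run_demo [PORT]: build the PKI, run the offline check and the live
# handshake, print a verdict and return 0 on success. Default port 44330.
run_demo() {
    work=$(mktemp -d) || return 1
    if make_demo_pki "$work" && ! verify_leaf "$work" \
        && verify_leaf "$work" "$work/ca.crt" && handshake_demo "$work" "${1:-44330}"; then
        echo "ok: with the CA the handshake completed; without it the server logged 'unknown ca'"
        rm -rf "$work"; return 0
    fi
    echo "demo failed; artefacts left in $work" >&2
    return 1
}

run_demo "$@"
```

Run it with no arguments, or with a port number if 44330 is taken; the untrusted client's own output (untrusted.log) shows "verify error:num=20:unable to get local issuer certificate", the error the client maps to the unknown_ca alert. Leaving out -verify_return_error would make s_client print that error and carry on, which is the behaviour the question asks for and the reason the comments warn about MITM: the connection then goes to whoever presented the certificate.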

This happens when the proxySG certificate that is presented to the user isn't signed by a trusted CA.

I had this error too, I fixed it by pushing the CA (the one used for ssl proxy) to the actual browser, through group policy.

Cestoid answered 10/1, 2014 at 16:58
Comments:
Norty: Sounds like it might be worth looking into. Could you elaborate on how to do it and what those terms mean?