abhinavsingh / proxy.py

💫 Ngrok FRP Alternative • ⚡ Fast • 🪶 Lightweight • 0️⃣ Dependency • 🔌 Pluggable • 😈 TLS interception • 🔒 DNS-over-HTTPS • 🔥 Poor Man's VPN • ⏪ Reverse & ⏩ Forward • 👮🏿 "Proxy Server" framework • 🌐 "Web Server" framework • ➵ ➶ ➷ ➠ "PubSub" framework • 👷 "Work" acceptor & executor framework

Home Page: https://abhinavsingh.com/proxy-py-a-lightweight-single-file-http-proxy-server-in-python/

Intercept not working - key values mismatch

TwoUnderscorez opened this issue · comments

commented

Check FAQs
Please check Frequently Asked Questions before opening a bug report. - Checked, not working.

Describe the bug
Getting SSL key values mismatch.

To Reproduce
Steps to reproduce the behavior:

  1. Follow instructions here.
  2. Run proxy with: python -m proxy --ca-key-file ca-key.pem --ca-cert-file ca-cert.pem --hostname 192.168.50.118 --ca-signing-key-file ca-signing-key.pem
     and get error:

     2024-04-07 18:30:50,533 - pid:151988 [I] plugins.load:85 - Loaded plugin proxy.http.proxy.HttpProxyPlugin
     2024-04-07 18:30:50,534 - pid:151988 [I] tcp.listen:80 - Listening on 192.168.50.118:8899
     2024-04-07 18:30:50,576 - pid:151988 [I] pool.setup:105 - Started 12 acceptors in threadless (local) mode
     2024-04-07 18:31:06,461 - pid:151999 [E] server.wrap_client:833 - OSError when wrapping client for upstream: incoming.telemetry.mozilla.org
     Traceback (most recent call last):
       File "/home/ronyu/wslsource/proxy/proxy/http/proxy/server.py", line 800, in wrap_client
         self.client.wrap(self.flags.ca_signing_key_file, generated_cert)
       File "/home/ronyu/wslsource/proxy/proxy/core/connection/client.py", line 45, in wrap
         self._conn = ssl.wrap_socket(
       File "/usr/lib/python3.10/ssl.py", line 1468, in wrap_socket
         context.load_cert_chain(certfile, keyfile)
     ssl.SSLError: [X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3921)

  3. Try with known good certificates from burpsuite like so: python -m proxy --ca-key-file burp_key.pem --ca-cert-file burp_cacert.pem --hostname 192.168.50.118 --ca-signing-key-file burp_key.pem

     2024-04-07 18:33:18,674 - pid:153144 [I] plugins.load:85 - Loaded plugin proxy.http.proxy.HttpProxyPlugin
     2024-04-07 18:33:18,675 - pid:153144 [I] tcp.listen:80 - Listening on 192.168.50.118:8899
     2024-04-07 18:33:18,720 - pid:153144 [I] pool.setup:105 - Started 12 acceptors in threadless (local) mode
     2024-04-07 18:33:23,820 - pid:153154 [I] server.access_log:384 - 192.168.50.86:62540 - GET detectportal.firefox.com:80/canonical.html - None None - 0 bytes - 5064.24ms
     2024-04-07 18:33:33,067 - pid:153152 [E] server.wrap_client:833 - OSError when wrapping client for upstream: www.googleapis.com
     Traceback (most recent call last):
       File "/home/ronyu/wslsource/proxy/proxy/http/proxy/server.py", line 800, in wrap_client
         self.client.wrap(self.flags.ca_signing_key_file, generated_cert)
       File "/home/ronyu/wslsource/proxy/proxy/core/connection/client.py", line 45, in wrap
         self._conn = ssl.wrap_socket(
       File "/usr/lib/python3.10/ssl.py", line 1468, in wrap_socket
         context.load_cert_chain(certfile, keyfile)
     ssl.SSLError: [X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3921)

Expected behavior
No crash.

Version information

  • OS: WSL2 on Windows 11
  • Browser: Firefox / Edge
  • Device: Surface Pro 7+
  • proxy.py Version 2.4.3

Additional context
I'm running from source after git checkout v2.4.3 in an attempt to develop a plugin.
The keys do in fact match:

((venv) ) ronyu@RONYU:~/wslsource/proxy$ openssl rsa -modulus -in ca-key.pem -noout | openssl md5
MD5(stdin)= 1b05c47e836aed3bc24a91f1c2d35bf0
((venv) ) ronyu@RONYU:~/wslsource/proxy$ openssl x509 -modulus -in ca-cert.pem -noout | openssl md5
MD5(stdin)= 1b05c47e836aed3bc24a91f1c2d35bf0
((venv) ) ronyu@RONYU:~/wslsource/proxy$ openssl rsa -modulus -in burp_key.pem -noout | openssl md5
MD5(stdin)= ced1020484d9025eecfa21d9809f4b64
((venv) ) ronyu@RONYU:~/wslsource/proxy$ openssl x509 -modulus -in burp_cacert.pem -noout | openssl md5
MD5(stdin)= ced1020484d9025eecfa21d9809f4b64

I am not sure what the signing key is for.

((venv) ) ronyu@RONYU:~/wslsource/proxy$ openssl rsa -modulus -in ca-signing-key.pem -noout | openssl md5
MD5(stdin)= a687f5e25cc71615b94225156efb74cb

Thanks!

commented

Had to rm -rf ~/.proxy.

> Had to rm -rf ~/.proxy.

Makes sense: certificates are cached under the proxy.py data directory, which defaults to ~/.proxy.

PS: I forgot to post this comment last night; however, now it doesn't matter. Glad that you figured it out :)

I followed the instructions here https://github.com/abhinavsingh/proxy.py?tab=readme-ov-file#tls-interception and tried URLs from your logs. Unsure why I am unable to reproduce this issue at my end.

$ curl -v -x localhost:8899 --cacert ca-cert.pem http://incoming.telemetry.mozilla.org/
*   Trying 127.0.0.1:8899...
* Connected to localhost (127.0.0.1) port 8899 (#0)
> GET http://incoming.telemetry.mozilla.org/ HTTP/1.1
> Host: incoming.telemetry.mozilla.org
> User-Agent: curl/8.1.2
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Server: openresty
< Date: Fri, 12 Apr 2024 16:06:05 GMT
< Content-Type: text/plain
< Content-Length: 0
< Strict-Transport-Security: max-age=31536000
< X-Frame-Options: DENY
< Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS
< Access-Control-Max-Age: 1728000
< Access-Control-Allow-Headers: Accept-Encoding,Connection,Content-Encoding,Content-Length,Content-Type,DNT,Date,Sec-Fetch-Dest,Sec-Fetch-Mode,Sec-Fetch-Site,User-Agent,X-Client-Type,X-Client-Version,X-Debug-ID,X-Forwarded-For,X-Pingsender-Version,X-Pipeline-Proxy,X-Source-Tags,X-Telemetry-Agent
< Via: 1.1 google
< 
* Connection #0 to host localhost left intact

and

$ curl -v -x localhost:8899 --cacert ca-cert.pem http://detectportal.firefox.com/canonical.html
*   Trying 127.0.0.1:8899...
* Connected to localhost (127.0.0.1) port 8899 (#0)
> GET http://detectportal.firefox.com/canonical.html HTTP/1.1
> Host: detectportal.firefox.com
> User-Agent: curl/8.1.2
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Server: nginx
< Content-Length: 90
< Via: 1.1 google
< Date: Thu, 11 Apr 2024 23:10:31 GMT
< Age: 61067
< Content-Type: text/html
< Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
< 
* Connection #0 to host localhost left intact
<meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
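An added check for the cache explanation in this thread, not code from the issue or from proxy.py itself: it runs the same load_cert_chain() call that fails in the traceback against every cached host certificate in the data directory and reports those generated for a different signing key, which is exactly what a stale ~/.proxy produces after the CA and signing key are regenerated. The dot-proxy directory name, the example.test host, the throwaway CA and keys are constructed assumptions; the fixture shells out to the openssl CLI, as proxy.py does when it generates certificates.

```python
import pathlib
import shutil
import ssl
import subprocess
import tempfile

def pair_matches(cert_file: str, key_file: str) -> bool:
    """Same load_cert_chain() call as in the traceback: True if the cert's public key
    belongs to key_file, False on KEY_VALUES_MISMATCH; other SSL errors propagate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
        return True
    except ssl.SSLError as exc:
        if exc.reason == "KEY_VALUES_MISMATCH":
            return False
        raise

def stale_cached_certs(cache_dir: str, signing_key_file: str) -> list:
    """Names of cached host certs (<host>.pem under cache_dir, ~/.proxy by default)
    generated for a signing key other than the one now given via --ca-signing-key-file."""
    return sorted(p.name for p in pathlib.Path(cache_dir).glob("*.pem")
                  if not pair_matches(str(p), signing_key_file))

def openssl_available() -> bool:
    return shutil.which("openssl") is not None

def build_fixture(workdir: str) -> tuple:
    """Constructed test material, made with the openssl CLI as proxy.py does: a throwaway
    CA, a host cert for example.test keyed with signing key A, and an unrelated key B."""
    d = pathlib.Path(workdir)
    cache = d / "dot-proxy"  # stands in for ~/.proxy; only generated host certs live here
    cache.mkdir()
    run = lambda *a: subprocess.run(["openssl", *a], check=True, capture_output=True)
    for name in ("ca-key", "key-a", "key-b"):
        run("genrsa", "-out", str(d / f"{name}.pem"), "2048")
    run("req", "-new", "-x509", "-key", str(d / "ca-key.pem"), "-days", "1",
        "-subj", "/CN=Constructed Test CA", "-out", str(d / "ca-cert.pem"))
    run("req", "-new", "-key", str(d / "key-a.pem"), "-subj", "/CN=example.test",
        "-out", str(d / "host.csr"))
    run("x509", "-req", "-in", str(d / "host.csr"), "-days", "1", "-CAcreateserial",
        "-CA", str(d / "ca-cert.pem"), "-CAkey", str(d / "ca-key.pem"),
        "-out", str(cache / "example.test.pem"))
    return str(cache), str(d / "key-a.pem"), str(d / "key-b.pem")

def demo() -> tuple:
    # (stale certs against the original key A, stale certs against a replacement key B)
    with tempfile.TemporaryDirectory() as tmp:
        cache, key_a, key_b = build_fixture(tmp)
        return stale_cached_certs(cache, key_a), stale_cached_certs(cache, key_b)

if __name__ == "__main__":
    print(demo())  # ([], ['example.test.pem'])
```

Pointing stale_cached_certs() at the real ~/.proxy and the key passed as --ca-signing-key-file lists the cached files that rm -rf ~/.proxy removed, so only those need deleting.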