
CA mode does not work with iOS #14

Open
ju916 opened this issue Jan 27, 2012 · 6 comments

Comments

@ju916

ju916 commented Jan 27, 2012

We have a test environment with sslsniff in CA mode, that works fine with Firefox on Linux/Windows.
When we try to use it with iOS we don't get a connection to the server. Safari simply complains that it cannot make a secure connection to the server. Targeted mode seems to work though.

I am willing to provide more details but I have not yet found a way to get any meaningful output from Safari.

@droe

droe commented Jan 28, 2012

FWIW, this incompatibility, plus the fact that he prefers python to C++, seems to be the reason why Hubert wrote iSniff. In his 28C3 lightning talk about iSniff, at 2:17, he mentions what he thinks is the technical reason for the incompatibility.

https://github.com/hubert3/iSniff
https://www.youtube.com/watch?v=fqB7MwwxkOk
http://www.ruxcon.org.au/assets/Presentations/Ruxmon/iPwnyouriPhone2.pptx

@ju916

ju916 commented Jan 31, 2012

Fix extracted from the above:

certificate/AuthorityCertificateManager.cpp:

    -X509_set_version(request, 3);
    +X509_set_version(request, 1);
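Review bot: X509_set_version() takes a zero-based version number, as pointed out later in this thread, so the replacement line `+X509_set_version(request, 1);` produces a v2 certificate rather than v1; pass 0 for a v1 certificate, or 2 for v3 if the required v3 extensions are added as well.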

seems to work for us, no side effects yet.

@droe

droe commented Jan 31, 2012

My guess is that the missing X509v3 extensions are the problem.
One way to fix it is to mark the certificate as v1 (your workaround),
the other way would be to add the required v3 extensions.

@droe

droe commented Jan 31, 2012

Can you try this patch?

droe/sslsniff@5b66f8c

If it works for you, I'll submit a pull request.

@ju916

ju916 commented Feb 1, 2012

Not in the office today. Will try it tomorrow.

bye, ju

On 31.01.2012 at 19:20, Daniel Roethlisberger [email protected] wrote:

Can you try this patch?

droe/sslsniff@5b66f8c

If it works for you, I'll submit a pull request.



@droe

droe commented Feb 1, 2012

D'oh, sslsniff has been generating version 4 certificates:

$ openssl x509 -in test.crt -text
Certificate:
    Data:
        Version: 4 (0x3)
        Serial Number: ... (...)
        Signature Algorithm: sha1WithRSAEncryption
        ...

The version passed to X509_set_version() is zero-based, that is, an argument of 3 corresponds to X509v4. Not what we want.

The fix: droe/sslsniff@1b64bc6

The full changeset which adds a standard set of v3 extensions including the server cert's subjectAltName:
droe/sslsniff@master...topic/x509v3ext

Feedback welcome.
