mitmproxy ios certificate about mitmproxy HOT 17 CLOSED

Hey Yannik,

That's odd - we definitely generate these certs with a far-future expiry date. I've just generated and regenerated using mitmproxy, and it works for me.

What version of OpenSSL are you using? Which platform are you on? Is there anything else odd about your configuration? Are you using a checkout from trunk?

Cheers,

Aldo

from mitmproxy.

Hey,

Platform: Debian GNU/Linux 6.01
OpenSSL: OpenSSL 0.9.8o 01 Jun 2010
Python: Python 2.6.6

Nothing odd about it, it's just a clean install of debian ;-)

I just used this release: http://mitmproxy.org/download/mitmproxy-0.4.tar.gz

My iOS version is 4.3.3

-----Ursprüngliche Nachricht-----
Von: cortesi [mailto:[email protected]]
Gesendet: Dienstag, 24. Mai 2011 05:00
An: [email protected]
Betreff: Re: [mitmproxy] mitmproxy ios certificate (#1)

Hey Yannik,

That's odd - we definitely generate these certs with a far-future expiry date. I've just generated and regenerated using mitmproxy, and it works for me.

What version of OpenSSL are you using? Which platform are you on? Is there anything else odd about your configuration? Are you using a checkout from trunk?

Cheers,

Aldo

Reply to this email directly or view it on GitHub:
cortesi#1 (comment)

from mitmproxy.

Yannik,

Could you please try this with a current checkout of the code? I'm totally unable to reproduce this - I even went so far as to do a Debian install to see if it acts differently!

Aldo

from mitmproxy.

Hi,

i installed it all over again, but the 'Valid until' date is still in 1902 :(

-----Ursprüngliche Nachricht-----
Von: cortesi [mailto:[email protected]]
Gesendet: Samstag, 11. Juni 2011 05:29
An: [email protected]
Betreff: Re: [mitmproxy] mitmproxy ios certificate (#1)

Yannik,

Could you please try this with a current checkout of the code? I'm totally unable to reproduce this - I even went so far as to do a Debian install to see if it acts differently!

Aldo

Reply to this email directly or view it on GitHub:
cortesi#1 (comment)

from mitmproxy.

It is valid from 19.06.2011 (today) until 28.09.1902.

Any ideas?

-----Ursprüngliche Nachricht-----
Von: cortesi [mailto:[email protected]]
Gesendet: Samstag, 11. Juni 2011 05:29
An: [email protected]
Betreff: Re: [mitmproxy] mitmproxy ios certificate (#1)

Yannik,

Could you please try this with a current checkout of the code? I'm totally unable to reproduce this - I even went so far as to do a Debian install to see if it acts differently!

Aldo

Reply to this email directly or view it on GitHub:
cortesi#1 (comment)

from mitmproxy.

Content of the certificate:

-----BEGIN CERTIFICATE-----
MIICfzCCAeigAwIBAgIJAOZ2xv4/Jg3/MA0GCSqGSIb3DQEBBQUAMCgxEjAQBgNV
BAoTCW1pdG1wcm94eTESMBAGA1UEAxMJbWl0bXByb3h5MCAXDTExMDYxOTE2Mjgy
MFoYDzE5MDIwOTI4MTAwMDA0WjAoMRIwEAYDVQQKEwltaXRtcHJveHkxEjAQBgNV
BAMTCW1pdG1wcm94eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyNMkgJN5
aeAXjCBcOB1D6qqiRqC4Vk2y10mZxfg8MEou43HPx/evc4hxRTDAG/sSaUki1aie
wNcWxCzBn7B2a3kUWG9tV5jb3eAxIenPJdRzWQpdkSGNnD01jFSubzywgF0cZIN7
EsclX6xDsS/v90opPikJ3ZUiJg3kVe4J2l0CAwEAAaOBrjCBqzAPBgNVHRMBAf8E
BTADAQH/MAsGA1UdDwQEAwIBBjB4BgNVHSUEcTBvBggrBgEFBQcDAQYIKwYBBQUH
AwIGCCsGAQUFBwMEBggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYK
KwYBBAGCNwoDAQYKKwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBMBEG
CWCGSAGG+EIBAQQEAwICBDANBgkqhkiG9w0BAQUFAAOBgQClfjV1lNjPLmL5gkLC
y7Sep780aSq1Sn2OIFNg7mgvXd1I5seppz4tykCBPckES9KA8tAMiBDd/0BVAS9U
StchZYzO6HK3ugCIo38d7qF2XAmABB1lukomiAV3Bw6nUD9d+HsEAWBg7JJJoMs0
ZeqQP4tkXIyHmyhpbigAiyZAtA==
-----END CERTIFICATE-----

from mitmproxy.

Hmm... Do you see the same notAfter date on the CA cert? If you do, I might send you some commands to manually generate a cert in the same way mitmproxy does, so we can try to get to the bottom of this. Thanks for helping me track this down!

from mitmproxy.

Yeah, the mitmproxy-ca.pem & mitmproxy-ca-cert.pem valid until date is completely the same.

from mitmproxy.

I do believe we've hit a 2038 overflow bug in your version of OpenSSL here.
Could you try an experiment for me? In utils.py, change all the occurances
of 9999 to something lower, say, 100, and see if that fixes things. If so,
we've hit an interesting overflow problem...

On Tue, Jun 21, 2011 at 3:49 AM, Yannik <
[email protected]>wrote:

Yeah, the mitmproxy-ca.pem & mitmproxy-ca-cert.pem valid until date is
completely the same.

Reply to this email directly or view it on GitHub:
cortesi#1 (comment)

Aldo Cortesi
www.nullcube.com
+64 210 718 900

from mitmproxy.

Nope, this did not change anything.

New utils.py: http://pastebin.com/A7DcCZSp

from mitmproxy.

@cortesi - thanks, I'm new to the product using cygwin on windows 7, openssl 0.9.8r. Initially only mitmproxy-ca.pem was created with an expired 1902 date. Tried running openssl by hand with 9999 and sure enough the new certificates have also expired! Assuming that the bug is in openssl 0.9.8r??

Following your advice, changed each 9999 to 365 in utils.py, ran setup.py clean, setup.py install, deleted contents of ~/.mitm-proxy then reran mitmproxy. This time mitmproxy-ca-cert.p12, mitmproxy-ca-cert.pem, mitmproxy-ca.pem were created each with valid expiry dates. I'm happy!

from mitmproxy.

Mark - that's good to hear. I'll drop the default certificate expiry time to something like 3 years to try to avoid this OpenSSL bug.

Yannik - could you please re-try Mark's method and see if you still have the problem? Remember to clear the ~/.mitmproxy directory and then restart to re-create the certificates.

from mitmproxy.

Okay, I will try it again. I will inform you about the result later.

from mitmproxy.

Yep, that fixed it! I had to edit it before using setup.py. Thanks alot! Great project :-)

from mitmproxy.

Hey chaps,

Just committed a change that drops the cert expiry date to 3 years. I'm re-opening this issue because I'd like to double-check that this doesn't trigger the OpenSSL bug. Could one of you please check for me?

Thanks a lot,

Aldo

from mitmproxy.

Yep, works like a charm :-)

from mitmproxy.

Thanks, Yannik.

from mitmproxy.