
Cannot validate certificate hostname without SNI


I get the following error message (example.com replaced with actual website) and can’t figure out why and what to do about it:

<< Cannot establish TLS with webmail.chalmers.se:443 (sni: None): TlsException('Cannot validate certificate hostname without SNI',)

Steps to reproduce the problem:
  1. mitmdump -vw filename
  2. Connect (add as proxy) with android phone and install certificate (using mitmproxy.it)
  3. Connect to some server

Any other comments? What have you tried so far?

It seems to work for some https-sites but not others. Examples that cause the errors are webmail.chalmers.se and m.handelsbanken.se.

System information
Mitmproxy version: 0.18.2
Python version: 3.5.2
Platform: Linux-4.7.2-1-ARCH-x86_64-with-arch
SSL version: OpenSSL 1.0.2h  3 May 2016
Linux distro: arch

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Reactions: 5
  • Comments: 14 (3 by maintainers)

Top GitHub Comments

10 reactions
mhils commented, Dec 12, 2016

Which client are you using? I suspect an old version of Android?

The problem is as follows: When mitmproxy connects upstream, it verifies the certificate the server presents. One part of the verification is to check if the certificate matches the hostname the client is expecting. Modern versions of TLS mandate the client to send a Server Name Indication (SNI) extension during the TLS handshake which names the expected site. However, if your client does not send an SNI extension, there's no way for us to verify the authenticity of the server's certificate as we don't know which site the client is expecting, and we fail the connection in the way you described. You can work around this by disabling certificate verification with mitmproxy --insecure - be warned that you are subject to man-in-the-middle attacks then.

3 reactions
ploxiln commented, Mar 16, 2018

I have another idea to work-around this problem: a reverse-dns table in the mitmproxy config.

So, if there are a couple of IP addresses which I know ahead of time will receive requests for a particular domain name, I could put that in the mitmproxy config, like:

assume_hostname:
    "1.2.3.4": "foo.example.com"
    "5.6.7.7": "bar.test.net"

Then, when mitmproxy intercepts a TLS connection to 1.2.3.4, it uses the hostname foo.example.com to check the certificate, if the client did not include TLS-SNI, and it otherwise does not yet know the hostname.

Just an idea, which would help with my use case at least.
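The two comments above describe one decision: mitmproxy must pick a hostname to check the upstream certificate against, and the only place it learns that name is the client's SNI, so a client that sends none is either rejected or (with --insecure) left unverified; ploxiln's idea adds a configured IP-to-hostname table as a second source. The following is an added example written for this page, not mitmproxy's own code and not code posted in the thread. It models that decision as a small Python function, including the hypothetical assume_hostname table (not a real mitmproxy option) and the --insecure fallback, and pairs it with an RFC 6125-style matcher that checks the chosen name against a certificate's DNS SANs (wildcard allowed only as the whole left-most label). The IP addresses, hostnames and SAN list are constructed sample data.

```python
"""Model of "which hostname do we verify?" for a TLS-intercepting proxy.

Added example, not mitmproxy source. ``assume_hostname`` is the
hypothetical reverse-DNS table proposed in the thread.
"""


class TlsException(Exception):
    """Raised when the upstream certificate cannot be validated."""


def hostname_to_verify(sni, dest_ip, assume_hostname=None, insecure=False):
    """Choose the name to validate the upstream certificate against.

    Order: the client's SNI; else a configured dest_ip -> hostname table
    (hypothetical ``assume_hostname``); else fail, unless verification
    is disabled, in which case None is returned and no check is done.
    """
    if sni:
        return sni
    if assume_hostname and dest_ip in assume_hostname:
        return assume_hostname[dest_ip]
    if insecure:
        # Equivalent of --insecure: connect anyway, attacker can MITM us.
        return None
    raise TlsException("Cannot validate certificate hostname without SNI")


def _match_pattern(pattern, hostname):
    """RFC 6125-style match of one SAN dNSName pattern against a hostname.

    A wildcard is accepted only as the entire left-most label, must not
    span label boundaries, and must leave at least two fixed labels so
    ``*.com`` never matches ``example.com``.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False
        p_labels, h_labels = p_labels[1:], h_labels[1:]
    for p, h in zip(p_labels, h_labels):
        if "*" in p:  # partial wildcards such as f*.example.com are rejected
            return False
        if p != h:
            return False
    return True


def cert_matches_hostname(san_dns_names, hostname):
    """True if any dNSName SAN entry matches the hostname."""
    return any(_match_pattern(p, hostname) for p in san_dns_names)


def verify_upstream(sni, dest_ip, san_dns_names, assume_hostname=None, insecure=False):
    """Run both steps; returns "verified" or "unverified", or raises."""
    name = hostname_to_verify(sni, dest_ip, assume_hostname, insecure)
    if name is None:
        return "unverified"
    if cert_matches_hostname(san_dns_names, name):
        return "verified"
    raise TlsException("Certificate does not match hostname %s" % name)


def outcome(sni, dest_ip, san_dns_names, assume_hostname=None, insecure=False):
    """Same as verify_upstream but reports the failure text instead of raising."""
    try:
        return verify_upstream(sni, dest_ip, san_dns_names, assume_hostname, insecure)
    except TlsException as exc:
        return "error: %s" % exc


# Constructed sample data: the certificate a fictional upstream presents.
SAMPLE_IP = "203.0.113.10"
SAMPLE_SANS = ["webmail.example.com", "*.example.com"]
SAMPLE_TABLE = {SAMPLE_IP: "webmail.example.com"}  # hypothetical assume_hostname

if __name__ == "__main__":
    print(outcome("webmail.example.com", SAMPLE_IP, SAMPLE_SANS))
    print(outcome(None, SAMPLE_IP, SAMPLE_SANS))
    print(outcome(None, SAMPLE_IP, SAMPLE_SANS, assume_hostname=SAMPLE_TABLE))
    print(outcome(None, SAMPLE_IP, SAMPLE_SANS, insecure=True))
```

Run as a script it prints the four outcomes in order: a client that sends SNI is verified; the same connection without SNI fails with the exact message from the issue; the hypothetical table rescues it; --insecure connects but leaves the certificate unchecked. The table approach only helps when the IP really does belong to the expected site, which is why it is a per-IP allowlist and not a general fix.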


Top Results From Across the Web

Cannot validate certificate hostname without SNI - Server Fault
I am trying to understand what's exactly happening? My guess is the certificate must be installed on the first proxy (which is installed...

Cannot validate certificate hostname without SNI
I am using 2 proxies to intercept the communication between my phone and my server. Here is my topology: phone --> proxy 1...

What is SNI? How TLS server name indication works
SNI, or Server Name Indication, is an extension for the TLS protocol to indicate a hostname in the TLS handshake. Learn more about...

Mitmweb.exe works fine, but mitmdump.exe doesn't - mitmproxy
<< Cannot establish TLS with www.google.com:443 (sni: None): TlsException('Cannot validate certificate hostname without SNI',).

Cannot validate certificate hostname without SNI · packet-capture proxy tool
Cannot validate certificate hostname without SNI ... problem. For details see: [Solved] mitmproxy proxy error: Cannot establish TLS with 443 sni None ...
