Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

TlsException("SSL handshake error: SysCallError(-1, \'Unexpected EOF\')",)',)

See original GitHub issue

Hey, I am running mitmproxy in my own python script. I am facing this issue when accessing few websites from Safari. For instance, https://www.pec.it

The complete error provided by the browser is:

502 Bad Gateway
TlsProtocolException('Cannot establish TLS with www.pec.it:443 (sni: www.pec.it): TlsException("SSL handshake error: SysCallError(-1, \'Unexpected EOF\')",)',)

Steps to reproduce the problem:

Visit https://www.pec.it from Safari, with mitmproxy in the middle.

Any other comments? What have you tried so far?

Everything works good using Chrome or Firefox. Apparently, tested websites do not support TLSv1.2. It happens that as soon as the mitmproxy sends the CHELO message, the server sends back a FIN message and interrupts the connection.

System information

Happens on MacOS Sierra Version 10.12.3, Safari Version 10.0.3 (12602.4.8) and mitmproxy (commit 337b1c9399e525a23dc188ef5df1667f109b108e)

$ mitmproxy --version
Mitmproxy version: 2.0.0 (release version)
Python version: 3.5.2
Platform: Darwin-16.4.0-x86_64-i386-64bit
SSL version: OpenSSL 1.0.2j  26 Sep 2016
Mac version: 10.12.3 ('', '', '') x86_64

Thanks,

Stefano

Issue Analytics

State:
Created 7 years ago
Reactions:2
Comments:11 (6 by maintainers)

Top GitHub Comments

6reactions

Shakedcommented, Mar 17, 2018

@mhils - yes for all domains. No corporate proxy

EDIT:

@mhils if there’s any thing I can provide e.g logs/info please let me know. I’d like to figure why this is happening 🙂 Thank you!

EDIT 2:

Adding some more verbose logs using $ mitmdump -v --flow-detail 3. Trying on my own blog:

192.168.15.10:54771: clientconnect
::ffff:192.168.15.10:54771: Set new server address: shakedos.com:443
::ffff:192.168.15.10:54771: serverconnect
  -> ('shakedos.com', 443)
::ffff:192.168.15.10:54771: Establish TLS with server
::ffff:192.168.15.10:54771: ALPN selected by server: -
::ffff:192.168.15.10:54771: Establish TLS with client
::ffff:192.168.15.10:54771: ALPN for client: b'http/1.1'
192.168.15.10:54771: CONNECT shakedos.com:443
    Host: shakedos.com
    User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_1 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) CriOS/64.0.3282.112 Mobile/15C153 Safari/604.1
    Connection: keep-alive
    Proxy-Connection: keep-alive
 << Cannot establish TLS with client (sni: shakedos.com): TlsException("SSL handshake error: SysCallError(-1, 'Unexpected EOF')",)
::ffff:192.168.15.10:54771: serverdisconnect
  -> ('shakedos.com', 443)
192.168.15.10:54771: clientdisconnect
::ffff:192.168.15.10:54755: request
  -> Request(GET www.gstatic.com:80/generate_204)
::ffff:192.168.15.10:54755: response
  -> Response(204 No Content, no content)

Trying on nomadlist.com:

192.168.15.10:54801: clientconnect
::ffff:192.168.15.10:54801: Set new server address: nomadlist.com:443
::ffff:192.168.15.10:54801: serverconnect
  -> ('nomadlist.com', 443)
::ffff:192.168.15.10:54801: Establish TLS with server
::ffff:192.168.15.10:54801: ALPN selected by server: h2
::ffff:192.168.15.10:54801: Establish TLS with client
192.168.15.10:54801: CONNECT nomadlist.com:443
    Host: nomadlist.com
    User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_1 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) CriOS/64.0.3282.112 Mobile/15C153 Safari/604.1
    Connection: keep-alive
    Proxy-Connection: keep-alive
 << Cannot establish TLS with client (sni: nomadlist.com): TlsException("SSL handshake error: Error([('SSL routines', 'ssl_bytes_to_cipher_list', 'inappropriate fallback')],)",)
::ffff:192.168.15.10:54801: serverdisconnect
  -> ('nomadlist.com', 443)
192.168.15.10:54801: clientdisconnect
::ffff:192.168.15.10:54755: request
  -> Request(GET www.gstatic.com:80/generate_204)
::ffff:192.168.15.10:54755: response
  -> Response(204 No Content, no content)

SOLVED!

I figured that I missed the instructions at the bottom of mitm.it and that on iOS 10.2 and above I had to go to general->about->certs and allow mitmproxy’s certificate.

Sorry for bothering.

0reactions

mhilscommented, Feb 25, 2018

@Shaked: For all domains? That shouldn’t be the case. Any corporate proxy?