Capturing SSL netowork dat with charles proxy with iOS - ios

I had set up charles to intercept proxy http traffic and now, trying to intercept https traffic. I am using charles 3.11.2 and device with iOS 9.2. I have installed charles root proxy on the system and also installed on the iOS device. I have enabled ssl interception for all pages with wild card "*". When I go to safari and hit a secure webpage, I get There was a problem communicating with the secure web proxy server(HTTPS).
In my charles window, I get the error, SSL: Unrecognized SSL message, plaintext connection? and notes stating Exhausted available SSL/TLS protocols, trying with everything enabled.
Is there any thing which I am misssing?

Make sure Charles is running with an up-to-date JVM. I had this same issue and the problem was I had JAVA_HOME set to a Java 6 JRE. Updating the environment to use Java 8 fixed the issue.

Refer the answer here: Cannot see iOS simulator traffic with charles proxy
Ensure that ATS is present for debug builds as commented in the shared thread

Related

Getting SSL handshake failed for Charles Proxy certificate on iOS even after granting full trust

I am constantly getting
SSL handshake with client failed - Remote host terminated the
handshake
error in Charles Proxy from iOS 16.1, which should indicate that certificate isn't trusted, but I granted full trust in the iPhone settings.
Here are steps to reproduce:
Download and install Charles Proxy on macOS and enable SSL Proxying. HTTP proxy port is set to 8888
On iPhone, in wifi settings enable manual proxy and enter the computer's IP and port 8888
Then dialog will appear in Charles Proxy on which need to click "Allow"
On iPhone go to chls.pro/ssl in order to download the certificate
In iPhone's settings install a new profile with a certificate.
Then in Settings -> General -> About -> Certificate Trust Settings set the switch for the certificate to on.
I can see requests in Charles Proxy but they all are with SSL handshake error. Also, Safari on iPhone returns the error "This Connection Is Not Private"
Can someone explain what am I doing wrong?
Here is the screenshot from the Certificate Trust Settings.
Finally, I found the problem. In my case, it was an expired certificate. In order to fix it, it is necessary to go to Help -> SSL Proxying -> Reset Charles Root Certificate.... It will generate a new one. Then it is needed to install it and grant trust to it.
I wasn't noticing it because before I was working only with Android and it didn't check if a certificate was expired, unlike iOS.
Because I wasn't been able to find any troubleshooting checklist for similar situations I will mention it here. Hopefully, it will help somebody:
Make sure that Enable SSL Proxying is enabled in Proxy -> SSL Proxying Settings...
Check that the Exclude list doesn't contain the locations that you are trying to record.
Check that Proxy -> Record Settings doesn't have unneeded excludes or includes
Check if your target device is connected to the same wifi point as a computer.
Check if the wifi proxy on the target device is enabled.
Check if the wifi proxy on the target device is working. It is possible to check by entering incorrect proxy IP and trying to access the internet through a browser. If the proxy is working there will be no access to the Internet. (Note: at the time of writing this answer some iPhones with iOS 16 do have not a working proxy. More info here)
Check if the proxy is configured with the correct IP and port
Check if the target device has Charles's certificate installed
Check if the target device trusts Charles's certificate
Check if Charles's certificate isn't expired. If it is, go to Help -> SSL Proxying -> Reset Charles Root Certificate... and reinstall the certificate.
(for Android) Check if the target app has network_security_config.xml referenced in AndroidManifest.xml

Access Development server with self-signed SSL Certificate

My app needs to connect to an internal web server through https.
The server has a self-signed certificate that is valid until next year:
I have installed this certificate in the iOS Simulator and on the device (Certificate.cer):
I am watching the traffic with Charles and the request does not even "leave" my computer.
The problem seems to be due to the SSL Certificate because when I can access the server through the internal url and the port 8080 everything works fine.
I did try the hack with the category allowsAnyHTTPSCertificateForHost:. This did not work in the simulator as well as on the device.
There seems to be official API to do this: How to use NSURLConnection to connect with SSL for an untrusted cert?
However, since this is only my development environment I would prefer not to change my code base for now. Plus I am using a framework to parse my data and I might have to deeply interfere with that framework to get to the API described above.
So my question is, should it not be possible to install the certificate and then use the server as if there was an official SSL certificate.
Email the self-signed certificate to yourself then open it on your iPhone. You will be taken through the steps to install the certificate on your phone.

Random SSL errors in iOS 8.1. (NSURLErrorDomain:-1200)

In iOS 8.1 we are getting random SSL errors.
There is no issue at the sever and it seems like iOS device issue. AWS support has checked the SSL configuration and the certificate in server, but didn't find any issue.
Error message is this - "An SSL error has occurred and a secure connection to the server cannot be made. (NSURLErrorDomain:-1200)". We are using NSURLConnection to make network connections.
Many of our users started getting this error recently and all were in in iOS 8.1. Is this a known bug?
I have exactly the same issue with iOS8.1 user on my website
on the server side, i have this error :
No hostname was provided via SNI for a name based virtual host
it seems that iOS8.1 doesn't support very well SNI.
The workaround is to configure your webserver tp accept client that doesn't support SNI and set the virtualhost and certificate you want "no SNI client" to be show by default for any all SSL virtualhosts
In apache you have to add :
NameVirtualHost *.443 #before the first SSL virtualhost which will have the default certificate.
SSLStrictSNIVHostCheck off # in this default virtualhost.
Sorry for my english (i'm french) and hope it will help

iOS app SSL handshake failed

I am making an app to login to an aspx website over HTTPS by passing login credentials in a post method. When checking the response using Charles Proxy I can see a SSL Handshake failed error from seal.verisign.com, I am then taken back to the login page. I am not sure what I need to do to solve this issue.
I am testing this in the iPhone simulator.
I do not have access to the server implementation.
Any ideas?
Thank you!
On iOS >= 10.3, after installing the Charles Proxy certificate (as per #ashish-verma's excellent answer), you also need to enable it through Settings -> General -> About -> Certificate Trust Settings:
Full setup here: http://www.devsbedevin.net/debugging-ios-ssl-traffic/
If installing the certificate still doesn't help you, then it may be due to SSL Pinning.
From charlesproxy.com:
SSL Pinning
Note that some apps implement SSL certificate pinning which means they specifically validate the root certificate. Because the app is itself verifying the root certificate it will not accept Charles's certificate and will fail the connection. If you have successfully installed the Charles root SSL certificate and can browse SSL websites using SSL Proxying in Safari, but an app fails, then SSL Pinning is probably the issue.
Perhaps testing on an actual device will give more insight?
To do that in Charles:
Goto Proxy: Proxy Settings...
Proxies tab: Enter "8888" in the HTTP Proxy port: field
SSL Tab: make sure the "Enable SSL Proxying" is on
On your dev machine:
Goto System Preferences: Network: Wifi: Advanced: TCP/IP Tab: Make note of the IPV4 Address: (i.e. 10.0.1.101)
On your iDevice:
Goto http://charlesproxy.com/charles.crt from your device and download Charles SSL certificate
Okay the certificate as trusted (be sure to disable or remove it once you're done)
Goto the Settings App: Wifi: Select the detailed disclosure button (round blue button with the white arrow) for your network
Under HTTP Proxy, select "Manual"
Enter in the address from step (dev machine 1.) into the Server field, and the port number from step (charles 2.)
Finally:
Restart Charles
Run Safari on your iDevice to test. This should prompt Charles to display a dialog box to allow or deny SSL proxying. Obviously allow and you should be good to go.
More Info at Charles's site: http://www.charlesproxy.com/documentation/proxying/ssl-proxying/
Also, are you getting a response to the connection:(NSURLConnection*)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge*)challenge method?
You need to install SSL certificate to resolve this issue.
Follow these steps
Open Safari browser on iOS Simulator
Type "www.charlesproxy.com/getssl" in address bar
Install the SSL certificate
Restart Charles Proxy
It is possible that the server doesn't have a valid certificate for the url you are using.
Did you check that?
If you try the url using a browser, does it give you a warning?
You have to install SSL certificate on mobile device.
Search online for how to install SSL certificate for Charles Proxy.
Remove all old user credentials, then Re-Install new ssl certificate.
If running on the simulator, just restart both Charles Proxy and the simulator, making sure Charles Proxy starts first

Fiddler - Capture and decrypt HTTPS traffic from iPad app

I'm trying to monitor the HTTPS requests/responses for my iPad app using Fiddler. I have a Windows 7 PC running Fiddler and have configured the HTTP proxy on my iPad to point to the PC using port 8888. This works fine and the CONNECT tunnel messages and 'ClientHello' handshakes can be seen in the capture log. However as soon as I enable the 'Decrypt HTTPS traffic' option in Fiddler, the app is blocked from connecting to the server. I've tried installing the Fiddler root certificate on the PC, and I also installed the certificate on my iPad by exporting the certificate to a URL and pointing Safari to the URL on my iPad which then installed it. This hasn't made a difference. Do I need to do something with the SSL certificate installed at the server running my web service?
Download the Fiddler Add-on for iOS/Android then visit http://[proxyip]:[port]/ using your phone browser. You can generate/download your working certificate from there.
And
Turn on your fiddler certificate at Your iPhone Setting -> General -> About -> Certificate Trush Settings
You may not have completely installed the Fiddler certificate.
Email the fiddler certificate to your iPad. Open the email and then open the certificate. iOS will prompt you to trust the certificate, and then install it.
If it is installed correctly, you will have a new iOS setting under Settings->General->Profile called DO_NOT_TRUST_Fiddler. That setting is your installed certificate.
Once the certificate is installed - Fiddler will be able to show you your HTTPS traffic.
I try to open https://github.com for testing. And I have done as Josh said(Install the certificate through email). But I came across "Safari cannot open the page because it cannot establish a secure connection to the server". When I close http proxy, https;//github.com shows up well.
Install "CertMaker Add-on" from this article and try again everything you described in your question - it will work okay.

Resources