some data does not go through mitm on android 4.4.4 (TLS handshake failed) ? #6854

Open
kolet opened this issue May 17, 2024 · 6 comments
Labels
kind/triage Unclassified issues

Comments


kolet commented May 17, 2024

Problem Description


Some of the data of an app goes through mitm, and some does not.
There is an application that I am investigating right now; for it to work it needs internet, to query data.
For example, when updating the application or when going into a browser I see all the data that is going through (some of the data is via websocket).

However, querying the data in the application, which basically fetches the data from the server, is not seen by MITM.

Steps to reproduce the behavior:

Installed a root CA on a custom old Android 4.4.4 on a Rockchip board. I don't have root on it because it is a highly customized Android; if I attempt to root the device, the device will be permanently disabled by the provider (the device costs around 800$).

The way I installed the root certificate is to dump the whole eMMC memory, mount the system partition, add the root CA into the folder, unmount and reflash the eMMC system partition.

To install the cert I followed the guide on the website
https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android/

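```
# Name the CA file after its old-style subject hash, as Android's system store expects
hashed_name=$(openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.cer | head -1) && cp mitmproxy-ca-cert.cer "$hashed_name.0"
```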

It worked well because I am able to see HTTPS data from the browser and some apps on the device.
However, this particular request is not showing on mitm.

System Information

Running on the latest, mitmproxy-10.3.0-linux-x86_64

@kolet kolet added the kind/triage Unclassified issues label May 17, 2024
Author

kolet commented May 18, 2024

A lil update: I've seen that when I query the data, there is a log on the terminal saying

Client TLS handshake failed. Client and mitmproxy cannot agree on a TLS version to use. You may need to adjust mitmproxy's tls_version_client_min option.

I re-ran mitm with `./mitmweb --set tls_version_client_min=SSL3`.
I also set the min version for the server side to SSL3 via the option in the web.

I also set everything to unbounded; same thing happened. I also tried to force it by setting everything to TLS1.2;
same thing happened.

And I received the same error when querying the info.

I checked via Wireshark, and the handshake is done on TLS1.2.


I also tried to edit ciphers_client to TLS1.2 TLS1.1 SSL3, and received this error every time:

```
[17:17:53.704] Addon error: SSL cipher specification error: [('SSL routines', '', 'no cipher match')]
Traceback (most recent call last):
  File "mitmproxy/net/tls.py", line 127, in _create_ssl_context
  File "OpenSSL/SSL.py", line 1338, in set_cipher_list
  File "OpenSSL/_util.py", line 71, in openssl_assert
  File "OpenSSL/_util.py", line 57, in exception_from_error_queue
OpenSSL.SSL.Error: [('SSL routines', '', 'no cipher match')]

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "mitmproxy/addons/tlsconfig.py", line 286, in tls_start_server
  File "mitmproxy/net/tls.py", line 152, in create_proxy_server_context
  File "mitmproxy/net/tls.py", line 129, in _create_ssl_context
RuntimeError: SSL cipher specification error: [('SSL routines', '', 'no cipher match')]
[17:17:53.711][10.0.0.191:45632] No TLS context was provided, failing connection.
[17:17:53.714][10.0.0.191:45632] Server TLS handshake failed. connection closed
[17:17:53.716][10.0.0.191:45632] Unable to establish TLS connection with server (connection closed). Trying to establish TLS with client anyway. If you plan to redirect requests away from this server, consider setting connection_strategy to lazy to suppress early connections.
```


I even tried to match ciphers_client to what I saw in Wireshark, forcing TLS1.2:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Then I tried ciphers_client and ciphers_server, then ciphers_server alone; same thing happened on all occasions.


I still got

Client TLS handshake failed. Client and mitmproxy cannot agree on a TLS version to use. You may need to adjust mitmproxy's tls_version_client_min option.
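
Added example (not part of the original comment and not mitmproxy's code): the traceback above ends in OpenSSL's `set_cipher_list`, which takes an OpenSSL cipher string rather than protocol labels. This sketch uses Python's standard `ssl` module to check what a cipher string selects and to look up the OpenSSL name for a suite code point as Wireshark displays it. It assumes the OpenSSL linked into the local Python parses cipher strings like the one bundled with mitmproxy; the function names are hypothetical, and `0xC02F` is the IANA code point for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

```python
import ssl


def selected_suites(cipher_string):
    """Return the TLS <= 1.2 suites an OpenSSL cipher string selects, or None
    when OpenSSL rejects it (pyOpenSSL reports that case as 'no cipher match')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    # TLS 1.3 suites are configured separately and are always listed; skip them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def openssl_name(code_point):
    """Map a two-byte IANA suite code point to this build's OpenSSL name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")  # list everything the build knows, not only defaults
    for c in ctx.get_ciphers():
        # The low 16 bits of OpenSSL's cipher id are the on-the-wire code point.
        if c["id"] & 0xFFFF == code_point:
            return c["name"]
    return None


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    # Value tried in the comment above: protocol labels are not cipher keywords.
    print("TLS1.2 TLS1.1 SSL3 ->", selected_suites("TLS1.2 TLS1.1 SSL3"))
    # Suite seen in Wireshark, looked up by code point.
    name = openssl_name(0xC02F)
    print("0xC02F ->", name)
    if name is not None:
        print(name, "->", selected_suites(name))
```

If `openssl_name` returns `None` for a suite the client offers, the local OpenSSL build does not provide that suite at all, and no cipher string will enable it.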

@kolet kolet changed the title some data does not go through mitm on android 4.4.4 some data does not go through mitm on android 4.4.4 TLS handshake failed ? May 18, 2024
@kolet kolet changed the title some data does not go through mitm on android 4.4.4 TLS handshake failed ? some data does not go through mitm on android 4.4.4 (TLS handshake failed) ? May 18, 2024
Author

kolet commented May 18, 2024

I wonder to myself, is it possible to view the encrypted info in Wireshark?
Or since it wasn't able to negotiate a handshake via mitmproxy, won't it be possible to view the data?

Member

mhils commented May 18, 2024

Have you tried an older mitmproxy version? Depending on which OpenSSL version is pulled in, it may not have support for TLS 1.1 compiled in anymore.

Author

kolet commented May 18, 2024

> Have you tried an older mitmproxy version? Depending on which OpenSSL version is pulled in, it may not have support for TLS 1.1 compiled in anymore.

I have not; which version should I try?

Do I need to reset the certificate as well, or can I keep the one that was created by the latest version?

thanks !

Author

kolet commented May 18, 2024

So I tried v10, v9, v8, v7,

and in v7 I got a different error:

10.0.0.191:49401: Client TLS handshake failed. The client may not trust the proxy's certificate for xxxx...com (OpenSSL Error([('SSL routines', 'tls_early_post_process_client_hello', 'unsupported protocol')]))

So I changed the TLS version to SSL3 and it worked (yet some of the handshakes are

TLS version: TLSv1
cipher name: ECDHE-RSA-AES128-SHA

and

TLS version: TLSv1.3
cipher name: TLS_AES_256_GCM_SHA384

so not sure about that); anyway, no more errors.

However, there is still data that I don't see; the same data that I query does not show up.

Author

kolet commented May 19, 2024

Thing is, even with sslkeylogfile enabled on mitmproxy and loaded into Wireshark,
this exact handshake and data communication are not clear in Wireshark, and cannot be "decoded as http".

Almost everything else is, and is also showing on mitmproxy in the GUI.

