[Ubuntu] 將 mitmproxy Root CA 憑證加入信任清單

[Ubuntu] 將 mitmproxy Root CA 憑證加入信任清單

之前有寫一篇 [Mac] 將 mitmproxy Root CA 憑證加入信任清單

今天因為想要在 Ubuntu 上,

用 mitmproxy 查看 Hybrid Golang Samples 它送出的 HTTPS 請求,

因此得把 mitmproxy 的 Root CA 憑證也加到 Ubuntu 的信任清單~

 

先在 Ubuntu 上執行 mitmproxy,

然後透過 mitmproxy,用 curl 去連 www.google.com 看看…

如預期的收到了錯誤訊息 self signed certificate in certificate chain,

因為 mitmproxy Root CA 並不被信任:

$ curl -L -v -x http://127.0.0.1:8080 https://www.google.com

*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

 

將 mitmproxy 的 Root CA 憑證複製到 /usr/local/share/ca-certificates 目錄下,

副檔名記得要改成 .crt,不然待會的步驟會失敗:

sudo cp ~/.mitmproxy/mitmproxy-ca-cert.cer /usr/local/share/ca-certificates/mitmproxy-ca-cert.crt

 

執行  sudo update-ca-certificates ,

這會在 /etc/ssl/certs 目錄下製作一個符號連結 (symbolic link) ,

指向 /usr/local/share/ca-certificates 目錄下的 *.crt 檔案。

這裡應該要看到  1 added ,如果沒看到的話,

除非之前已經加過了,不然就是沒有加成功:

$ sudo update-ca-certificates

Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

 

再試一次 curl,這次就可以順利連上 www.google.com 了:

$ curl -L -v -x http://127.0.0.1:8080 https://www.google.com

*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.google.com
*  start date: Jul 20 03:01:24 2022 GMT
*  expire date: Jul 21 03:01:24 2024 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: CN=mitmproxy; O=mitmproxy
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x559765bf2b00)
> GET / HTTP/2
> Host: www.google.com
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< date: Fri, 22 Jul 2022 03:01:25 GMT
......

 

參考資料:

Ubuntu Manpage: update-ca-certificates – update /etc/ssl/certs and ca-certificates.crt

mitmproxy – Certificates

(本頁面已被瀏覽過 592 次)

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。 必填欄位標示為 *

這個網站採用 Akismet 服務減少垃圾留言。進一步了解 Akismet 如何處理網站訪客的留言資料