TLS 1.2
Charles Proxy 3.9 uses Bouncy Castle 1.4 for SSL/TLS, but TLS 1.2 is not yet supported in bcprov’s latest release (1.51), which is why I got

```
SSL: Received fatal alert: protocol_version
```

on some sites.
I tried to upgrade bcprov.jar, but it threw incompatibility exceptions.
To check if an HTTPS site uses TLSv1.2:

```
openssl s_client
```

Examples:

```
# openssl s_client -connect cascade-quest-prod.parseapp.com:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance CA-3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Parse, Inc./CN=*.parseapp.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 0438BBB986DA6C3B387E7BC55D96C9F7BBDD8382A33B43F262BF45AC48DD241D
    Session-ID-ctx:
    Master-Key: A191572EBEE63D0CA8AFF393EDEC1EC2CA42A1C19B3C34A22BCF20EA91A0D06A9839D901563A706FCF3F8AD93FE58805
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
...
```

```
# openssl s_client -connect buy.itunes.apple.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/businessCategory=Private Organization/serialNumber=C0806592/C=US/postalCode=95014/ST=California/L=Cupertino/street=1 Infinite Loop/O=Apple Inc./OU=ISG Delivery Ops/CN=buy.itunes.apple.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
...
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: B3F8F0396FDAF2BC30B689233AD0B56A3DD1F1ABFA9AA70142BD7414915D09EE
    Session-ID-ctx:
    Master-Key: 1DB8183C927A8E3483432CA073D6E722F782D222748F7E9F5CDD069A7BFCCA27A534C2BF4D22F56F240A1EAE80B5A665
    Key-Arg   : None
...
```

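The check in the two runs above can be scripted. The following is an added example, not part of the original post: it reads `openssl s_client` output and reports the negotiated protocol and cipher. The function names, the level labels (`modern`, `legacy`, `broken`) and the sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): read `openssl s_client` output
# on stdin and report the negotiated protocol and cipher.

# Print "<protocol> <cipher>" from the SSL-Session block; exit 1 if absent.
tls_summary() {
    awk -F': *' '
        /^[ \t]*Protocol[ \t]*:/ { sub(/[ \t\r]+$/, "", $2); proto = $2 }
        /^[ \t]*Cipher[ \t]*:/   { sub(/[ \t\r]+$/, "", $2); cipher = $2 }
        END { if (proto == "") exit 1; print proto, cipher }
    '
}

# Append a protocol level and a cipher verdict to a tls_summary line.
tls_verdict() {
    read -r proto cipher || return 2
    case "$proto" in
        TLSv1.2|TLSv1.3) level=modern ;;
        TLSv1|TLSv1.1)   level=legacy ;;
        SSLv2|SSLv3)     level=broken ;;
        *)               level=unknown ;;
    esac
    case "$cipher" in
        *RC4*|*MD5*|*DES*|*NULL*|*EXP*) strength=weak-cipher ;;
        *)                              strength=ok-cipher ;;
    esac
    echo "$proto $cipher $level $strength"
}

# Constructed samples, trimmed to the lines the parser reads.
sample_tls12() {
    printf '%s\n' 'CONNECTED(00000003)' 'SSL-Session:' \
        '    Protocol  : TLSv1.2' '    Cipher    : ECDHE-RSA-AES256-SHA'
}
sample_tls10() {
    printf '%s\n' 'CONNECTED(00000003)' 'SSL-Session:' \
        '    Protocol  : TLSv1' '    Cipher    : RC4-MD5'
}

for s in sample_tls12 sample_tls10; do
    "$s" | tls_summary | tls_verdict
done
# Live use (needs network access):
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null | tls_summary | tls_verdict
```

The result is what this client and the server negotiated, so an OpenSSL build without TLS 1.2 support will never report `TLSv1.2`, whatever the server offers.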
Hijack Cascade
For the sites I want to hijack, like cascade-quest-prod.parseapp.com, I chose to set up an nginx proxy and sign my own certificates.
BigFish’s Cascade is a boring match-3 game. Its save file is neither plain text nor a known database file, but the game offers a chance to win one prize every day.
The API on https://cascade-quest-prod.parseapp.com requires an Internet connection, and Charles Proxy is the best choice for analyzing it.
But as I said above, the protocol_version error occurs.
The idea for solving the problem is to set up a proxy using nginx, as I mentioned above.
So I created a CA, installed the certs on my iPhone, then signed a cert for *.parseapp.com, and got an nginx server done.
An empty nginx server would be enough to see the request URLs. For more, like HTTP headers, I wrote a simple PHP script that logs requests.
To keep the app working, I added a reverse proxy to port 80 (I tested it).
nginx conf

```nginx
server {
    listen 443;
    server_name parseapp.com *.parseapp.com;

    root /var/www/proxy;
    index index.html index.htm;

    access_log /var/log/nginx/parse-access.log;
    error_log /var/log/nginx/parse-error.log warn;

    ssl on;
    ssl_certificate /etc/nginx/certs/parseapp.crt;
    ssl_certificate_key /etc/nginx/certs/parseapp.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    location / {
        rewrite ^/gifting/wheel$ /proxy.php;
        proxy_pass http://54.85.210.248:80;
        proxy_set_header host $http_host;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}
```

proxy.php

```php
<?php
$method = $_SERVER['REQUEST_METHOD'];
$uri = $_SERVER['REQUEST_URI'];
$protocol = $_SERVER['SERVER_PROTOCOL'];
$content = file_get_contents('php://input');
$headers = '';

// getallheaders() is not available under every SAPI;
// fall back to rebuilding the headers from the HTTP_* entries in $_SERVER.
if (!function_exists('getallheaders')) {
    function getallheaders() {
        $headers = array();
        foreach($_SERVER as $key => $value) {
            if (substr($key, 0, 5) <> 'HTTP_') {
                continue;
            }
            $header = str_replace(' ', '-', ucwords(str_replace('_', ' ', strtolower(substr($key, 5)))));
            $headers[$header] = $value;
        }
        return $headers;
    }
}

#$h = apache_request_headers();
$h = getallheaders();
foreach ($h as $k=>$v) {
    $headers .= "{$k}: {$v}\n";
}

// Append the request line, headers and body to the log.
file_put_contents('/tmp/proxy.log', "$method $uri $protocol\n$headers\n\n$content\n\n==\n", FILE_APPEND);

// Answer the wheel endpoint locally instead of forwarding it upstream.
if ($uri == '/gifting/wheel') {
    header('Content-Type: application/json');
    if ($method == 'GET')
        echo '{"isWheelAvailable":true}';
    elseif ($method == 'POST')  // comparison, not assignment
        echo '{"giftAccepted":true}';
    exit;
}
```

DNSMASQ

```
address=/cascade-quest-prod.parseapp.com/106.186.27.96
```