
Authority Key Identifier not generated for server certificate #2226

Open
natehaze opened this issue Jan 4, 2025 · 5 comments

Labels
bug Something isn't working ✅ Done Ticket is addressed and fixed.

Comments

natehaze commented Jan 4, 2025

Description

I BELIEVE this is a bug, but I am by no means an expert in SSL/TLS. I have always put the Proxyman CA cert into certifi for python and it has worked fine in docker containers. However as of python 3.13, it fails.

I believe this is due to the change in 3.13 to be more strict about ssl.

The create_default_context() API now includes VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT in its default flags.

https://docs.python.org/3/whatsnew/3.13.html

Steps to Reproduce

  1. install python 3.13
  2. pip install httpx
  3. cat ca-proxy-certificate.pem >> $(python -m certifi)
  4. all_proxy=host.docker.internal:9090 python -c "import httpx; httpx.get('https://www.google.com').status_code"

I believe this check I ginned up with gpt is correct and also shows the issue, using openssl to show that the chain doesn't validate:

openssl s_client -proxy host.docker.internal:9090 -connect example.com:443 -showcerts < /dev/null \
  | sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
  | openssl verify -x509_strict -show_chain -CAfile /tmp/debug/ca-proxy-certificate.pem
depth=1 C = US, L = Wilmington, O = Proxyman LLC, CN = "Proxyman CA (17 Dec 2024, nh-m3.local)", OU = https://proxyman.io, ST = Delaware
verify return:1
depth=0 C = US, L = Los Angeles, O = Internet\C2\A0Corporation\C2\A0for\C2\A0Assigned\C2\A0Names\C2\A0and\C2\A0Numbers, CN = www.example.org, ST = California
verify return:1
DONE
C = US, L = Los Angeles, O = Internet\C2\A0Corporation\C2\A0for\C2\A0Assigned\C2\A0Names\C2\A0and\C2\A0Numbers, CN = www.example.org, ST = California
error 85 at 0 depth lookup: Missing Authority Key Identifier
error stdin: verification failed

I also believe this is because the AKI in the server cert generated by proxyman is 0 rather than matching the CA.

            X509v3 Authority Key Identifier:
                0.

Current Behavior

httpx.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1018)

(shows in proxyman as a 'ssh handshake failed')

Expected Behavior

should just be a 200

Environment

The example is python 3.13 in docker of course. Any linux python should be the same. Mac python may be somehow magical with the mac keystore, I don't know.

natehaze added the bug (Something isn't working) label Jan 4, 2025

@NghiaTranUIT (Member) commented
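The following is an added example, not code from this issue or from the Proxyman project. It uses the `cryptography` package (assumed installed) to build a throwaway test CA and two leaf certificates, one without an Authority Key Identifier (the situation the strict verifier rejected above) and one whose AKI keyIdentifier equals the CA's Subject Key Identifier, and then applies the check a strict verifier performs: the leaf must carry an AKI, it must contain a keyIdentifier, and that value must equal the issuer's SKI (RFC 5280 section 4.2.1.1). The subject names and the `check_pem` helper are constructed for the example; `check_pem` can be pointed at a server certificate and a CA PEM read from disk to confirm the relationship before adding a proxy CA to a trust store.

```python
# Added example (not from the issue or the Proxyman project). Assumes the
# `cryptography` package is installed. Builds a constructed test CA plus two
# leaves and checks the leaf AKI against the issuer SKI.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca():
    """Self-signed test CA (constructed for this example) carrying an SKI extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=1))
        .not_valid_after(_now() + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_leaf(ca_key, ca_cert, with_aki):
    """Server certificate for www.example.org signed by the CA.
    The AKI extension is added only when with_aki is True, so with_aki=False
    reproduces a leaf that a strict verifier rejects."""
    key = ec.generate_private_key(ec.SECP256R1())
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.org")]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=1))
        .not_valid_after(_now() + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName("www.example.org")]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    )
    if with_aki:
        # AKI keyIdentifier is copied from the issuer's SKI, which is what
        # lets a verifier locate the right issuer certificate.
        ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        builder = builder.add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski), critical=False
        )
    return builder.sign(ca_key, hashes.SHA256())


def check_aki(leaf, issuer):
    """Return (ok, reason). ok is True only when the leaf has an AKI whose
    keyIdentifier equals the issuer's SKI."""
    try:
        aki = leaf.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    except x509.ExtensionNotFound:
        return False, "Missing Authority Key Identifier"
    if aki.key_identifier is None:
        return False, "Authority Key Identifier present but has no keyIdentifier"
    try:
        ski = issuer.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    except x509.ExtensionNotFound:
        return False, "Issuer has no Subject Key Identifier to compare against"
    if aki.key_identifier != ski.digest:
        return False, "AKI keyIdentifier does not match issuer SKI"
    return True, "AKI matches issuer SKI"


def pem(cert):
    """PEM-encode a certificate (used to exercise check_pem on PEM input)."""
    return cert.public_bytes(serialization.Encoding.PEM)


def check_pem(leaf_pem, issuer_pem):
    """Same check on PEM bytes, e.g. a captured server cert and the proxy CA file."""
    return check_aki(x509.load_pem_x509_certificate(leaf_pem),
                     x509.load_pem_x509_certificate(issuer_pem))


def demo():
    """Build one CA, a leaf without AKI and a leaf with AKI; return both verdicts."""
    ca_key, ca_cert = make_ca()
    bad = make_leaf(ca_key, ca_cert, with_aki=False)
    good = make_leaf(ca_key, ca_cert, with_aki=True)
    return check_aki(bad, ca_cert), check_aki(good, ca_cert)


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK  " if ok else "FAIL", reason)
```

Running the block prints one FAIL line for the leaf without AKI and one OK line for the corrected leaf. The same `check_pem` call also flags a leaf whose AKI points at a different CA's SKI, which is the case to look for when several proxy or test CAs with similar subject names are present in one trust store.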

@natehaze Thanks for the bug report.

Can you try the Automatic Setup to intercept from Python?

Basically, Automatic Setup automatically overrides the Python env to make it trust the Proxyman certificate. It might fix the bug.

@NghiaTranUIT (Member) commented

@natehaze let's try this Beta build: https://download.proxyman.io/beta/Proxyman_5.12.2_Add_Authority_id_key_to_the_cert.dmg

Server Certificate now includes the Authority Key Identifier, which is the same as the Issuer's Subject Key Identifier 👍

natehaze commented Jan 5, 2025

It works!

  • Putting the CA into the certifi CA and going through the proxy with httpx now passes without error.
  • Also, the openssl verify I noted above passes.

Previously, I also did quickly test the script in a virtual env on mac before THIS build (Proxyman_5.12.2_Add_Authority_id_key_to_the_cert.dmg) and that had the same AKI issue that I reported:

pip install httpx
cat ~/.proxyman/proxyman-ca.pem >> $(python -m certifi)
source ~/.proxyman/proxyman_env_automatic_setup.sh
all_proxy=localhost:9090 python -c "import httpx; httpx.get('https://www.google.com').status_code"

natehaze commented Jan 5, 2025

Also, I'm really enjoying using Proxyman as my proxy. Whenever I'm developing, I proxy everything out of Docker containers (including TLS, without code modifications) to make sure I know what is really going on. This fix lets me continue doing that simply.

@NghiaTranUIT (Member) commented

Awesome, glad to know it's useful for you 🙌
