[GH-ISSUE #1013] SSLStrip / Fake SSL certs for emulated domains #1009

Open
opened 2026-03-03 19:23:44 +03:00 by kerem · 8 comments

Originally created by @lessless on GitHub (Oct 5, 2021).
Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/1013

Originally assigned to: @NghiaTranUIT on GitHub.

Hi,

I know that it's a bit away from the mainline of business, but something that I'd be happy to pay for, so here it is.

I have an app on iOS that talks to a remote server that I can't control and it doesn't work for God knows why.
I'd like to debug what it's doing and write my own client but I can't because it can't connect to the remote host: `handshakeFailed(NIOSSL.BoringSSLError.sslError([]))`.

I can spawn a local HTTP server and start reverse-engineering the API but in order to do that, I need to trick iOS to accept a root cert with which I signed an SSL cert for emulated domain on the localhost.

It'd be great if I could generate an SSL cert for a specific host off the ProxyMan CA cert which is already installed on the iOS (thanks for the handy procedure btw) or if ProxyMan could strip SSL.


@NghiaTranUIT commented on GitHub (Oct 6, 2021):

> handshakeFailed(NIOSSL.BoringSSLError.sslError([])

If you get this error from the iOS app even though you have [installed and trusted](https://docs.proxyman.io/debug-devices/ios-device) the Proxyman Certificate on your iOS device, it seems that the app is using SSL pinning, which prevents Proxyman from intercepting its HTTPS traffic.

You can verify it by trying to intercept https://google.com in Safari on your iOS device. If you can intercept it, you are set up properly. Then try your iOS app: if it doesn't work, it's likely that the app is using SSL pinning.

In this case, there is no way to intercept the app because it always rejects all invalid HTTPS connections.

> I need to trick iOS to accept a root cert with which I signed an SSL cert for emulated domain on the localhost.

I'm not sure why you need to generate an SSL certificate on your own, because Proxyman does that automatically if you follow the [iOS Guideline](https://docs.proxyman.io/debug-devices/ios-device) and set it up properly. Proxyman dynamically generates a leaf certificate from a self-signed Proxyman Root certificate, which you've installed on your device.

> Spawn a local HTTP server and start reverse-engineering

If you would like to capture from your HTTP server, you can follow this diagram:

Your iOS app -> Proxyman -> Proxy to your fake localhost by using the Scripting tool with this [snippet code](https://docs.proxyman.io/scripting/snippet-code#change-request-destination-scheme-host-port-path).

However, you have to make sure that in this step, `Your iOS app -> Proxyman`, Proxyman is able to capture HTTPS traffic without any errors.
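
Why a trusted proxy root does not help once an app pins, as an added example that is not part of the original thread or Proxyman's code: it models the client's trust-store check and its SPKI pin check as two separate decisions. The host name, issuer names and the simplified "leaf" objects are constructed for illustration; only the pin computation uses real key material.

```javascript
const crypto = require("node:crypto");

// SPKI pin: base64(SHA-256(DER SubjectPublicKeyInfo)), the usual public-key pin form.
function spkiPin(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return crypto.createHash("sha256").update(der).digest("base64");
}

// Constructed stand-in for a leaf certificate: host, issuing CA name, fresh public key.
function makeLeaf(host, issuer) {
  const { publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  return { host, issuer, publicKey };
}

// Client decision: chain must lead to a trusted issuer; if the app pins,
// the presented key must also match one of the pins shipped in the app.
function clientAccepts(leaf, trustedIssuers, pins) {
  if (!trustedIssuers.has(leaf.issuer)) return { ok: false, reason: "untrusted issuer" };
  if (pins && !pins.has(spkiPin(leaf.publicKey))) return { ok: false, reason: "pin mismatch" };
  return { ok: true, reason: "accepted" };
}

function runScenario() {
  const host = "api.example.test"; // placeholder host, not from the thread
  const realLeaf = makeLeaf(host, "Public CA (constructed)");
  // A debugging proxy mints its own leaf for the same host, with its own key.
  const proxyLeaf = makeLeaf(host, "Debug Proxy Root (constructed)");
  // Device trust store after the proxy root has been installed and trusted.
  const trusted = new Set([realLeaf.issuer, proxyLeaf.issuer]);
  const appPins = new Set([spkiPin(realLeaf.publicKey)]); // embedded in the app
  return {
    browserViaProxy: clientAccepts(proxyLeaf, trusted, null),      // no pinning
    pinnedAppDirect: clientAccepts(realLeaf, trusted, appPins),
    pinnedAppViaProxy: clientAccepts(proxyLeaf, trusted, appPins), // handshake fails
    rootNotInstalled: clientAccepts(proxyLeaf, new Set([realLeaf.issuer]), null),
  };
}

console.log(runScenario());
```

The `browserViaProxy` and `pinnedAppViaProxy` rows correspond to the Safari check and the app check described in the comment above: the first passing while the second fails points to pinning rather than a certificate setup problem.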


@lessless commented on GitHub (Oct 6, 2021):

Thanks for the quick response @NghiaTranUIT.

Indeed Scripting might help here, but I'm struggling to make it work - the request still goes to the original host

![Main Window](https://i.imgur.com/DdFIB8p.png)

![Tools](https://i.imgur.com/Tsogktb.png)


@NghiaTranUIT commented on GitHub (Oct 6, 2021):

Just wondering:

  1. If you don't use the Scripting. Are you able to see HTTPS traffic from this domain? It needs to be working before using the Scripting.
  2. Have you installed and trusted the certificate on your iOS device from https://docs.proxyman.io/debug-devices/ios-device ?

@NghiaTranUIT commented on GitHub (Oct 6, 2021):

From your Main Window screenshot, it seems that the app doesn't accept SSL handshakes from Proxyman. I suppose that it's using SSL-Pinning.

What app are you trying to intercept? 🤔


@lessless commented on GitHub (Oct 6, 2021):

> If you don't use the Scripting. Are you able to see HTTPS traffic from this domain? It needs to be working before using the Scripting.

That app has one screen and one button and that's the only request that I can trigger

> Have you installed and trusted the certificate on your iOS device from https://docs.proxyman.io/debug-devices/ios-device ?

Yes, I can open https://google.com without any problems

> What app are you trying to intercept? 🤔

https://apps.apple.com/lb/app/track-my-application/id1455491722. As you can see from the comments it's not in the working state and I suspect it's a problem with a client.


@lessless commented on GitHub (Oct 6, 2021):

Just to double-check that I've really installed & trusted ProxyMan cert on the iOS device

![profile](https://i.imgur.com/hTjXrUM.jpg)

![certificate trust settings](https://i.imgur.com/3MIo5tn.jpg)


@NghiaTranUIT commented on GitHub (Oct 6, 2021):

It seems that it's the app problem (The app server is down), so I don't know how to fix it.


@lessless commented on GitHub (Oct 6, 2021):

@NghiaTranUIT https://gw.apim.tlscontact.com/ itself is not down, so I believe it's the problem with an iOS client.

That's why I want to re-route its requests to a local web server running on the same machine as ProxyMan. But I couldn't do that with either Scripting or the Mapping Tool - the requests are still going to the original server.
