[GH-ISSUE #1772] Cannot get the Root Certificate from Android client X509TrustManager #1765

New issue

Closed

opened 2026-03-03 19:54:10 +03:00 by kerem · 22 comments

kerem commented 2026-03-03 19:54:10 +03:00

Owner

Copy link

Originally created by @4332weizi on GitHub (Sep 18, 2023).
Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/1772

Originally assigned to: @NghiaTranUIT on GitHub.

Description

We check the last X509Certificate of the chain, which is passed to the checkServerTrusted function in client X509TrustManager. Then we import our Root Certificate into the proxy, it works fine on Charles but cannot work on Proxyman. When using Proxyman, the size of the chain passed is always 1, and doesn't contain the `Root Certificate

Steps to Reproduce

1. Check root cert sha256 in X509TrustManager

    private final String CERT_SHA256 = "xxx...xxx"

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        X509Certificate signByRootCert = chain[chain.length - 1];
        MessageDigest sha256Digest = MessageDigest.getInstance("SHA-256");
        String sha256ForCert = toHex(sha256Digest.digest(signByRootCert.getEncoded()));
        if(!TextUtils.equals(CERT_SHA256, sha256ForCert)) {
            throw new CertificateException("xxx")
        }
    }

2. Import the Root Certificate into Proxyman and Charles
3. Send a request from Android client
4. When using Charles:

chain.lenght = 2
TextUtils.equals(CERT_SHA256, sha256ForCert) = true
authType = ECDHE_RSA

When using Proxyman:

chain.lenght = 1
TextUtils.equals(CERT_SHA256, sha256ForCert) = false
authType = GENERIC

Current Behavior

The certificate chain doesn't contain Root Certificate

Expected Behavior

The Root Certificate is the last element of the certificate chain

Environment

• App version: Proxyman 4.11.0
• macOS version: macOS Ventura

Originally created by @4332weizi on GitHub (Sep 18, 2023). Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/1772 Originally assigned to: @NghiaTranUIT on GitHub. ## Description We check the last `X509Certificate` of the chain, which is passed to the `checkServerTrusted` function in client `X509TrustManager`. Then we import our `Root Certificate` into the proxy, it works fine on Charles but cannot work on Proxyman. When using Proxyman, the size of the `chain` passed is always 1, and doesn't contain the `Root Certificate ## Steps to Reproduce 1. Check root cert sha256 in `X509TrustManager` ``` private final String CERT_SHA256 = "xxx...xxx" @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { X509Certificate signByRootCert = chain[chain.length - 1]; MessageDigest sha256Digest = MessageDigest.getInstance("SHA-256"); String sha256ForCert = toHex(sha256Digest.digest(signByRootCert.getEncoded())); if(!TextUtils.equals(CERT_SHA256, sha256ForCert)) { throw new CertificateException("xxx") } } ``` 2. Import the `Root Certificate` into Proxyman and Charles 3. Send a request from Android client 4. When using Charles: ``` chain.lenght = 2 TextUtils.equals(CERT_SHA256, sha256ForCert) = true authType = ECDHE_RSA ``` When using Proxyman: ``` chain.lenght = 1 TextUtils.equals(CERT_SHA256, sha256ForCert) = false authType = GENERIC ``` ## Current Behavior The certificate chain doesn't contain `Root Certificate` ## Expected Behavior The `Root Certificate` is the last element of the certificate chain ## Environment - App version: Proxyman 4.11.0 - macOS version: macOS Ventura

kerem 2026-03-03 19:54:10 +03:00

• closed this issue
• added the
  bug
  ✅ Done
  labels

kerem commented 2026-03-03 19:54:11 +03:00

Author

Owner

Copy link

@NghiaTranUIT commented on GitHub (Sep 19, 2023):

Thanks. I will look on it 👍

<!-- gh-comment-id:1724698138 --> @NghiaTranUIT commented on GitHub (Sep 19, 2023): Thanks. I will look on it 👍

kerem commented 2026-03-03 19:54:11 +03:00

Author

Owner

Copy link

@NghiaTranUIT commented on GitHub (Sep 19, 2023):

Just wondering: If Proxyman Certificate doesn't contain the your custom Root Certificate in a certificate chain, are you able to decrypt HTTPS traffic without SSL errors 🤔 ?

<!-- gh-comment-id:1724698781 --> @NghiaTranUIT commented on GitHub (Sep 19, 2023): Just wondering: If Proxyman Certificate doesn't contain the your custom Root Certificate in a certificate chain, are you able to decrypt HTTPS traffic without SSL errors 🤔 ?

kerem commented 2026-03-03 19:54:11 +03:00

Author

Owner

Copy link

@4332weizi commented on GitHub (Sep 19, 2023):

I can find the Root Certificate on Chrome Certificate Viewer, I don't know why checkServerTrusted(X509Certificate[] chain, String authType) receives only one X509Certificate.

<!-- gh-comment-id:1724759634 --> @4332weizi commented on GitHub (Sep 19, 2023): I can find the Root Certificate on Chrome Certificate Viewer, I don't know why `checkServerTrusted(X509Certificate[] chain, String authType)` receives only one X509Certificate.

kerem commented 2026-03-03 19:54:11 +03:00

Author

Owner

Copy link

@NghiaTranUIT commented on GitHub (Sep 19, 2023):

if Proxyman can decrypt HTTPS traffic from your Android, it means the Proxyman Certificate is generated by your custom root certificate -> It also means that it's already in the Certificate Chain.

If it's not true, you get SSL Error on Android devices.

<!-- gh-comment-id:1724766216 --> @NghiaTranUIT commented on GitHub (Sep 19, 2023): if Proxyman can decrypt HTTPS traffic from your Android, it means the Proxyman Certificate is generated by your custom root certificate -> It also means that it's already in the Certificate Chain. If it's not true, you get SSL Error on Android devices.

kerem commented 2026-03-03 19:54:12 +03:00

Author

Owner

Copy link

@4332weizi commented on GitHub (Sep 19, 2023):

Yes, maybe bugs in my app. I will look into it later.

<!-- gh-comment-id:1724773168 --> @4332weizi commented on GitHub (Sep 19, 2023): Yes, maybe bugs in my app. I will look into it later.

kerem commented 2026-03-03 19:54:12 +03:00

Author

Owner

Copy link

@4332weizi commented on GitHub (Sep 26, 2023):

Proxyman:

Charles:

It seems Proxyman does not send the root CA to the certificates list, the server can omit the root CA.

Reference (RFC 5246 - TLS v1.2, sec. 7.4.2. - Server Certificate):

certificate_list
    This is a sequence (chain) of certificates.  The sender's
    certificate MUST come first in the list.  Each following
    certificate MUST directly certify the one preceding it.  Because
    certificate validation requires that root keys be distributed
    independently, the self-signed certificate that specifies the root
    certificate authority MAY be omitted from the chain, under the
    assumption that the remote end must already possess it in order to
    validate it in any case.

<!-- gh-comment-id:1735176292 --> @4332weizi commented on GitHub (Sep 26, 2023): Proxyman:  Charles:  It seems Proxyman does not send the root CA to the certificates list, the server can omit the root CA. Reference ([RFC 5246 - TLS v1.2, sec. 7.4.2. - Server Certificate](https://www.rfc-editor.org/rfc/rfc5246#section-7.4.2)): ``` certificate_list This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case. ```

kerem commented 2026-03-03 19:54:12 +03:00

Author

Owner

Copy link

@4332weizi commented on GitHub (Sep 27, 2023):

@NghiaTranUIT Can you include an option to send the root CA in the certificate chain?

<!-- gh-comment-id:1736569265 --> @4332weizi commented on GitHub (Sep 27, 2023): @NghiaTranUIT Can you include an option to send the root CA in the certificate chain?

kerem commented 2026-03-03 19:54:12 +03:00

Author

Owner

Copy link

@4332weizi commented on GitHub (Oct 18, 2023):

please

<!-- gh-comment-id:1767902001 --> @4332weizi commented on GitHub (Oct 18, 2023): please

kerem commented 2026-03-03 19:54:12 +03:00

Author

Owner

Copy link

@NghiaTranUIT commented on GitHub (Oct 18, 2023):

@4332weizi can you use Charles Proxy and print the Root CA ? chain[0] to see the name of the CA Certificate.

I'm not sure how to configure it when using TLSConfiguration.

One of these properties can be fixed:

• github.com/apple/swift-nio-ssl@c05ca760bd/Sources/NIOSSL/TLSConfiguration.swift (L278)
• github.com/apple/swift-nio-ssl@c05ca760bd/Sources/NIOSSL/TLSConfiguration.swift (L325)

<!-- gh-comment-id:1767917187 --> @NghiaTranUIT commented on GitHub (Oct 18, 2023): @4332weizi can you use Charles Proxy and print the Root CA ? `chain[0]` to see the name of the CA Certificate. I'm not sure how to configure it when using TLSConfiguration. One of these properties can be fixed: - https://github.com/apple/swift-nio-ssl/blob/c05ca760bd3e3a593372e3beec15e3cb60703c35/Sources/NIOSSL/TLSConfiguration.swift#L278 - https://github.com/apple/swift-nio-ssl/blob/c05ca760bd3e3a593372e3beec15e3cb60703c35/Sources/NIOSSL/TLSConfiguration.swift#L325

kerem commented 2026-03-03 19:54:12 +03:00

Author

Owner

Copy link

@4332weizi commented on GitHub (Oct 18, 2023):

yes, chain[chain.length - 1] is the Root CA

<!-- gh-comment-id:1767966824 --> @4332weizi commented on GitHub (Oct 18, 2023): yes, `chain[chain.length - 1]` is the Root CA  <img width="550" alt="image" src="https://github.com/ProxymanApp/Proxyman/assets/5563945/f4ebbbf9-f2f9-47ee-aeca-50a32d3c85a2">

kerem commented 2026-03-03 19:54:12 +03:00

Author

Owner

Copy link

@NghiaTranUIT commented on GitHub (Oct 18, 2023):

Can you print out the Alternative Subject Name and the Issuer Object?

<!-- gh-comment-id:1767968288 --> @NghiaTranUIT commented on GitHub (Oct 18, 2023): Can you print out the Alternative Subject Name and the Issuer Object?

kerem commented 2026-03-03 19:54:12 +03:00

Author

Owner

Copy link

@4332weizi commented on GitHub (Oct 18, 2023):

chain[0]:

Issuer: C=CN, ST=Shanghai, L=Shanghai, O=Anjuke, OU=Mobile, CN=QA-CN/emailAddress=bianwei02@58ganji.com
X509v3 Subject Alternative Name: DNS:*.fang.anjuke.com, DNS:anjuke.com, DNS:jikejia.cn, DNS:vip.58ganji.com, DNS:cloud-passport.58ganji.com, DNS:*.zu.anjuke.com, DNS:*.xzl.anjuke.com, DNS:*.sp.anjuke.com, DNS:*.news.anjuke.com, DNS:*.haiwai.anjuke.com, DNS:*.brand.anjuke.com, DNS:*.anjuke.com, DNS:*.jikejia.cn, DNS:*.xinfang.anjuke.com, DNS:zu.anjuke.com, DNS:xzl.anjuke.com, DNS:sp.anjuke.com, DNS:news.anjuke.com, DNS:haiwai.anjuke.com, DNS:brand.anjuke.com, DNS:xinfang.anjuke.com, DNS:fang.anjuke.com

<!-- gh-comment-id:1767976640 --> @4332weizi commented on GitHub (Oct 18, 2023): `chain[0]`: ``` Issuer: C=CN, ST=Shanghai, L=Shanghai, O=Anjuke, OU=Mobile, CN=QA-CN/emailAddress=bianwei02@58ganji.com X509v3 Subject Alternative Name: DNS:*.fang.anjuke.com, DNS:anjuke.com, DNS:jikejia.cn, DNS:vip.58ganji.com, DNS:cloud-passport.58ganji.com, DNS:*.zu.anjuke.com, DNS:*.xzl.anjuke.com, DNS:*.sp.anjuke.com, DNS:*.news.anjuke.com, DNS:*.haiwai.anjuke.com, DNS:*.brand.anjuke.com, DNS:*.anjuke.com, DNS:*.jikejia.cn, DNS:*.xinfang.anjuke.com, DNS:zu.anjuke.com, DNS:xzl.anjuke.com, DNS:sp.anjuke.com, DNS:news.anjuke.com, DNS:haiwai.anjuke.com, DNS:brand.anjuke.com, DNS:xinfang.anjuke.com, DNS:fang.anjuke.com ```

kerem commented 2026-03-03 19:54:12 +03:00

Author

Owner

Copy link

@NghiaTranUIT commented on GitHub (Oct 18, 2023):

May I ask: Are you using Custom Certificate ? Or just use as normal (Use Proxyman CA Certificate).

<!-- gh-comment-id:1767981254 --> @NghiaTranUIT commented on GitHub (Oct 18, 2023): May I ask: Are you using [Custom Certificate](https://docs.proxyman.io/advanced-features/custom-certificates) ? Or just use as normal (Use Proxyman CA Certificate).

kerem commented 2026-03-03 19:54:12 +03:00

Author

Owner

Copy link

@4332weizi commented on GitHub (Oct 18, 2023):

I am using a Custom Certificate

<!-- gh-comment-id:1767983861 --> @4332weizi commented on GitHub (Oct 18, 2023): I am using a Custom Certificate

kerem commented 2026-03-03 19:54:12 +03:00

Author

Owner

Copy link

@NghiaTranUIT commented on GitHub (Oct 18, 2023):

Sorry, 1 question: Are you using a Custom Root Certificate, or Server Certificate or Client Certificate ? 🤔

<!-- gh-comment-id:1767989611 --> @NghiaTranUIT commented on GitHub (Oct 18, 2023): Sorry, 1 question: Are you using a Custom Root Certificate, or Server Certificate or Client Certificate ? 🤔

kerem commented 2026-03-03 19:54:12 +03:00

Author

Owner

Copy link

@4332weizi commented on GitHub (Oct 18, 2023):

Custom Root Certificate

<!-- gh-comment-id:1767992806 --> @4332weizi commented on GitHub (Oct 18, 2023): Custom Root Certificate <img width="754" alt="image" src="https://github.com/ProxymanApp/Proxyman/assets/5563945/bbd12554-2736-4f2c-98a5-ed7a187aa9cc">

kerem commented 2026-03-03 19:54:13 +03:00

Author

Owner

Copy link

@NghiaTranUIT commented on GitHub (Oct 18, 2023):

Can you try this build: https://download.proxyman.io/beta/Proxyman_4.12.0_Add_to_rootTrusts.dmg

I add the Root Certificate to the trustRoot property. I can't test it because I don't have your setup.

<!-- gh-comment-id:1768058972 --> @NghiaTranUIT commented on GitHub (Oct 18, 2023): Can you try this build: https://download.proxyman.io/beta/Proxyman_4.12.0_Add_to_rootTrusts.dmg I add the Root Certificate to the `trustRoot` property. I can't test it because I don't have your setup.

kerem commented 2026-03-03 19:54:13 +03:00

Author

Owner

Copy link

@4332weizi commented on GitHub (Oct 18, 2023):

seem nothing changed

<!-- gh-comment-id:1768066084 --> @4332weizi commented on GitHub (Oct 18, 2023): seem nothing changed 

kerem commented 2026-03-03 19:54:13 +03:00

Author

Owner

Copy link

@NghiaTranUIT commented on GitHub (Oct 18, 2023):

How about this build: https://download.proxyman.io/beta/Proxyman_4.12.0_try_to_fix_rootTrusts_v2.dmg

<!-- gh-comment-id:1768244285 --> @NghiaTranUIT commented on GitHub (Oct 18, 2023): How about this build: https://download.proxyman.io/beta/Proxyman_4.12.0_try_to_fix_rootTrusts_v2.dmg

kerem commented 2026-03-03 19:54:13 +03:00

Author

Owner

Copy link

@4332weizi commented on GitHub (Oct 19, 2023):

Nice, I can see the Root CA now, and SSL Proxying works. Thank you so much！

<!-- gh-comment-id:1769757417 --> @4332weizi commented on GitHub (Oct 19, 2023): Nice, I can see the Root CA now, and SSL Proxying works. Thank you so much！

kerem commented 2026-03-03 19:54:13 +03:00

Author

Owner

Copy link

@NghiaTranUIT commented on GitHub (Oct 19, 2023):

@4332weizi can you check this build again: https://download.proxyman.io/beta/Proxyman_4.12.0_Fix_Trust_Root_v3.dmg

I did some refactoring and I think it should work as intended. Sorry, I don't have your setup, so I can't verify it by my own.

<!-- gh-comment-id:1769794533 --> @NghiaTranUIT commented on GitHub (Oct 19, 2023): @4332weizi can you check this build again: https://download.proxyman.io/beta/Proxyman_4.12.0_Fix_Trust_Root_v3.dmg I did some refactoring and I think it should work as intended. Sorry, I don't have your setup, so I can't verify it by my own.

kerem commented 2026-03-03 19:54:13 +03:00

Author

Owner

Copy link

@4332weizi commented on GitHub (Oct 19, 2023):

Just like the previous version!

<!-- gh-comment-id:1769799698 --> @4332weizi commented on GitHub (Oct 19, 2023): Just like the previous version!

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

6.9.0

6.8.0

6.7.0

6.6.0

6.5.0

6.4.0

6.3.0

6.2.0

6.1.0

6.0.2

6.0.0

6.0.1

5.25.0

5.24.0

5.23.0

5.23.1

5.22.0

5.20.0

5.21.0

5.19.0

5.18.0

5.17.0

5.16.0

5.15.0

5.14.0

5.12.2

5.12.1

5.12.0

5.11.0

5.10.0

5.8.0

5.9.0

5.7.0

5.6.1

5.6.0

5.5.0

5.4.0

5.2.0

5.3.0

5.1.1

5.0.0

4.16.0

4.15.0

4.14.0

4.13.0

4.12.0

4.11.0

4.10.0

4.9.1

4.9.0

4.8.2

4.8.1

4.8.0

4.7.1

4.7.0

4.6.1

4.6.0

4.5.0

4.4.0

4.3.1

4.3.0

4.2.1

4.2.0

4.1.0

4.0.0

3.15.0

3.14.0

3.13.0

3.12.0

3.11.0

3.10.0

3.9.0

3.8.0

3.7.0

3.6.2

3.6.1

3.6.0

3.5.2

3.5.1

3.5.0

3.4.0

3.3.0

3.2.0

3.1.0

3.0.0

2.35.4

2.35.3

2.35.2

2.35.1

2.35.0

2.34.1

2.34.0

2.33.0

2.32.1

2.32.0

2.31.0

2.30.0

2.29.0

2.28.0

2.27.0

2.26.0

2.25.0

2.24.0

2.23.0

2.22.0

2.21.1

2.21.0

2.20.0

2.19.0

2.18.0

2.17.0

2.16.1

2.16.0

2.15.2

2.15.1

2.15.0

2.14.2

2.14.1

2.14.0

2.13.0

2.12.0

2.11.1

2.11.0

2.10.0

2.9.1

2.9.0

2.8.0

2.7.0

2.6.0

2.5.3

2.5.2

2.5.1

2.5.0

2.4.2

2.4.1

2.4.0

2.3.0

2.2.0

2.1.1

2.1.0

2.0.1

2.0.0

1.24.0

1.23.0

1.22.0

1.21.0

1.20.0

1.19.0

1.18.1

1.18.0

1.17.1

1.17.0

1.16.0

1.15.0

1.14.1

1.14.0

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.7

1.4.6

1.4.5.1

1.4.5

1.4.4.1

1.4.4

1.4.3

1.4.2

1.4.1.1

1.4.1

1.4

1.3.9

1.3.8

1.3.7

1.3.6

1.3.5

1.3.4.3

1.3.4.2

1.3.4.1

1.3.4

1.3.3

1.3.2

1.3.1

1.3

1.2

1.1.2

1.1.1

1.1

1.0.3

1.0.2

1.0

0.8.1

0.8

0.7

0.6

0.5.1

0.5

v0.4.1

Labels

Clear labels   

Discussion

  

Feature request

  

In Progress...

  

Plugins

  

Waiting response

  

Windows

  

Windows

  

bug

  

duplicate

  

enhancement

  

feature

  

good first issue

  

iOS

  

macOS 10.11

  

question

  

wontfix

  

✅ Done

No labels

Discussion

Feature request

In Progress...

Plugins

Waiting response

Windows

Windows

bug

duplicate

enhancement

feature

good first issue

iOS

macOS 10.11

question

wontfix

✅ Done

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/Proxyman#1765

No description provided.