[GH-ISSUE #367] Proxyman CA cert doesn't have Server Authentication ( 1.3.6.1.5.5.7.3.1 ) OID which is required by macOS 10.15 #363

Closed
opened 2026-03-03 19:17:49 +03:00 by kerem · 7 comments

Originally created by @TingluoHuang on GitHub (Jan 3, 2020).
Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/367

Originally assigned to: @NghiaTranUIT on GitHub.

Proxyman version? (Ex. Proxyman 1.4.3)

1.13.0

macOS Version? (Ex. mac 10.14)

10.15.2

Steps to reproduce

Check Proxyman CA cert details in keychain

Expected behavior

The CA cert has extended key usage Server Authentication ( 1.3.6.1.5.5.7.3.1 )

According to https://support.apple.com/en-us/HT210176 and http://blog.nashcom.de/nashcomblog.nsf/dx/more-strict-server-certificate-handling-in-ios-13-macos-10.15.htm?opendocument&comments

When using Proxyman with a dotnet core app, dotnet core can't validate the server SSL cert via the native macOS system call when Proxyman decrypts SSL traffic.

https://github.com/dotnet/runtime/issues/666

Screenshots (optional)

Other proxy servers' CA certs have this field (Fiddler):

@NghiaTranUIT commented on GitHub (Jan 3, 2020):

Hey @TingluoHuang

Proxyman is already updated with Apple's new requirements, but the TLS server certificates part is missing. I'm on it now 👍


@NghiaTranUIT commented on GitHub (Jan 3, 2020):

Hey yo @TingluoHuang

Let's check this BETA build: https://proxyman.s3.us-east-2.amazonaws.com/beta/Proxyman_1.13.0_Update_macOS_Certificate_Requirement.dmg

Changelogs

  • Fixed 825-day expiry
  • Added missing ExtendedKeyUsage for server auth

Please open Help menu -> Debug -> Reset all Certificate & Data to completely remove the old one. Then you can install the new certificate 👍

Please let me know if it works since I couldn't test your case in my local machine. Thank you in advance 🌮


@TingluoHuang commented on GitHub (Jan 3, 2020):

@NghiaTranUIT thanks for taking a look at this.
I think we are 1 step closer. :)

Server cert generated by proxyman:

[Version]
  V3

[Subject]
  OU=https://proxyman.io, CN=github.com, O="GitHub, Inc.", L=San Francisco, C=US
  Simple Name: github.com
  DNS Name: github.com

[Issuer]
  OU=https://proxyman.io, CN="Proxyman CA (3 Jan 2020, htl-mac.local)", O=Proxyman Ltd, L=Singapore, C=SG
  Simple Name: Proxyman CA (3 Jan 2020, htl-mac.local)
  DNS Name: Proxyman CA (3 Jan 2020, htl-mac.local)

[Serial Number]
  00E0481A26FA5B92AB

[Not Before]
  1/3/2020 10:11:37 AM

[Not After]
  4/7/2022 11:11:37 AM

[Thumbprint]
  CC915C50F9326979B4284A0454C31F57EA271DE1

[Signature Algorithm]
  sha256RSA(1.2.840.113549.1.1.11)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: [omitted]
  Parameters: 0500

[Extensions]
* X509v3 Key Usage(2.5.29.15):
  030204F0
* (2.5.29.17):
  DNS:github.com, DNS:www.github.com

Server cert generated by Fiddler:

[Version]
  V3

[Subject]
  CN=github.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
  Simple Name: github.com
  DNS Name: github.com

[Issuer]
  CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
  Simple Name: DO_NOT_TRUST_FiddlerRoot
  DNS Name: DO_NOT_TRUST_FiddlerRoot

[Serial Number]
  63B8AF1E4656F6A84090B66395D2E778

[Not Before]
  4/13/2015 7:36:49 PM

[Not After]
  4/12/2021 7:36:49 PM

[Thumbprint]
  42727BFCD1483323FFCE37F024DE90947A4D5220

[Signature Algorithm]
  sha256RSA(1.2.840.113549.1.1.11)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: [omitted]
  Parameters: 0500

[Extensions]
* X509v3 Key Usage(2.5.29.15):
  030204B0
* X509v3 Extended Key Usage(2.5.29.37):
  300A06082B06010505070301
* (2.5.29.17):
  DNS:github.com
* (2.5.29.35):
  3016801460582EA061611E9E3FAA24C6E6E5479664B694B2
* X509v3 Subject Key Identifier(2.5.29.14):
  0414A5672AE0F476D5573D582908A6AD1B2F1DD07961

As you can see the Fiddler cert contains:

* X509v3 Extended Key Usage(2.5.29.37):
  300A06082B06010505070301 -> 1.3.6.1.5.5.7.3.1

How do you generate the server certificate for each HTTPS request? I think you might need to do something like:
https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309#gistcomment-3098018

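An added example, not from the thread or from Proxyman: a stdlib-only Python checker for the two things this thread turns on, the ExtendedKeyUsage DER value quoted from the Fiddler dump (which decodes to id-kp-serverAuth, 1.3.6.1.5.5.7.3.1, and is absent from the Proxyman leaf) and the 825-day validity limit from the Apple article linked in the issue body. The hex value and dates it is meant to be fed are copied from the certificate dumps above, in the same M/D/YYYY H:MM:SS AM/PM format the dumps use.

```python
from datetime import datetime

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
MAX_VALIDITY_DAYS = 825                 # Apple's limit for TLS server certs

def _read_tlv(buf, pos):
    """Parse one DER tag/length/value triple; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]   # first byte = 40*arc1 + arc2
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)        # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_eku(hex_value):
    """Decode an ExtendedKeyUsage value (SEQUENCE OF OID) into dotted OIDs."""
    tag, seq, _ = _read_tlv(bytes.fromhex(hex_value), 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside ExtendedKeyUsage")
        oids.append(decode_oid(content))
    return oids

def has_server_auth(eku_hex):
    """True only when an EKU extension is present (not None) and lists serverAuth."""
    return eku_hex is not None and SERVER_AUTH_OID in decode_eku(eku_hex)

def validity_days(not_before, not_after):
    """Validity length in days, parsing the dump's M/D/YYYY H:MM:SS AM/PM format."""
    fmt = "%m/%d/%Y %I:%M:%S %p"
    return (datetime.strptime(not_after, fmt) - datetime.strptime(not_before, fmt)).days

def validity_ok(not_before, not_after):
    return validity_days(not_before, not_after) <= MAX_VALIDITY_DAYS
```

Passing None (the Proxyman leaf, which has no EKU at all) yields False while the Fiddler value yields True, and the Proxyman leaf's 1/3/2020 to 4/7/2022 window is exactly 825 days, so it sits right at the limit.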

@NghiaTranUIT commented on GitHub (Jan 3, 2020):

I see, the extension is also absent from the certificate generated by Proxyman, not just from the Proxyman Root Certificate. I'm on it now 👍


@NghiaTranUIT commented on GitHub (Jan 4, 2020):

Here is the updated build, @TingluoHuang: https://proxyman.s3.us-east-2.amazonaws.com/beta/Proxyman_1.13.0_Missing_extension_certificate.dmg


Please "Reset all Certificate & Data" before testing since there are cached certificates.

Let me know if it works, then I can release a 1.13.1 build 👍 Thank you in advance 🎉


@TingluoHuang commented on GitHub (Jan 4, 2020):

@NghiaTranUIT it works, thanks!


@NghiaTranUIT commented on GitHub (Jan 5, 2020):

Glad to know that. Let's update to Proxyman 1.13.1 (https://github.com/ProxymanApp/Proxyman/releases/tag/1.13.1), which officially includes the fix 👍
