starred/proxyman-windows-linux
1
0
Fork 0
mirror of https://github.com/ProxymanApp/proxyman-windows-linux.git synced 2026-04-27 08:55:50 +03:00
Code Issues 541 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #336] Windows: Firefox MOZILLA_PKIX_CA_CERT_USED_AS_END_ENTITY error when visiting a proxied page #335

New issue
Open
opened 2026-03-03 19:49:57 +03:00 by kerem · 5 comments
kerem commented 2026-03-03 19:49:57 +03:00
Owner
Copy link

Originally created by @cwirving on GitHub (Nov 27, 2023).
Original GitHub issue: https://github.com/ProxymanApp/proxyman-windows-linux/issues/336

Originally assigned to: @NghiaTranUIT on GitHub.

Description

The TLS certificate used by Proxyman for Windows has the CA basic constraint set to true (unlike on macOS where it is false, which means that Firefox fails to validate any intercepted connections. The underlying Mozilla code clearly checks for this condition and has returned an error for many years.

See the Mozilla documentation for an explanation of the error code.

Steps to Reproduce

  1. Install Proxyman for Windows, including Firefox-specific instructions
  2. Start Proxyman
  3. Set up SSL proxying for a domain of your choice
  4. Visit any page in the domain using Firefox: it fails with MOZILLA_PKIX_CA_CERT_USED_AS_END_ENTITY
  5. Visit the same page using another browser: it works and you can see the proxied requests in Proxyman

Current Behavior

Firefox rejects the proxied certificate because it has the Certificate Authority basic constraint set to TRUE.

Expected Behavior

The certificate is acceptable to Firefox and the page opens normally.

Environment

  • App version: Proxyman for Windows 2.8.0
  • Windows version: Windows 11 22H2 (Build 22621.2715)
Originally created by @cwirving on GitHub (Nov 27, 2023). Original GitHub issue: https://github.com/ProxymanApp/proxyman-windows-linux/issues/336 Originally assigned to: @NghiaTranUIT on GitHub. ## Description The TLS certificate used by Proxyman for Windows has the CA basic constraint set to true (unlike on macOS where it is false, which means that Firefox fails to validate any intercepted connections. The [underlying Mozilla code](https://github.com/mozilla/gecko-dev/blob/acab011f9478c025c214139fcb811f2dd4f2fe86/security/nss/lib/mozpkix/lib/pkixcheck.cpp#L703) clearly checks for this condition and has returned an error for many years. See the [Mozilla documentation](https://wiki.mozilla.org/SecurityEngineering/x509Certs#Error_Codes_in_Firefox) for an explanation of the error code. ## Steps to Reproduce 1. Install Proxyman for Windows, including Firefox-specific instructions 2. Start Proxyman 3. Set up SSL proxying for a domain of your choice 4. Visit any page in the domain using Firefox: it fails with MOZILLA_PKIX_CA_CERT_USED_AS_END_ENTITY 5. Visit the same page using another browser: it works and you can see the proxied requests in Proxyman ## Current Behavior Firefox rejects the proxied certificate because it has the Certificate Authority basic constraint set to TRUE. ## Expected Behavior The certificate is acceptable to Firefox and the page opens normally. ## Environment - App version: Proxyman for Windows 2.8.0 - Windows version: Windows 11 22H2 (Build 22621.2715)
kerem commented 2026-03-03 19:49:58 +03:00
Author
Owner
Copy link

@NghiaTranUIT commented on GitHub (Nov 28, 2023):

@cwirving it's not a bug. You have to install & trust the Proxyman Certificate to your Firefox. Here is the docs: https://docs.proxyman.io/debug-devices/firefox

The reason is: Firefox has their own Trust Store, and it doesn't respect the Windows Certificate Manager.

<!-- gh-comment-id:1828884189 --> @NghiaTranUIT commented on GitHub (Nov 28, 2023): @cwirving it's not a bug. You have to install & trust the Proxyman Certificate to your Firefox. Here is the docs: https://docs.proxyman.io/debug-devices/firefox The reason is: Firefox has their own Trust Store, and it doesn't respect the Windows Certificate Manager.
kerem commented 2026-03-03 19:49:58 +03:00
Author
Owner
Copy link

@cwirving commented on GitHub (Nov 28, 2023):

@cwirving it's not a bug. You have to install & trust the Proxyman Certificate to your Firefox. Here is the docs: https://docs.proxyman.io/debug-devices/firefox

The reason is: Firefox has their own Trust Store, and it doesn't respect the Windows Certificate Manager.

@NghiaTranUIT, I’m afraid that I must not explained clearly: the root certificate is installed in the Firefox Trust Store. This is not that error. If you fail to install the root certificate, you get a different error (that, ironically, Firefox does allow you to bypass).

This error is that the certificate served up by the proxy (not the root certificate) is recognized, but rejected because it contains a CA basic authority claim set to true. What is more frustrating is that Firefox will not let you bypass this error. Period.

If you examine the connection certificate in the browser, you will see this. Importantly, the macOS version of Proxyman does not set this CA basic authority claim — Firefox works beautifully in macOS through Proxyman because the certificate does not have this CA basic authority claim. I am happy to screenshot the certificates side by side if you don’t believe me.

<!-- gh-comment-id:1829062803 --> @cwirving commented on GitHub (Nov 28, 2023): > @cwirving it's not a bug. You have to install & trust the Proxyman Certificate to your Firefox. Here is the docs: https://docs.proxyman.io/debug-devices/firefox > > The reason is: Firefox has their own Trust Store, and it doesn't respect the Windows Certificate Manager. @NghiaTranUIT, I’m afraid that I must not explained clearly: the root certificate **is** installed in the Firefox Trust Store. This is not that error. If you fail to install the root certificate, you get a different error (that, ironically, Firefox does allow you to bypass). This error is that the certificate **served up by the proxy** (not the root certificate) is recognized, but rejected because it contains a CA basic authority claim set to true. What is more frustrating is that Firefox will not let you bypass this error. Period. If you examine the connection certificate in the browser, you will see this. Importantly, **the macOS version of Proxyman does not set this CA basic authority claim** — Firefox works beautifully in macOS through Proxyman because the certificate does not have this CA basic authority claim. I am happy to screenshot the certificates side by side if you don’t believe me.
kerem commented 2026-03-03 19:49:58 +03:00
Author
Owner
Copy link

@NghiaTranUIT commented on GitHub (Nov 28, 2023):

@cwirving it'd be great to have a screenshot.

Here is the screenshot. Can you clarify which attributes should be changed from the Windows? We can fix it.

CleanShot 2023-11-28 at 11 45 12@2x

<!-- gh-comment-id:1829068522 --> @NghiaTranUIT commented on GitHub (Nov 28, 2023): @cwirving it'd be great to have a screenshot. Here is the screenshot. Can you clarify which attributes should be changed from the Windows? We can fix it. ![CleanShot 2023-11-28 at 11 45 12@2x](https://github.com/ProxymanApp/proxyman-windows-linux/assets/5878421/3ffc497e-bd80-43c7-9b64-3bb57b6b9e28)
kerem commented 2026-03-03 19:49:58 +03:00
Author
Owner
Copy link

@cwirving commented on GitHub (Nov 28, 2023):

I connected to the proxied sites in Firefox on each plaform, exported the certificates from each as PEM files and dumped the contents using openssl. Then did a diff between them. The key difference is the fact that the connection certificate generated on Windows includes the CA:TRUE basic constraint while macOS has CA:FALSE:
Proxyman mac vs wincows certificates

<!-- gh-comment-id:1829715705 --> @cwirving commented on GitHub (Nov 28, 2023): I connected to the proxied sites in Firefox on each plaform, exported the certificates from each as PEM files and dumped the contents using openssl. Then did a diff between them. The key difference is the fact that the connection certificate generated on Windows includes the `CA:TRUE` basic constraint while macOS has `CA:FALSE`: ![Proxyman mac vs wincows certificates](https://github.com/ProxymanApp/proxyman-windows-linux/assets/5027469/45385d11-d066-45d2-b68a-d53294af8a67)
kerem commented 2026-03-03 19:49:58 +03:00
Author
Owner
Copy link

@NghiaTranUIT commented on GitHub (Nov 28, 2023):

Thanks @cwirving. Our team will fix it asap 👍

cc @kics223w1

<!-- gh-comment-id:1829744935 --> @NghiaTranUIT commented on GitHub (Nov 28, 2023): Thanks @cwirving. Our team will fix it asap 👍 cc @kics223w1
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
feat/new-version
3.12.0
3.11.0
3.10.0
3.4.0
3.5.0
3.6.0
3.7.0
3.8.0
3.9.0
3.3.0
2.25.0
2.24.0
3.2.0
3.0.0
3.1.0
2.26.0
2.27.0
2.23.0
2.22.0
2.21.0
2.20.0
2.19.0
2.18.0
2.17.0
2.16.0
2.15.0
2.14.0
2.13.0
2.12.0
2.11.1
2.11.0
2.10.0
2.9.0
2.8.0
2.7.0
2.6.0
2.5.0
2.4.0
2.3.0
1.9.2
2.0.0
1.9.1
1.8.1
1.9.0
1.8.0
1.7.0
1.6.0
1.5.0
1.4.0
1.3.0
1.2.0
1.1.0
1.0.0
0.10.0
0.9.0
0.8.0
0.6.0
0.5.0
0.4.2
0.4.1
0.4.0
0.3.0
0.1.1
0.2.0
0.1.0
Labels
Clear labels   
Linux

   
bug

   
enhancement

   
enhancement

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
Done
No labels
Linux
bug
enhancement
enhancement
pull-request
question
Done
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/proxyman-windows-linux#335
No description provided.