Proxyman CA cert doesn't have Server Authentication ( 1.3.6.1.5.5.7.3.1 ) OID which is required by macOS 10.15

[TingluoHuang]

Proxyman version? (Ex. Proxyman 1.4.3)

1.13.0

macOS Version? (Ex. mac 10.14)

10.15.2

Steps to reproduce

Check Proxyman CA cert details in keychain

Expected behavior

The CA cert has extended key usage Server Authentication ( 1.3.6.1.5.5.7.3.1 )

According to https://support.apple.com/en-us/HT210176 and http://blog.nashcom.de/nashcomblog.nsf/dx/more-strict-server-certificate-handling-in-ios-13-macos-10.15.htm?opendocument&comments

When use proxyman with dotnet core app, dotnet core can't validate the server ssl cert via native macOS system call when proxyman decrypt SSL traffic.

dotnet/runtime#666

Screenshots (optional)

Other proxy server CA cert has this field (Fiddler)

[NghiaTranUIT]

Hey @TingluoHuang

Proxyman is already updated with new Apple's requirements, but there is a missing of TLS server certificates. I'm on it now 👍

[NghiaTranUIT]

Hey yo @TingluoHuang

Let check this BETA build: https://proxyman.s3.us-east-2.amazonaws.com/beta/Proxyman_1.13.0_Update_macOS_Certificate_Requirement.dmg

Changelogs

• Fixed 825 expired day
• Added missing ExtendedKeyUsage for server auth

Please open Help menu -> Debug -> Reset all Certificate & Data to completely remove the old one. Then you can install the new certificate 👍

Please let me know if it works since I couldn't test your case in my local machine. Thank you in advance 🌮

[TingluoHuang]

@NghiaTranUIT thanks for taking look at this.
I think we are 1 step closer. :)

Server cert generated by proxyman:

[Version]
  V3

[Subject]
  OU=https://proxyman.io, CN=github.com, O="GitHub, Inc.", L=San Francisco, C=US
  Simple Name: github.com
  DNS Name: github.com

[Issuer]
  OU=https://proxyman.io, CN="Proxyman CA (3 Jan 2020, htl-mac.local)", O=Proxyman Ltd, L=Singapore, C=SG
  Simple Name: Proxyman CA (3 Jan 2020, htl-mac.local)
  DNS Name: Proxyman CA (3 Jan 2020, htl-mac.local)

[Serial Number]
  00E0481A26FA5B92AB

[Not Before]
  1/3/2020 10:11:37 AM

[Not After]
  4/7/2022 11:11:37 AM

[Thumbprint]
  CC915C50F9326979B4284A0454C31F57EA271DE1

[Signature Algorithm]
  sha256RSA(1.2.840.113549.1.1.11)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 3082010A0282010100C4C33B2D758CC80014AF8FDAA5AC74E8FD48512E6E8D3341E57CD6529B9FB771D482FF41AA3C69C694660662FDDCAB926E8572AA5622BD9B2DDD6649DF8D24C17513EF2936F77CD610232D687848A8245E1546255A0FBF04A4E3CE88E0790F665751A39728BCE9173A2845A43B60BF381DA4F73790B5565558244B9672EE6C46537B24177D85DD1836FF282DC6E83A5E82EFE461DEF23243DB75DC93D50270A322240110CE6B3FF1EFB350633335F46FDABC12C9BB5B17A5C309B2DD84A8BA2EAECC780CF3E9AB1A1A60A7F543CCBA24C833FE5D185E01FC82AFB040B7B470AB7F3A84DED57089E54E479AEB884DB24D3BD1B5B95E388E1E186F90CFC7C2C4CF0203010001
  Parameters: 0500

[Extensions]
* X509v3 Key Usage(2.5.29.15):
  030204F0
* (2.5.29.17):
  DNS:github.com, DNS:www.github.com

Server cert generated by Fiddler:

[Version]
  V3

[Subject]
  CN=github.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
  Simple Name: github.com
  DNS Name: github.com

[Issuer]
  CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
  Simple Name: DO_NOT_TRUST_FiddlerRoot
  DNS Name: DO_NOT_TRUST_FiddlerRoot

[Serial Number]
  63B8AF1E4656F6A84090B66395D2E778

[Not Before]
  4/13/2015 7:36:49 PM

[Not After]
  4/12/2021 7:36:49 PM

[Thumbprint]
  42727BFCD1483323FFCE37F024DE90947A4D5220

[Signature Algorithm]
  sha256RSA(1.2.840.113549.1.1.11)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 3082010A0282010100B4466BDEBDDB68D0007D4F191E7EECBA6647752BD5B2ADD04206EFBAFAFAF488E9E7A29043EA6076917C1903BB668996D1A876736A78E9FC012C4EBF6EFDC9270CEBC52C1B760C0C95072B2CAECEEE370C334384614CCDED1CB47D88EAC8814B2B82073611053BFAABDDD30FA55F5AB088996FD7881DE82BEDD417D48D49939CBE834D04B7C389BF93C700C75C38D12F4D3BDA8325322C101946BDBCED92F7D771B95D55A87369366A4E69C17B61DABBFA0387A3EF2B548EDC07A55C4784169FF82F5540FFA97402B88452675410960EC28DB705422891DA55A99F7F39F1217A00BBFBD4D84ADAA31FFB370B67612ACEE01EC4989E187AB2521B84EAAB9BFEE30203010001
  Parameters: 0500

[Extensions]
* X509v3 Key Usage(2.5.29.15):
  030204B0
* X509v3 Extended Key Usage(2.5.29.37):
  300A06082B06010505070301
* (2.5.29.17):
  DNS:github.com
* (2.5.29.35):
  3016801460582EA061611E9E3FAA24C6E6E5479664B694B2
* X509v3 Subject Key Identifier(2.5.29.14):
  0414A5672AE0F476D5573D582908A6AD1B2F1DD07961

As you can see the Fiddler cert contains:

* X509v3 Extended Key Usage(2.5.29.37):
  300A06082B06010505070301 ->1.3.6.1.5.5.7.3.1

How do you generate server certificate for each https request? I think you might need to do something like:
https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309#gistcomment-3098018

[NghiaTranUIT]

I see, the absent is also from the Certificate, which is generated by Proxyman, not just only the Root Proxyman Certificate. I'm on it now 👍

[NghiaTranUIT]

Here is the updated @TingluoHuang https://proxyman.s3.us-east-2.amazonaws.com/beta/Proxyman_1.13.0_Missing_extension_certificate.dmg

Please "Reset all Certificate & Data" before testing since there are cached certificates.

Let me know if it works then I could release a 1.13.1 build 👍 Thank you in advance 🎉

[TingluoHuang]

@NghiaTranUIT it work, thanks!

[NghiaTranUIT]

Glad to know that. Let update to Proxyman 1.13.1, which officially includes the fix 👍