
Java "internal_error" with MITM on some sites #207

Closed
jekh opened this issue May 17, 2015 · 3 comments

Comments

@jekh
Collaborator

jekh commented May 17, 2015

A BrowserMob Proxy user reported an issue where sites using the CloudFlare Flexible SSL service, such as https://kitematic.com/, experience this error:

Caused by: javax.net.ssl.SSLException: Received fatal alert: internal_error

I traced this problem back to LittleProxy, but I'm at a loss to understand what "internal_error" could possibly mean. Does anybody with more experience with Java SSL have any ideas what might be causing this?

Full LP log output:

0      2015-05-16 21:12:03,879 INFO  [main] proxy.Launcher (?:?).?() - Running LittleProxy with args: []
About to start server on port: 8080
91     2015-05-16 21:12:03,970 INFO  [main] proxy.Launcher (?:?).?() - Running as Man in the Middle
92     2015-05-16 21:12:03,971 INFO  [main] extras.SelfSignedSslEngineSource (?:?).?() - Not deleting keystore
About to start...
212    2015-05-16 21:12:04,091 INFO  [main] impl.DefaultHttpProxyServer (?:?).?() - Starting proxy at address: 0.0.0.0/0.0.0.0:8080
233    2015-05-16 21:12:04,112 INFO  [main] impl.DefaultHttpProxyServer (?:?).?() - Proxy listening with TCP transport
305    2015-05-16 21:12:04,184 INFO  [main] impl.DefaultHttpProxyServer (?:?).?() - Proxy started at address: /0:0:0:0:0:0:0:0:8080
18878  2015-05-16 21:12:22,757 WARN  [LittleProxy-ProxyToServerWorker-0] impl.ProxyToServerConnection (?:?).?() - (HANDSHAKING) [id: 0x5d8ce589, 0.0.0.0/0.0.0.0:46433 :> kitematic.com/104.28.2.49:443]: Caught exception on proxy -> web connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: internal_error
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:280)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:149)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:333)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:319)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:787)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:130)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354)
    at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: Received fatal alert: internal_error
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1650)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1618)
    at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1787)
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1071)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:893)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:767)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:982)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:908)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:854)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:249)
    ... 11 more
18880  2015-05-16 21:12:22,759 WARN  [LittleProxy-ProxyToServerWorker-0] impl.ProxyToServerConnection (?:?).?() - (HANDSHAKING) [id: 0x5d8ce589, 0.0.0.0/0.0.0.0:46433 :> kitematic.com/104.28.2.49:443]: Disconnecting open connection

@ganskef
Collaborator

ganskef commented May 17, 2015

Hi Jason, I've reproduced it with https://kitematic.com/ (with my implementation and Netty 4.1.0-Beta5), too. I've executed my tests with -Djavax.net.debug=all and compared a direct with a proxied connection. I've found this difference in the output:

Working handshake with URLConnection
*** ClientHello, TLSv1
...
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: kitematic.com]


Failing handshake with LittleProxy
*** ClientHello, TLSv1
...
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]


Stay tuned...

ganskef added a commit to ganskef/LittleProxy that referenced this issue May 21, 2015
Proxy to server connections need peer information to connect to Server
Name Indication (SNI) enabled sites. The client has to send an extension
server_name: [host_name: developer.chrome.com] for example within the
handshake.
ganskef added a commit to ganskef/LittleProxy-mitm that referenced this issue May 21, 2015
Proxy to server connections need peer information to connect to Server
Name Indication (SNI) enabled sites. The client has to send an extension
server_name: [host_name: developer.chrome.com] for example within the
handshake.
jekh pushed a commit to jekh/LittleProxy that referenced this issue May 23, 2015
Proxy to server connections need peer information to connect to Server
Name Indication (SNI) enabled sites. The client has to send an extension
server_name: [host_name: developer.chrome.com] for example within the
handshake.
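The debug output above shows the proxied ClientHello missing the server_name extension, and the referenced commit describes the fix: the proxy-to-server SSLEngine has to be created with the peer host so JSSE can advertise it. The following is an added illustration of that mechanism, not LittleProxy's own code; it assumes Java 8 (SNIHostName and SSLParameters.setServerNames) and uses the host from the report as a sample value.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.Collections;
import java.util.List;

// Illustration only (not LittleProxy code): how peer information reaches the
// JSSE client-side engine so the ClientHello carries a server_name extension.
public class SniEngineExample {

    // Engine created without peer information: JSSE has no host name to put
    // into server_name, which matches the failing proxied handshake above.
    static SSLEngine engineWithoutSni(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        return engine;
    }

    // Engine created with the upstream host and port, which is what the
    // referenced commit adds on the proxy-to-server side.
    static SSLEngine engineWithSni(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        // Java 8+: also set the server name explicitly. This is the robust
        // form, and it works even if the engine was created without a host.
        SSLParameters params = engine.getSSLParameters();
        params.setServerNames(
                Collections.<SNIServerName>singletonList(new SNIHostName(host)));
        engine.setSSLParameters(params);
        return engine;
    }

    // Quick self-check: the server names this engine will advertise.
    // An empty list means the ClientHello will go out without server_name.
    static List<SNIServerName> advertisedServerNames(SSLEngine engine) {
        return engine.getSSLParameters().getServerNames();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // "kitematic.com" is the host from the issue report, used as a sample.
        System.out.println("without peer info: "
                + advertisedServerNames(engineWithoutSni(ctx)));
        System.out.println("with peer info:    "
                + advertisedServerNames(engineWithSni(ctx, "kitematic.com", 443)));
    }
}
```

Running with -Djavax.net.debug=ssl:handshake, as in the comment above, lets you confirm that the second engine's ClientHello now lists Extension server_name while the first does not.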
@jekh
Collaborator Author

jekh commented May 23, 2015

Thanks for investigating this, @ganskef. I just opened PR #210 with the commit you referenced here. Would you mind taking a look and letting me know if there's anything else that needs to be done before this can be merged?

This is actually a major issue, so thank you so much for investigating & fixing it!

@jekh
Collaborator Author

jekh commented May 24, 2015

Since the discussion is taking place in PR #210 now, I'll close this issue.

@jekh jekh closed this as completed May 24, 2015
ganskef added a commit to ganskef/LittleProxy that referenced this issue Jun 4, 2015
…isk#210

Conflicts:
	src/main/java/org/littleshoot/proxy/MitmManager.java
	src/main/java/org/littleshoot/proxy/SslEngineSource.java
	src/main/java/org/littleshoot/proxy/extras/SelfSignedMitmManager.java
	src/main/java/org/littleshoot/proxy/impl/ProxyToServerConnection.java
expertjavaguy added a commit to expertjavaguy/AdamfiskProxy that referenced this issue May 26, 2022
Proxy to server connections need peer information to connect to Server
Name Indication (SNI) enabled sites. The client has to send an extension
server_name: [host_name: developer.chrome.com] for example within the
handshake.