[ERROR] Securing client connection failed: handshake error: EOF #101

Open
CNKCQ opened this issue Feb 23, 2022 · 5 comments

@CNKCQ

CNKCQ commented Feb 23, 2022

Describe the bug
The CA was set up as described in the doc, but I still get the error:
[ERROR] Securing client connection failed: handshake error: EOF

Expected behavior
HTTPS support

Screenshots
image

@dstotijn
Owner

Does this happen for all proxied HTTPS connections? Or only to a specific server? E.g. if you proxy traffic for https://www.example.com do you also get this error?

If the error is logged for one specific server: if it’s a public URL you’re accessing and you don’t mind sharing, it would help troubleshooting.

@ghost

ghost commented Mar 11, 2022

Hi mate! I can also confirm the issue on my mac.

Device: macbook pro 2019
CPU: Intel
OS: Big Sur 11.6.4
Browser: Firefox 98.0 64-bit
Hetty version: 0.6.0

To reproduce the problem:

  1. hetty cert install --firefox
  2. Open keychain access
  3. Search hetty and make it "Always trust"
  4. hetty --addr localhost:8081
  5. Set foxyproxy to intercept traffic to localhost:8081
  6. Access https://example.com or https://facebook.com. Firefox will say, "Software is preventing Firefox From Safely Connecting to This Site"
  7. Looking at the hetty terminal, it has a similar error "Securing client connection failed. {"error": "handshake error: remote error: tls: bad certificate", "remoteAddr": "127.0.0.1:"

Note: this issue only happens when I install the certificate into the keychain. Importing the hetty_cert.pem file directly into the Firefox browser has no problem at all.

@dstotijn
Owner

Hi @CNKCQ and @tomat0paste, I’m not sure if you’re both encountering the same issue (based on @CNKCQ’s screenshot I cannot really tell what’s the cause there).

But @tomat0paste, I think there are two things at play based on your comment and some research/testing:

  1. It seems like hetty cert install --firefox doesn't install Hetty’s CA into Firefox’s own trust store, at least on macOS 12.1 with Firefox 98. I’ll attempt to fix this and follow up soon. That should solve the issue for you.
  2. When a rogue CA isn’t in Firefox’s own trust store, but it is trusted in the system’s root cert store (e.g. Keychain), it seems that Firefox by default doesn’t allow it (see screenshot below). You could manually disable this behavior via about:config and setting security.enterprise_roots.enabled to true, but use at your own risk.

image

@dstotijn
Owner

Following up on the Firefox cert install issue: For macOS, you’ll need to install NSS before running hetty cert install --firefox (ref). With Homebrew installed you can do this via:

brew install nss

Then run this:

hetty cert install --firefox

Note: You’ll have to restart Firefox afterwards for the root CA to be loaded.

I’m leaving this issue open for now; I’ll update the README/docs site and then will close it.
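
To confirm that the install steps above actually put the CA into each Firefox profile's own NSS store, a check along these lines can be run (an added example, not part of the original thread or of Hetty; the nickname substring `hetty` and the default macOS profile path are assumptions):

```shell
#!/bin/sh
# Usage (after sourcing): check_firefox_profiles [nickname-substring] [profiles-dir]

# nss_ca_trusted DIR SUBSTRING
# Succeeds if the NSS database in DIR lists a certificate whose nickname line
# contains SUBSTRING (case-insensitive) and whose first (SSL) trust field has
# the C flag, i.e. it is trusted as a CA for TLS server certificates.
nss_ca_trusted() {
    certutil -L -d "sql:$1" 2>/dev/null | awk -v pat="$2" '
        BEGIN { pat = tolower(pat) }
        NF >= 2 && index(tolower($0), pat) {
            split($NF, flags, ",")
            if (flags[1] ~ /C/) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# check_firefox_profiles [SUBSTRING] [PROFILES_DIR]
# Returns 0 if every profile trusts the CA, 1 if any does not (or none exist),
# 2 if certutil (NSS tools) is not installed.
check_firefox_profiles() {
    pattern=${1:-hetty}   # assumption: the CA nickname contains "hetty"
    root=${2:-"$HOME/Library/Application Support/Firefox/Profiles"}   # macOS default
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not found; install NSS (brew install nss)" >&2
        return 2
    fi
    seen=0 missing=0
    for dir in "$root"/*/; do
        [ -f "${dir}cert9.db" ] || continue
        seen=1
        if nss_ca_trusted "$dir" "$pattern"; then
            echo "trusted:     $dir"
        else
            echo "not trusted: $dir"
            missing=1
        fi
    done
    [ "$seen" -eq 1 ] || { echo "no Firefox profiles under $root" >&2; return 1; }
    return "$missing"
}
```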

@ghost

ghost commented Mar 17, 2022

brew install nss

Then run this:

hetty cert install --firefox

I can confirm this method works on macOS 11.6.4 also. What the "hetty cert install --firefox" command does on a macOS machine is install the hetty cert in the Mac's keystore and at the same time install the hetty cert in the Firefox app's keystore.

This is another issue, but I also noticed that hetty won't work when I turn ON my corporate VPN and proxify my web traffic on localhost:8081 (hetty proxy).
