Why do some iPhone apps not finish the SSL handshake with Charles Proxy?


Solution 1

There are applications which don't simply expect the certificate to be signed by one of the trusted CAs on the system, but which expect a single specific certificate or a certificate containing a specific public key. This is called certificate/public key pinning. For such applications it will not work if you configure the CA of Charles Proxy as trusted on the system, because they will not use this CA.

Any explanation of this/way to fix it?

If the application is built to only trust a single certificate/public key and never to trust something just because it is signed by a locally trusted CA, then you would need the original certificate and its private key to do the SSL interception. Since you don't have these, there is no way to do the SSL interception.
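To make concrete why a trusted Charles root does not help against a pinning app, here is an added example (it is not code from this answer, from Charles Proxy, or from any particular iOS app). It parses the SubjectPublicKeyInfo out of a DER certificate and compares base64(SHA-256(SPKI)), the pin format used by HPKP, OkHttp and TrustKit, against a pinned set. The two certificates it checks are constructed, minimal DER stubs built in the block itself (placeholder names, serials, key bytes and an unsigned signature field), not real certificates: one carries the stand-in "server" key, the other the same subject with a different key, which is exactly what a Charles-generated per-host certificate looks like to the app.

```python
"""SPKI (public-key) pinning check on DER certificates.

The certificates below are constructed stubs for illustration, not real
X.509 certificates, and the keys are placeholder byte strings.
"""
import base64
import hashlib


# --- minimal DER encoder, used only to build the sample certificates --------
def der_len(n):
    """DER length octets (short form under 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def seq(*parts):
    return tlv(0x30, b"".join(parts))


def spki_for(pubkey_bytes):
    """SubjectPublicKeyInfo = SEQ { SEQ { OID rsaEncryption, NULL }, BIT STRING }."""
    rsa_oid = tlv(0x06, bytes.fromhex("2a864886f70d010101"))  # 1.2.840.113549.1.1.1
    alg = seq(rsa_oid, tlv(0x05, b""))
    return seq(alg, tlv(0x03, b"\x00" + pubkey_bytes))  # leading 0x00 = no unused bits


def fake_cert(subject, pubkey_bytes):
    """Certificate = SEQ { tbsCertificate, signatureAlgorithm, signature }.
    Placeholder values everywhere except the SPKI; the signature is zeros."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))  # [0] EXPLICIT INTEGER 2 (v3)
    serial = tlv(0x02, b"\x01")
    sig_alg = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))
    cn = seq(tlv(0x31, seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, subject.encode()))))
    validity = seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z"))
    tbs = seq(version, serial, sig_alg, cn, validity, cn, spki_for(pubkey_bytes))
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" + bytes(32)))


# --- the part a pinning client actually runs --------------------------------
def der_iter(buf):
    """Yield (tag, body, raw_tlv) for each element of a DER sequence body."""
    i = 0
    while i < len(buf):
        start = i
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:  # long-form length
            n = ln & 0x7F
            ln = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + ln], buf[start:i + ln]
        i += ln


def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo of a certificate."""
    _, cert_body, _ = next(der_iter(cert_der))
    _, tbs_body, _ = next(der_iter(cert_body))
    fields = list(der_iter(tbs_body))
    if fields[0][0] == 0xA0:  # skip optional explicit version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


def spki_pin(cert_der):
    """Pin string as used by HPKP / OkHttp / TrustKit: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_check(cert_der, pinned):
    """Runs after (or instead of) chain validation. The Charles root being in the
    system trust store is irrelevant here: only the key inside the cert matters."""
    return spki_pin(cert_der) in pinned


# constructed sample keys and certificates
SERVER_KEY = bytes(range(1, 65))      # stand-in for the real server public key
CHARLES_KEY = bytes(range(65, 129))   # stand-in for Charles' generated per-host key
SERVER_CERT = fake_cert("api.example.com", SERVER_KEY)
CHARLES_CERT = fake_cert("api.example.com", CHARLES_KEY)  # same name, other key
PINS = {spki_pin(SERVER_CERT)}         # what the app ships with

if __name__ == "__main__":
    print("server cert passes pin :", pin_check(SERVER_CERT, PINS))
    print("charles cert passes pin:", pin_check(CHARLES_CERT, PINS))
```

Because the pin is on the key rather than the whole certificate, a re-issued certificate for the same key still passes (that is why key pinning survives routine renewals), while any certificate minted by Charles fails regardless of how the root is trusted. The only things that change this outcome are the server's private key, which you do not have, or modifying the app so that `pin_check` is never consulted.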

Solution 2

Yes, SSL pinning is a possibility. Although, as of iOS 10.3, you must take an additional step to trust the Charles Root Certificate that is not currently documented on their website (edit: this info is now under iOS Devices here: https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/):

Settings > General > About > Certificate Trust Settings

Source: https://www.neglectedpotential.com/2017/04/trusting-custom-root-certificates-on-ios-10-3/

Author: Grant Brown

Updated on July 09, 2022

Comments

  • Grant Brown
    Grant Brown almost 2 years

    I am using Charles Proxy to see all of the traffic that is coming out of my iphone. I have the ssl certificate/profile installed on my iphone and I can see a lot of the traffic that is ssl encrypted. However, some applications seem to not finish the ssl handshake.

    The error is: "SSLHandshake: Remote host closed connection during handshake" and then Charles Proxy suggests to configure the application to trust the Charles Root Certificate. I thought I did when I installed the profile onto my iphone?

    Any explanation of this/way to fix it?

  • Aero Wang
    Aero Wang over 7 years
    What a shame. I think I am having the same problem here while I tried to reverse engineer an iOS app.
  • harmeet07
    harmeet07 almost 7 years
    I downloaded the SSL certificate and installed it. Once I trusted it it worked great.
  • Fidan Hakaj
    Fidan Hakaj over 6 years
    Thanks! It did the job
  • Scott Zhu
    Scott Zhu over 6 years
    they should add this to the documentation
  • Wingzero
    Wingzero about 6 years
    This is an answer you wish never skipped
  • Besi
    Besi almost 6 years
    This is now documented on the Charles website: charlesproxy.com/documentation/using-charles/ssl-certificate‌​s
  • charmingToad
    charmingToad over 5 years
    I find there are still some websites that won't accept this... particularly apple-related, such as opening the app store on an iPad (probably pinning, like you said).
  • Talk is Cheap Show me Code
    Talk is Cheap Show me Code almost 5 years
    I agree that some apps don't accept this; it is also the same issue with Fiddler. They simply throw the error that the client certificate cannot be trusted and ask to switch to another network. Maybe pinning is the issue.
  • Talk is Cheap Show me Code
    Talk is Cheap Show me Code almost 5 years
    I am still wondering, is there really a way to bypass the certificate validation checking?
  • Ray Luxembourg
    Ray Luxembourg over 4 years
    What to do if some connections are still not working?
  • Peter Schorn
    Peter Schorn over 3 years
    This does not always resolve the issue, especially if you are trying to intercept the traffic of a third-party app that uses certificate pinning.