> On Apr 24, 2017, at 6:11 PM, Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx> wrote: > > I went through the capture between the app (local end) and the proxy. It appears that the sequence is: > > ClientHello -> (from app to proxy, with a ton of cipher suites, including 0xc02f) > <- ServerHello (with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 – present in ClientHello) > <- CertificateServer Key Exchange, Server Hello Done (includes proxy’s cert rather than the remote end’s cert) > > Alert (Level: Fatal, Description: Certificate Unknown) -> > > So it appears that the app expects the remote end’s cert, and is not happy getting the proxy’s cert instead? Please report tshark output, not an approximate rendition. In what direction is the alert sent? It is indeed possible that the application is not configured for and correctly rejects the forged certificate of the MiTM proxy. It would need the Root CA of the proxy as a trusted issuer, but that may not be configurable. In which case you'd need to let the app connect directly to the remote server without an MiTM-proxy. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users