Why some iphone apps won't finish ssl handshake with Charles Proxy?

Question

I am using Charles Proxy to see all of the traffic that is coming out of my iphone. I have the ssl certificate/profile installed on my iphone and I can see a lot of the traffic that is ssl encrypted. However, some applications seem to not finish the ssl handshake.

The error is: "SSLHandshake: Remote host closed connection during handshake" and then Charles Proxy suggests to configure the application to trust the Charles Root Certificate. I thought I did when I installed the profile onto my iphone?

Any explanation of this/way to fix it?

If you are using iOS 9, you may have to also disable the App Transport Layer in addition to installing installing the SSL certificate for those applications. See charlesproxy.com/documentation/faqs/ssl-proxying-with-ios-9 — Vee

Steffen Ullrich Steffen Ullrich · Accepted Answer · 2015-07-26T04:34:49

There are applications which don't simply expect the certificate signed one of the trusted CA's on the system, but which expect a single specific certificate or a certificate containing a specific public key. This is called certificate/public key pinning. For this application it will not work if you configure the CA of Charles Proxy as trusted on the system because they will not use this CA.

Any explanation of this/way to fix it?

If the application is built to only trust a single certificate/public key and never trust something just because it is signed by a locally trusted CA, then you would need the original certificate and its private key to do the SSL interception. Since you don't have these there is no way to do the SSL interception.

Why some iphone apps won't finish ssl handshake with Charles Proxy?

2 Answers