Add TLS debugging and certificate generation improvements

ammario · claude · ammario · commit 602b25322c08 · 2025-09-04T11:42:07.000-05:00
- Added comprehensive TLS environment debug script for CI - Added explicit serial number and validity dates to generated certificates to avoid potential OpenSSL 3.0.x compatibility issues - Added logging for certificate generation The Linux CI failures appear to be environment-specific since the same code passes on macOS CI. The error 'OpenSSL/3.0.13: error:06880006:asn1 encoding routines::EVP lib' suggests OpenSSL 3.0.x may have issues with certain ECDSA certificate configurations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/scripts/debug_tls_handshake.sh b/scripts/debug_tls_handshake.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+# Debug script to test TLS handshake with httpjail proxy
+
+echo "=== TLS Handshake Debug ==="
+echo ""
+
+# Find httpjail binary
+HTTPJAIL=""
+for bin in target/debug/httpjail target/release/httpjail; do
+    if [ -f "$bin" ]; then
+        HTTPJAIL="$bin"
+        echo "Using httpjail: $HTTPJAIL"
+        break
+    fi
+done
+
+if [ -z "$HTTPJAIL" ]; then
+    echo "Error: httpjail binary not found"
+    exit 1
+fi
+
+# Find CA cert
+CA_CERT=""
+for dir in /home/runner/.config/httpjail /root/.config/httpjail $HOME/.config/httpjail; do
+    if [ -f "$dir/ca-cert.pem" ]; then
+        CA_CERT="$dir/ca-cert.pem"
+        echo "Using CA cert: $CA_CERT"
+        break
+    fi
+done
+
+if [ -z "$CA_CERT" ]; then
+    echo "Warning: No CA cert found, will generate one"
+fi
+
+echo ""
+echo "1. Starting httpjail in background (weak mode for testing)..."
+# Start httpjail in weak mode to test proxy directly
+$HTTPJAIL -r "allow: .*" --weak -- sleep 30 &
+HTTPJAIL_PID=$!
+sleep 2
+
+# Get proxy ports from environment
+HTTP_PROXY_PORT=$(ps aux | grep -E "httpjail.*--weak" | grep -v grep | sed -n 's/.*HTTP_PROXY=.*:\([0-9]*\).*/\1/p' | head -1)
+HTTPS_PROXY_PORT=$(ps aux | grep -E "httpjail.*--weak" | grep -v grep | sed -n 's/.*HTTPS_PROXY=.*:\([0-9]*\).*/\1/p' | head -1)
+
+if [ -z "$HTTP_PROXY_PORT" ]; then
+    HTTP_PROXY_PORT=3128
+fi
+if [ -z "$HTTPS_PROXY_PORT" ]; then  
+    HTTPS_PROXY_PORT=3129
+fi
+
+echo "Proxy ports: HTTP=$HTTP_PROXY_PORT, HTTPS=$HTTPS_PROXY_PORT"
+echo ""
+
+echo "2. Testing direct HTTPS connection to proxy..."
+# Use openssl s_client to test the TLS handshake directly
+echo "CONNECT example.com:443 HTTP/1.1" | openssl s_client -connect 127.0.0.1:$HTTPS_PROXY_PORT -servername example.com -CAfile "$CA_CERT" -showcerts 2>&1 | head -50
+
+echo ""
+echo "3. Testing with curl through proxy..."
+if [ -n "$CA_CERT" ]; then
+    curl -v --proxy https://127.0.0.1:$HTTPS_PROXY_PORT --cacert "$CA_CERT" -I https://example.com 2>&1 | head -30
+else
+    curl -v --proxy https://127.0.0.1:$HTTPS_PROXY_PORT -I https://example.com 2>&1 | head -30
+fi
+
+echo ""
+echo "4. Extracting certificate details from proxy..."
+# Connect and get the certificate the proxy is sending
+echo | openssl s_client -connect 127.0.0.1:$HTTPS_PROXY_PORT -servername example.com 2>/dev/null | openssl x509 -text -noout 2>&1 | grep -E "Subject:|Issuer:|Signature Algorithm:|Public Key Algorithm:|Not Before:|Not After:" | head -20
+
+# Kill httpjail
+kill $HTTPJAIL_PID 2>/dev/null
+wait $HTTPJAIL_PID 2>/dev/null
+
+echo ""
+echo "=== End TLS Handshake Debug ==="
diff --git a/src/tls.rs b/src/tls.rs
@@ -178,6 +178,10 @@ impl CertificateManager {
 
         // Generate new certificate
         debug!("Generating certificate for {}", hostname);
+        info!(
+            "Certificate generation: hostname={}, key_type=ECDSA-P256",
+            hostname
+        );
 
         let mut params = CertificateParams::new(vec![hostname.to_string()])
             .context("Failed to create certificate params")?;
@@ -195,6 +199,17 @@ impl CertificateManager {
 
         params.extended_key_usages = vec![rcgen::ExtendedKeyUsagePurpose::ServerAuth];
 
+        // Set serial number explicitly to avoid potential issues with OpenSSL 3.0.x
+        params.serial_number = Some(rcgen::SerialNumber::from(vec![1, 2, 3, 4]));
+
+        // Set validity period - 1 year from now
+        use chrono::{Datelike, Utc};
+        let now = Utc::now();
+        let not_before = rcgen::date_time_ymd(now.year(), now.month() as u8, now.day() as u8);
+        let not_after = rcgen::date_time_ymd(now.year() + 1, now.month() as u8, now.day() as u8);
+        params.not_before = not_before;
+        params.not_after = not_after;
+
         // Sign certificate with CA using the shared key pair
         let cert = params.signed_by(&self.server_key_pair, &self.ca_cert, &self.ca_key_pair)?;
         let cert_der = cert.der().clone();
