
Issues with SSL interception (bytedance/g3 issue, 8 comments, closed)

bytedance commented on September 24, 2024
Issues with SSL interception

from g3.

Comments (8)

mspublic commented on September 24, 2024

It looks like the certificate generation has some issues. The certificates it is generating are using the same fingerprints/public keys for multiple websites. For example, Google's and GitHub's certificates are the same. I am attaching the certificates that are output from the proxy. This issue is causing Firefox to fail on all sites with "SEC_ERROR_REUSED_ISSUER_AND_SERIAL". I have tested with the base build and boringssl.

[Two screenshots attached, dated 2024-02-16]

www.google.com.pem.txt
github.com.pem.txt


zh-jq commented on September 24, 2024

Yes, currently g3fcgen uses a single private key for all cert generation.
I will fix this after I am back at work.
For production usage you may want to use a custom cert generator, as long as it follows the protocol described here: https://github.com/bytedance/g3/blob/master/g3proxy/doc/protocol/helper/cert_generator.rst


zh-jq-b commented on September 24, 2024

I have updated g3fcgen to use a different serial for each cert generation.
Firefox can now work with HTTP/1. I have to spend more time investigating why h2 streams get timed out.

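The two defects discussed in the comments above, one private key shared by every generated leaf and one serial number reused under the same issuer (the condition Firefox reports as SEC_ERROR_REUSED_ISSUER_AND_SERIAL), can be reproduced and checked offline. The Go program below is an added example for this thread; it is not g3fcgen's code and does not implement the g3 helper protocol. It builds a throwaway interception CA in memory, issues leaves for the two hosts from the attached PEMs in both a legacy mode (shared key, constant serial) and a fixed mode (fresh key, random serial), and runs a checker that flags issuer+serial reuse and public-key reuse. The names Generator, Issue, IssueAll and CheckReuse, the 127-bit serial size and the 24-hour validity are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// must keeps the example short: any failure below is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// Generator mints per-host leaf certificates under a throwaway interception CA
// (constructed for this example, not g3fcgen's code). With Legacy set it
// reproduces the bug reported above: one private key and one serial for every leaf.
type Generator struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	Legacy bool
	oneKey *ecdsa.PrivateKey // the single leaf key used on the Legacy path
}

// NewGenerator self-signs an in-memory CA and returns a generator for it.
func NewGenerator(legacy bool) *Generator {
	caKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-intercept-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey))
	return &Generator{caCert: must(x509.ParseCertificate(der)), caKey: caKey, Legacy: legacy, oneKey: newKey()}
}

// Issue mints a leaf for host. The fixed path draws a fresh key and a random
// 127-bit serial (positive and inside RFC 5280's 20-octet limit); the Legacy
// path reuses oneKey and serial 1, which is what makes Firefox fail.
func (g *Generator) Issue(host string) *x509.Certificate {
	key, serial := g.oneKey, big.NewInt(1)
	if !g.Legacy {
		key = newKey()
		serial = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)))
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, g.caCert, &key.PublicKey, g.caKey))
	return must(x509.ParseCertificate(der))
}

// IssueAll mints one leaf per host, as the proxy does for each intercepted site.
func IssueAll(g *Generator, hosts []string) []*x509.Certificate {
	certs := make([]*x509.Certificate, 0, len(hosts))
	for _, h := range hosts {
		certs = append(certs, g.Issue(h))
	}
	return certs
}

// CheckReuse reports what a browser rejects in a set of leaves: two certificates
// from the same issuer with the same serial (Firefox's SEC_ERROR_REUSED_ISSUER_AND_SERIAL)
// and, the hygiene problem the attached PEMs showed, two hosts sharing one public key.
func CheckReuse(certs []*x509.Certificate) []string {
	var findings []string
	bySerial, byKey := map[string]string{}, map[string]string{}
	for _, c := range certs {
		host := c.Subject.CommonName
		sk := hex.EncodeToString(c.RawIssuer) + ":" + c.SerialNumber.Text(16)
		if first, dup := bySerial[sk]; dup {
			findings = append(findings, fmt.Sprintf("issuer+serial reused by %s and %s", first, host))
		} else {
			bySerial[sk] = host
		}
		spki := sha256.Sum256(c.RawSubjectPublicKeyInfo) // key identity = hash of the SPKI
		kk := hex.EncodeToString(spki[:])
		if first, dup := byKey[kk]; dup {
			findings = append(findings, fmt.Sprintf("public key reused by %s and %s", first, host))
		} else {
			byKey[kk] = host
		}
	}
	return findings
}

func main() {
	hosts := []string{"www.google.com", "github.com"} // the two hosts whose PEMs were attached above
	fmt.Println("legacy:", CheckReuse(IssueAll(NewGenerator(true), hosts)))
	fmt.Println("fixed: ", CheckReuse(IssueAll(NewGenerator(false), hosts)))
}
```

Saved as main.go and run with go run, the legacy generator reports both findings for www.google.com and github.com and the fixed generator reports none. CheckReuse only reads RawIssuer, SerialNumber and RawSubjectPublicKeyInfo, so it can be pointed at certificates dumped from a real proxy (decode the PEM and call x509.ParseCertificate) to confirm whether a deployed generator has the same problem.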

zh-jq-b commented on September 24, 2024

I have removed the h2 server push feature and Firefox now works with h2 enabled.

Also note that the replacement feature - 103 Early Hints, is currently not supported by the h2 crate (ignored silently).


mspublic commented on September 24, 2024

Thanks! Being able to use g3fcgen would be ideal for the long-term use of the project (in production). If we compare to something like Squid etc., they all have the functionality built in. Being able to leverage the same code/libraries is very useful to make sure there are no conflicts in functionality/support of encryption methods etc.

Is there a different cert generator that you have been using?


zh-jq-b commented on September 24, 2024

> Being able to use g3fcgen would be ideal for the long-term use of the project (in production). If we compare to something like Squid etc., they all have the functionality built in. Being able to leverage the same code/libraries is very useful to make sure there are no conflicts in functionality/support of encryption methods etc.

The current way is just the same as Squid's helper program: providing a default implementation while still making it possible to use another one if you want a cert cache, hardware acceleration or any other features.

> Is there a different cert generator that you have been using?

Yes, we used another one in the initial test which binds more tightly to our infrastructure.


mspublic commented on September 24, 2024

That makes sense. I wasn't sure if there was a better one I should be using. The fixes you made have been working great, though! Thanks!


mspublic commented on September 24, 2024

Following up on this. The changes made have been working perfectly. This can be closed.

Thank you again my friend.

