mitmproxy fails with GOST ciphers — "no shared cipher" #7900

stmeup544-a11y · 2025-10-05T14:14:40Z

stmeup544-a11y
Oct 5, 2025

I'm trying to intercept traffic from an application that uses both standard and non-standard TLS algorithms. In some cases the ClientHello includes the following cipher suites:

These are Russian GOST algorithms. I added the GOST engine implementation to OpenSSL and performed the following tests.

First, I generated a key, CSR and self-signed certificate and started an OpenSSL s_server:

export OPENSSL_CONF=/etc/ssl/openssl.cnf

OPENSSL_CONF=$OPENSSL_CONF openssl genpkey \
  -engine gost \
  -algorithm gost2012_256 \
  -pkeyopt paramset:TCA \
  -out gost256-TCA.key

ls -l gost256-TCA.key

OPENSSL_CONF=$OPENSSL_CONF openssl pkey \
  -in gost256-TCA.key \
  -engine gost \
  -text -noout

OPENSSL_CONF=$OPENSSL_CONF openssl req -new \
  -engine gost \
  -key gost256-TCA.key \
  -out gost.csr \
  -subj "/CN=test-gost"

OPENSSL_CONF=$OPENSSL_CONF openssl x509 -req \
  -engine gost \
  -in gost.csr \
  -signkey gost256-TCA.key \
  -out gost.crt \
  -days 365

OPENSSL_CONF=$OPENSSL_CONF openssl x509 -in gost.crt -text -noout | egrep -i "Public Key|Signature Algorithm|Subject"

OPENSSL_CONF=$OPENSSL_CONF openssl s_server \
  -accept 8443 \
  -cert gost.crt \
  -engine gost \
  -key gost256-TCA.key \
  -cipher 'GOST2012-MAGMA-MAGMAOMAC' \
  -tls1_2 -msg

In a second terminal I connected with openssl s_client:

export OPENSSL_CONF=/etc/ssl/openssl.cnf
OPENSSL_CONF=$OPENSSL_CONF openssl s_client \
  -connect 127.0.0.1:8443 \
  -cipher 'GOST2012-MAGMA-MAGMAOMAC' \
  -tls1_2 -msg

This works: I can generate keys/certs, run the server and connect to it using OpenSSL.

Also I checked available ciphers:

openssl ciphers -V | grep GOST
          0xC1,0x01 - GOST2012-MAGMA-MAGMAOMAC       TLSv1.2 Kx=GOST18   Au=unknown Enc=MAGMA                  Mac=unknown
          0xC1,0x00 - GOST2012-KUZNYECHIK-KUZNYECHIKOMAC TLSv1.2 Kx=GOST18   Au=unknown Enc=KUZNYECHIK             Mac=unknown
          0xFF,0x85 - LEGACY-GOST2012-GOST8912-GOST8912 TLSv1   Kx=GOST     Au=GOST12 Enc=GOST89(256)            Mac=GOST89
          0xC1,0x02 - IANA-GOST2012-GOST8912-GOST8912 TLSv1   Kx=GOST     Au=GOST12 Enc=GOST89(256)            Mac=GOST89
          0x00,0x81 - GOST2001-GOST89-GOST89         TLSv1   Kx=GOST     Au=GOST01 Enc=GOST89(256)            Mac=GOST89

Then I installed mitmproxy and rebuilt the Python cryptography package pointing it to my OpenSSL:

export PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig:$PKG_CONFIG_PATH
export CFLAGS="-I/usr/include"
export LDFLAGS="-L/usr/lib/x86_64-linux-gnu"

pip install --upgrade pip setuptools wheel setuptools-rust maturin cffi
pip install mitmproxy==12.1.2
pip uninstall -y cryptography
pip install --no-binary :all: cryptography==45.0.7 --no-build-isolation -v

However, when I try to intercept the application's traffic, mitmproxy reports:

Client TLS handshake failed. The client may not trust the proxy's certificate for <no address> (OpenSSL Error([('SSL routines', '', 'no shared cipher')]))

I also tried to connect to mitmproxy with openssl s_client:

OPENSSL_CONF=$OPENSSL_CONF openssl s_client \
  -connect 127.0.0.1:8080 \
  -cipher 'GOST2012-MAGMA-MAGMAOMAC' \
  -tls1_2 -msg

That fails with the same error. Mitmproxy does not send a ServerHello, it just closes the connection.

Do I understand correctly that mitmproxy is unable to generate and present a valid certificate for this request (using GOST algorithms), and therefore closes the connection? Is there any way to make mitmproxy work with these algorithms?

Mitmproxy version: 12.1.2
OpenSSL version: 3.0.13
cryptography package version: 45.0.7
OS: Ubuntu DISTRIB_RELEASE=24.04

sh1baaaaa · 2025-10-06T08:27:24Z

sh1baaaaa
Oct 6, 2025

active

0 replies

mhils · 2025-10-09T16:29:05Z

mhils
Oct 9, 2025
Maintainer

You may need to adjust https://docs.mitmproxy.org/stable/concepts/options/#ciphers_client.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

mitmproxy fails with GOST ciphers — "no shared cipher" #7900

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

mitmproxy fails with GOST ciphers — "no shared cipher" #7900

Uh oh!

stmeup544-a11y Oct 5, 2025

Replies: 2 comments

Uh oh!

sh1baaaaa Oct 6, 2025

Uh oh!

mhils Oct 9, 2025 Maintainer

stmeup544-a11y
Oct 5, 2025

sh1baaaaa
Oct 6, 2025

mhils
Oct 9, 2025
Maintainer