2012-04-03 23:24:58 +00:00
- command-line: _--upstream-cert_
- mitmproxy shortcut: _o_, then _u_

2012-04-04 02:17:26 +00:00
Normally, mitmproxy uses the target domain specified in a client's proxy request to generate an interception certificate. When __upstream-cert__ mode is activated, a different procedure is followed: a connection is made to the specified remote server to retrieve its __Common Name__ and __Subject Alternative Names__. This feature is especially useful when the client specifies an IP address rather than a host name in the proxy request. If this is the case, we can only generate a certificate if we can establish the __CN__ and __SANs__ from the upstream server.

Note that __upstream-cert__ mode does not work when the remote server relies on [Server Name Indication](http://en.wikipedia.org/wiki/Server_Name_Indication). Luckily, SNI is still not very widely used.
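
The name selection described above, sketched in Python as an added example (not mitmproxy's own code): the function names and the sample certificate are hypothetical, and the certificate is read in the dict format returned by the standard library's `ssl.SSLSocket.getpeercert()`. The fetch passes no server name, so no SNI is sent, which is the case the note above warns about.

```python
import socket
import ssl

def fetch_upstream_cert(host, port=443, timeout=5.0):
    """Connect to the upstream server and return its certificate as the dict
    produced by getpeercert(). No server_hostname is passed, so no SNI is
    sent and an SNI-dependent server answers with its default certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the client may have given only an IP address
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()

def upstream_names(cert):
    """Extract (common_name, [subject alternative names]) from a cert dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in cert.get("subjectAltName", ())
            if kind in ("DNS", "IP Address")]
    return cn, sans

def interception_names(target, upstream_cert=None):
    """Names to place on the interception certificate.
    Default mode: the target from the client's proxy request.
    upstream-cert mode: CN and SANs read from the upstream certificate."""
    if upstream_cert is None:
        return target, []
    cn, sans = upstream_names(upstream_cert)
    if cn is None and not sans:
        raise ValueError("upstream certificate carries no usable names")
    return cn or sans[0], sans

# Constructed sample in getpeercert() format (not captured from a real server).
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "www.example.test"),)),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}

if __name__ == "__main__":
    # Client sent "CONNECT 192.0.2.10:443": default mode only knows the IP.
    print(interception_names("192.0.2.10"))
    print(interception_names("192.0.2.10", SAMPLE_CERT))
```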