2015-09-04 14:17:55 +00:00
|
|
|
.. _upstreamcerts:
|
|
|
|
|
|
|
|
|
|
Upstream Certificates
|
2015-09-06 01:20:58 +00:00
|
|
|
=====================
|
|
|
|
|
|
|
|
|
|
When mitmproxy receives a connection destined for an SSL-protected service, it
|
|
|
|
|
freezes the connection before reading its request data, and makes a connection
|
|
|
|
|
to the upstream server to "sniff" the contents of its SSL certificate. The
|
|
|
|
|
information gained - the **Common Name** and **Subject Alternative Names** - is
|
|
|
|
|
then used to generate the interception certificate, which is sent to the client
|
|
|
|
|
so the connection can continue.
|
|
|
|
|
|
|
|
|
|
This rather intricate little dance lets us seamlessly generate correct
|
2015-12-12 10:18:56 +00:00
|
|
|
certificates even if the client has specified only an IP address rather than the
|
2015-09-06 01:20:58 +00:00
|
|
|
hostname. It also means that we don't need to sniff additional data to generate
|
|
|
|
|
certs in transparent mode.
|
|
|
|
|
|
|
|
|
|
Upstream cert sniffing is on by default, and can optionally be turned off.
|
|
|
|
|
|
2016-06-07 02:08:46 +00:00
|
|
|
================== ======================
|
|
|
|
|
command-line ``--no-upstream-cert``
|
2015-09-06 01:20:58 +00:00
|
|
|
mitmproxy shortcut :kbd:`o` then :kbd:`U`
|
2016-06-07 02:08:46 +00:00
|
|
|
================== ======================
|
