From f6dadc2b0de712869d9b8aa928915dbb990bb6af Mon Sep 17 00:00:00 2001 From: Maximilian Hils Date: Thu, 27 Aug 2015 00:07:44 +0200 Subject: [PATCH] no more sni double-connects! --- doc-src/howmitmproxy.html | 9 --------- libmproxy/contrib/README | 2 +- 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/doc-src/howmitmproxy.html b/doc-src/howmitmproxy.html index fabd393ac..16b5f7224 100644 --- a/doc-src/howmitmproxy.html +++ b/doc-src/howmitmproxy.html @@ -145,15 +145,6 @@ passed to us. Now we can pause the conversation, and initiate an upstream connection using the correct SNI value, which then serves us the correct upstream certificate, from which we can extract the expected CN and SANs. -There's another wrinkle here. Due to a limitation of the SSL library mitmproxy -uses, we can't detect that a connection _hasn't_ sent an SNI request until it's -too late for upstream certificate sniffing. In practice, we therefore make a -vanilla SSL connection upstream to sniff non-SNI certificates, and then discard -the connection if the client sends an SNI notification. If you're watching your -traffic with a packet sniffer, you'll see two connections to the server when an -SNI request is made, the first of which is immediately closed after the SSL -handshake. Luckily, this is almost never an issue in practice. - ## Putting it all together Lets put all of this together into the complete explicitly proxied HTTPS flow. diff --git a/libmproxy/contrib/README b/libmproxy/contrib/README index e339310a0..e5ce11daf 100644 --- a/libmproxy/contrib/README +++ b/libmproxy/contrib/README @@ -10,5 +10,5 @@ wbxml - https://github.com/davidpshaw/PyWBXMLDecoder tls, BSD license - - https://github.com/mhils/tls/tree/extension-parsing + - https://github.com/mhils/tls/tree/mitmproxy - limited to required files. \ No newline at end of file