field | value | date
---|---|---
author | Aldo Cortesi <aldo@nullcube.com> | 2013-01-02 21:57:39 +1300
committer | Aldo Cortesi <aldo@nullcube.com> | 2013-01-02 21:57:39 +1300
commit | 8e6fabd69a124cc5b5ae763b58587ee6ee6ab3da (patch) |
tree | 03fc66d5d94e5c82ddedd535c430cf9d71fd853a /doc-src/upstreamcerts.html |
parent | 09f664cdeafae1d9923fe5ce2c4ab3acc7757a61 (diff) |
Docs - features.
Diffstat (limited to 'doc-src/upstreamcerts.html')
-rw-r--r-- | doc-src/upstreamcerts.html | 32 |
1 files changed, 19 insertions, 13 deletions
diff --git a/doc-src/upstreamcerts.html b/doc-src/upstreamcerts.html index 32a13a9a..8de75ee3 100644 --- a/doc-src/upstreamcerts.html +++ b/doc-src/upstreamcerts.html @@ -1,15 +1,21 @@ -- command-line: _--upstream-cert_ -- mitmproxy shortcut: _o_, then _u_ +When mitmproxy receives a connection destined for an SSL-protected service, it +freezes the connection before reading its request data, and makes a connection +to the upstream server to "sniff" the contents of its SSL certificate. The +information gained - the __Common Name__ and __Subject Alternative Names__ - is +then used to generate the interception certificate, which is sent to the client +so the connection can continue. -Normally, mitmproxy uses the target domain specified in a client's proxy -request to generate an interception certificate. When __upstream-cert__ mode is -activated a different procedure is followed: a connection is made to the -specified remote server to retrieve its __Common Name__ and __Subject -Alternative Names__. This feature is especially useful when the client -specifies an IP address rather than a host name in the proxy request. If this -is the case, we can only generate a certificate if we can establish the __CN__ -and __SANs__ from the upstream server. +This rather intricate little dance lets us seamlessly generate correct +certificates even if the client has specifed only an IP address rather than the +hostname. It also means that we don't need to sniff additional data to generate +certs in transparent mode. -Note that __upstream-cert__ mode does not work when the remote server relies on -[Server Name Indication](http://en.wikipedia.org/wiki/Server_Name_Indication). -Luckily, SNI is still not very widely used. +Upstream cert sniffing is on by default, and can optionally be turned off. + +<table class="table"> + <tbody> + <tr> + <th width="20%">command-line</th> <td>--no-upstream-cert</td> + </tr> + </tbody> +</table> |
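Review bot: the rewritten page drops the caveat that upstream-cert sniffing does not work when the remote server relies on Server Name Indication, and nothing in the new text states that limitation; since the sniffed Common Name and Subject Alternative Names are what drive the generated interception certificate, a reader should still be told that a certificate sniffed from an SNI-dependent host may be the wrong one, so consider keeping a one-line caveat next to "Upstream cert sniffing is on by default, and can optionally be turned off." Two smaller points in the same hunk: "has specifed only an IP address" should read "specified", and the removed "mitmproxy shortcut: _o_, then _u_" line has no counterpart in the new table, which lists only the command-line flag; if an interactive toggle still exists it belongs in that table beside `--no-upstream-cert`.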