-rwxr-xr-xexamples/flowbasic2
-rwxr-xr-xexamples/stickycookies2
-rw-r--r--libmproxy/proxy/config.py14
-rw-r--r--libmproxy/proxy/server.py10
4 files changed, 15 insertions, 13 deletions
diff --git a/examples/flowbasic b/examples/flowbasic
index 21d31efa..b99266c8 100755
--- a/examples/flowbasic
+++ b/examples/flowbasic
@@ -36,7 +36,7 @@ class MyMaster(flow.FlowMaster):
config = proxy.ProxyConfig(
port=8080,
- ca_file=os.path.expanduser("~/.mitmproxy/mitmproxy-ca.pem")
+ default_ca=os.path.expanduser("~/.mitmproxy/mitmproxy-ca.pem")
)
state = flow.State()
server = ProxyServer(config)
diff --git a/examples/stickycookies b/examples/stickycookies
index 132e4dc7..94adfcf8 100755
--- a/examples/stickycookies
+++ b/examples/stickycookies
@@ -38,7 +38,7 @@ class StickyMaster(controller.Master):
config = proxy.ProxyConfig(
port=8080,
- ca_file=os.path.expanduser("~/.mitmproxy/mitmproxy-ca.pem")
+ default_ca=os.path.expanduser("~/.mitmproxy/mitmproxy-ca.pem")
)
server = ProxyServer(config)
m = StickyMaster(server)
diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py
index 62104a24..b5974807 100644
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
@@ -16,7 +16,7 @@ def parse_host_pattern(patterns):
class ProxyConfig:
def __init__(self, host='', port=8080, server_version=version.NAMEVERSION,
- confdir=CONF_DIR, ca_file=None, clientcerts=None,
+ confdir=CONF_DIR, default_ca=None, clientcerts=None,
no_upstream_cert=False, body_size_limit=None,
mode=None, upstream_server=None, http_form_in=None, http_form_out=None,
authenticator=None, ignore=[],
@@ -45,7 +45,7 @@ class ProxyConfig:
self.ignore = parse_host_pattern(ignore)
self.authenticator = authenticator
self.confdir = os.path.expanduser(confdir)
- self.ca_file = ca_file or os.path.join(self.confdir, CONF_BASENAME + "-ca.pem")
+ self.default_ca = default_ca or os.path.join(self.confdir, CONF_BASENAME + "-ca.pem")
self.certstore = certutils.CertStore.from_store(self.confdir, CONF_BASENAME)
for spec, cert in certs:
self.certstore.add_cert_file(spec, cert)
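Review bot: `self.default_ca` is assigned on the `+` line but nothing in this hunk consumes it: `CertStore.from_store(self.confdir, CONF_BASENAME)` on the following line still derives its CA from the conf dir alone, and the server.py hunks in this same commit drop the old `ca_file=self.config.ca_file` argument that was the previous consumer. If `default_ca` is not read elsewhere (the cmdline layer is not in this diff), a caller passing a custom CA path silently gets the conf-dir CA, which matters for the trust root of a MITM proxy. Either feed it into the store or document its consumer on the assignment, e.g. `# default_ca is not used by the certstore below; read by <consumer>` once that consumer is confirmed. The `__init__` body starts and ends outside the hunk.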
@@ -133,10 +133,12 @@ def ssl_option_group(parser):
group.add_argument(
"--cert", dest='certs', default=[], type=str,
metavar="SPEC", action="append",
- help='Add an SSL certificate. SPEC is of the form "[domain=]path". ' \
- 'The domain may include a wildcard, and is equal to "*" if not specified. ' \
- 'The file at path is a certificate in PEM format. If a private key is included in the PEM, ' \
- 'it is used, else the default key in the conf dir is used. Can be passed multiple times.'
+ help='Add an SSL certificate. SPEC is of the form "[domain=]path". '
+ 'The domain may include a wildcard, and is equal to "*" if not specified. '
+ 'The file at path is a certificate in PEM format. If a private key is included in the PEM, '
+ 'it is used, else the default key in the conf dir is used. '
+ 'The PEM file should contain the full certificate chain, with the leaf certificate as the first entry. '
+ 'Can be passed multiple times.'
)
group.add_argument(
"--client-certs", action="store",
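Review bot: The added help text says the PEM "should contain the full certificate chain" but does not say what is presented when a `--cert` file holds only the leaf; since the server.py hunks in this commit replace the old `ca_file` argument with the per-certificate `chain_file`, a leaf-only file presumably no longer gets any intermediates appended, which is a behaviour change for existing users of this option. Suggest stating it explicitly, e.g. `'If no chain is included, only the leaf certificate is sent to the client. '`, and saying whether the root is expected in the file. `ssl_option_group` continues outside the hunk.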
diff --git a/libmproxy/proxy/server.py b/libmproxy/proxy/server.py
index 307a4bcd..0152f539 100644
--- a/libmproxy/proxy/server.py
+++ b/libmproxy/proxy/server.py
@@ -190,14 +190,14 @@ class ConnectionHandler:
if client:
if self.client_conn.ssl_established:
raise ProxyError(502, "SSL to Client already established.")
- cert, key = self.find_cert()
+ cert, key, chain_file = self.find_cert()
try:
self.client_conn.convert_to_ssl(
cert, key,
handle_sni=self.handle_sni,
cipher_list=self.config.ciphers,
dhparams=self.config.certstore.dhparams,
- ca_file=self.config.ca_file
+ chain_file=chain_file
)
except tcp.NetLibError as v:
raise ProxyError(400, repr(v))
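Review bot: `cert, key, chain_file = self.find_cert()` now unpacks three values, but `find_cert` is not changed in this diff (the diffstat accounts for all ten server.py lines shown here), so the new shape must come from the certstore it wraps; if that dependency is not updated in lockstep the unpack raises `ValueError` on the line before the `try`, where it is not converted into a `ProxyError` and escapes the handler. Worth confirming the paired certstore change, and a one-line comment on the call, `# find_cert -> (cert, key, chain_file); chain_file may be None`, would make the contract explicit if None is indeed a valid value. The enclosing method starts and ends outside the hunk.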
@@ -264,17 +264,17 @@ class ConnectionHandler:
self.log("SNI received: %s" % self.sni, "debug")
self.server_reconnect() # reconnect to upstream server with SNI
# Now, change client context to reflect changed certificate:
- cert, key = self.find_cert()
+ cert, key, chain_file = self.find_cert()
new_context = self.client_conn._create_ssl_context(
cert, key,
method=SSL.TLSv1_METHOD,
cipher_list=self.config.ciphers,
dhparams=self.config.certstore.dhparams,
- ca_file=self.config.ca_file
+ chain_file=chain_file
)
connection.set_context(new_context)
# An unhandled exception in this method will core dump PyOpenSSL, so
# make dang sure it doesn't happen.
- except Exception: # pragma: no cover
+ except: # pragma: no cover
import traceback
self.log("Error in handle_sni:\r\n" + traceback.format_exc(), "error") \ No newline at end of file
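Review bot: Replacing `except Exception:` with a bare `except:` on the last lines widens the handler to `KeyboardInterrupt` and `SystemExit` and then only logs them; the comment above explains that nothing may escape this PyOpenSSL callback, so the intent is presumably to catch `BaseException`, and writing it that way states the intent without the bare-except lint hit: `except BaseException:  # pragma: no cover`. A why-comment on that line would also help, e.g. `# BaseException on purpose: an exception escaping the SNI callback crashes PyOpenSSL`. `handle_sni` starts outside the hunk.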