diff options
Diffstat (limited to 'doc-src/features/upstreamcerts.html')
| -rw-r--r-- | doc-src/features/upstreamcerts.html | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/doc-src/features/upstreamcerts.html b/doc-src/features/upstreamcerts.html new file mode 100644 index 00000000..8de75ee3 --- /dev/null +++ b/doc-src/features/upstreamcerts.html @@ -0,0 +1,21 @@ +When mitmproxy receives a connection destined for an SSL-protected service, it +freezes the connection before reading its request data, and makes a connection +to the upstream server to "sniff" the contents of its SSL certificate. The +information gained - the __Common Name__ and __Subject Alternative Names__ - is +then used to generate the interception certificate, which is sent to the client +so the connection can continue. + +This rather intricate little dance lets us seamlessly generate correct +certificates even if the client has specifed only an IP address rather than the +hostname. It also means that we don't need to sniff additional data to generate +certs in transparent mode. + +Upstream cert sniffing is on by default, and can optionally be turned off. + +<table class="table"> + <tbody> + <tr> + <th width="20%">command-line</th> <td>--no-upstream-cert</td> + </tr> + </tbody> +</table> |