path: root/mitmproxy/docs/features/upstreamcerts.rst
Diffstat (limited to 'mitmproxy/docs/features/upstreamcerts.rst')
-rw-r--r-- mitmproxy/docs/features/upstreamcerts.rst 23
1 files changed, 23 insertions, 0 deletions
diff --git a/mitmproxy/docs/features/upstreamcerts.rst b/mitmproxy/docs/features/upstreamcerts.rst
new file mode 100644
index 00000000..af2e2226
--- /dev/null
+++ b/mitmproxy/docs/features/upstreamcerts.rst
@@ -0,0 +1,23 @@
+.. _upstreamcerts:
+
+Upstream Certificates
+=====================
+
+When mitmproxy receives a connection destined for an SSL-protected service, it
+freezes the connection before reading its request data, and makes a connection
+to the upstream server to "sniff" the contents of its SSL certificate. The
+information gained - the **Common Name** and **Subject Alternative Names** - is
+then used to generate the interception certificate, which is sent to the client
+so the connection can continue.
+
+This rather intricate little dance lets us seamlessly generate correct
+certificates even if the client has specified only an IP address rather than the
+hostname. It also means that we don't need to sniff additional data to generate
+certs in transparent mode.
+
+Upstream cert sniffing is on by default, and can optionally be turned off.
+
+================== =============================
+command-line :option:`--no-upstream-cert`
+mitmproxy shortcut :kbd:`o` then :kbd:`U`
+================== =============================
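
Review bot: The sentence "Upstream cert sniffing is on by default, and can optionally be turned off." near the end of the hunk does not say what happens once sniffing is off. The paragraphs above credit sniffing with producing correct certificates for clients that specify only an IP address and for transparent mode, so the page should state which name the interception certificate carries under `--no-upstream-cert` and when a user would choose that. It would also help to say whether the upstream certificate is validated before its Common Name and Subject Alternative Names are copied, since the text only describes reading them.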