From f47d89ff4e710f6d2df755fe526e91a5cf236cfa Mon Sep 17 00:00:00 2001
From: Aldo Cortesi <aldo@nullcube.com>
Date: Mon, 27 Jan 2014 14:16:23 +1300
Subject: Revert "Move the doc tree out into its own repo."

This reverts commit 8f88fcedd601c0033b4469b66626a83011879baf.
---
 doc-src/features/upstreamcerts.html | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 doc-src/features/upstreamcerts.html

(limited to 'doc-src/features/upstreamcerts.html')

diff --git a/doc-src/features/upstreamcerts.html b/doc-src/features/upstreamcerts.html
new file mode 100644
index 00000000..8de75ee3
--- /dev/null
+++ b/doc-src/features/upstreamcerts.html
@@ -0,0 +1,21 @@
+When mitmproxy receives a connection destined for an SSL-protected service, it
+freezes the connection before reading its request data, and makes a connection
+to the upstream server to "sniff" the contents of its SSL certificate. The
+information gained - the __Common Name__ and __Subject Alternative Names__ - is
+then used to generate the interception certificate, which is sent to the client
+so the connection can continue.
+
+This rather intricate little dance lets us seamlessly generate correct
+certificates even if the client has specifed only an IP address rather than the
+hostname. It also means that we don't need to sniff additional data to generate
+certs in transparent mode.
+
+Upstream cert sniffing is on by default, and can optionally be turned off.
+
+<table class="table">
+    <tbody>
+        <tr>
+            <th width="20%">command-line</th> <td>--no-upstream-cert</td>
+        </tr>
+    </tbody>
+</table>
-- 
cgit v1.2.3