On some sites I see a lot of "Connection from.." entries that never complete.

This is probably because the page requests resources from SSL-protected domains. These requests are intercepted by mitmproxy, but because we're using a bogus certificate, the browser-side of the connection hangs. The browser doesn't prompt you to add a certificate trust exception for remote page components, only for the primary domain being visited.

To solve this, use something like FireBug to find out which page components are hanging. Visit the relevant domains using your browser, and add a certificate trust exception for each one.

I'm pentesting an non-browser app that checks SSL certificate validity. How do I make it trust the MITMProxy certificate?

Here's a quick and easy procedure you can use for Windows 7, as long as the app in question uses the global Windows certificate repository.

• First copy the file libmproxy/resources/bogus_template from the MITMProxy source, and edit it to include your target domain in the CN parameter. The result should look like this:

  [ req ]
  prompt = no
  distinguished_name = req_distinguished_name
  
  [ req_distinguished_name ]
  C               = NZ
  ST              = none
  L               = none
  O               = none
  OU              = none
  CN              = target.domain.com
  emailAddress    = none

• Next, use your bogus template to generate a certificate, and install it for MITMPRoxy to use:

  openssl req -config ./my_bogus_template -x509 -nodes -days 9999 -newkey rsa:1024 -keyout mycert -out mycert
  
  cp mycert ~/.mitmproxy/cert.pem

• Fire up MITMProxy, and configure Firefox on the Windows box to use it. Browse to the target domain, and you should see a big warning about an untrusted certificate. Use Firefox to export the certificate ("Add Exception", "Get Certificate", then "View", tab to "Details" and click "Export").
• From the command console, fire up certmgr. Select "Trusted Root Certification Authorities", then on the top menu, "Action", "All Tasks", and "Import". When prompted, select the certificate file you've just saved from Firefox.
• And that's it - your certificate should now be trusted for that domain. Happy pentesting.