Validity of certificates generated by mitmproxy depends on integration between mitmproxy and upstream server? #6769
jvanheesch started this conversation in General
Not exactly sure what the issue is, but this is how we generate certificates: https://github.com/mitmproxy/mitmproxy/blob/10.2.4/mitmproxy/addons/tlsconfig.py#L487
Does it happen with a mitmproxy-generated CA, or only with your own CA?
While using mitmproxy, I noticed some behavior that surprised me.
Short explanation:
The validity of the certificates generated by mitmproxy, when serving as reverse proxy, depends on the integration
between mitmproxy and upstream server. I would expect the client <-> mitm integration to not depend on the
mitm <-> upstream integration.
Detailed explanation:
My setup:
nameConstraints = critical, permitted;DNS:.test, permitted;DNS:.dev
Problem:
as mitmdump -v --mode reverse:https://example.dev:443@443 --ssl-insecure --set keep_host_header, all is fine
as mitmdump -v --mode reverse:https://example.test:443@443 --ssl-insecure --set keep_host_header, all is fine
as mitmdump -v --mode reverse:https://nginx:443@443 --ssl-insecure --set keep_host_header, ssl certificates generated by mitmproxy are invalid
nameConstraints
Reproducer can be found here, though it's a bit cumbersome to run.
Can anyone shed some light onto this? Is this expected behavior?
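A way to check a leaf certificate's SAN list against the `nameConstraints` line from the setup above, as an added example that is not part of the original post or of mitmproxy's code. It applies the rule that every dNSName in the leaf must fall inside a permitted subtree, so one out-of-tree name is enough to reject the certificate. Assumptions: a leading dot is treated as a suffix match requiring at least one extra label, and the SAN lists are constructed, with the third one supposing the generated leaf also names the upstream host, which should be verified against the actual certificate.

```python
# Added example: DNS nameConstraints check over a leaf's SAN dNSName list.

# Permitted subtrees, taken from the nameConstraints line in the post.
PERMITTED = [".test", ".dev"]


def dns_permitted(name: str, base: str) -> bool:
    """True if `name` falls inside the permitted DNS subtree `base`."""
    name, base = name.lower().rstrip("."), base.lower()
    if base == "":
        return True  # an empty constraint matches every name
    if base.startswith("."):
        # Assumption: leading dot means suffix match with at least one
        # extra label, so "example.dev" matches ".dev" but "dev" does not.
        return len(name) > len(base) and name.endswith(base)
    # RFC 5280 form: exact match, or zero or more labels added on the left.
    return name == base or name.endswith("." + base)


def violations(san_dns: list[str], permitted: list[str]) -> list[str]:
    """Return every SAN dNSName that no permitted subtree covers."""
    return [n for n in san_dns
            if not any(dns_permitted(n, b) for b in permitted)]


# Constructed SAN lists (hypothetical, not read from real certificates).
CASES = {
    "upstream example.dev": ["example.dev"],
    "upstream example.test": ["example.test"],
    # Assumes the leaf carries the upstream host as an extra SAN.
    "upstream nginx": ["example.dev", "nginx"],
}

if __name__ == "__main__":
    for label, sans in CASES.items():
        bad = violations(sans, PERMITTED)
        verdict = "ok" if not bad else "rejected, out of tree: " + ", ".join(bad)
        print(f"{label}: {verdict}")
```

To run the same check on a real certificate, list its SAN entries with `openssl x509 -noout -text` and pass the DNS names to `violations`.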