Allow configuring certain CA details, fixes #5386 #5441

Open
wants to merge 4 commits into
base: main


Prinzhorn
Member

Description

mitmdump --set ca_basename=example --set ca_organization=Example --set ca_common_name=example

Screenshot from 2022-06-29 11-31-41

So how would I test the "via mitmproxy" part?

Two notes:

  1. The onboarding app does not work standalone now, I guess we could do some magic and check for ctx and have it still work but with the default "mitmproxy"?
  2. Is there a reason only these two options trigger a new CA? If I understand correctly you can change the confdir at runtime but not other aspects such as key_size?

    def configure(self, updated):
        if "confdir" not in updated and "certs" not in updated:
            return

Checklist

  • I have updated tests where applicable.
  • I have added an entry to the CHANGELOG.

<li><code>sudo update-ca-certificates</code></li>
</ol>
{% endcall %}
{% call entry('macOS', 'apple') %}
<h5>Manual Installation</h5>
<ol>
<li>Double-click the PEM file to open the <samp>Keychain Access</samp> application.</li>
<li>Locate the new certificate "mitmproxy" in the list and double-click it.</li>
<li>Locate the new certificate "{{ ca_basename }}" in the list and double-click it.</li>
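Review bot: On the Keychain Access step, `{{ ca_basename }}` replaces the literal "mitmproxy", but the user is told to locate a certificate by name in a list, and that list shows the name from the certificate's subject rather than the name of the downloaded file. The `mitmdump --set ...` line in the description sets `ca_common_name` separately from `ca_basename`, so the two can differ; the value rendered here should be whatever ends up as the certificate's common name, including any fixed "via mitmproxy" part.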
Member Author


Is it actually the basename that is displayed there?

@@ -70,14 +70,14 @@ <h5>iOS 13+</h5>
<li>Use Safari to download the certificate. Other browsers may not open the proper installation prompt.</li>
<li>Install the new Profile (<samp>Settings -> General -> VPN & Device Management</samp>).</li>
<li><span class="text-danger"><strong>Important:</strong> Go to <samp>Settings -> General -> About -> Certificate Trust Settings</samp>.
Toggle <samp>mitmproxy</samp> to <samp>ON</samp>.</span></li>
Toggle <samp>{{ ca_basename }}</samp> to <samp>ON</samp>.</span></li>
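Review bot: The Toggle line belongs to the step marked Important, and `{{ ca_basename }}` has no fallback there. The description says the onboarding app no longer works standalone, so rendering without that value needs an explicit decision: either supply "mitmproxy" as the default where the template context is built, or fail loudly, so this step can never show a blank name. The label the user has to find under Certificate Trust Settings should also be checked against what the device actually displays for the generated certificate before the basename is used for it.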
Member Author


Is it actually the basename that is displayed there?

@Prinzhorn Prinzhorn linked an issue Jun 29, 2022 that may be closed by this pull request
@Prinzhorn Prinzhorn requested a review from mhils August 3, 2022 17:34
@roniemartinez

+1
I need this. Looking forward.

@Prinzhorn
Member Author

@roniemartinez I'm curious about your use-case

@roniemartinez

@Prinzhorn When distributing an app that uses mitmproxy, users are asking why they are downloading a file of another name. I think using Example (via mitmproxy) makes it clearer to the users.

@mhils
Member

mhils commented Sep 17, 2022

@roniemartinez: Out of curiosity, could you provide some details on your app? :)

@roniemartinez

@mhils Sorry but cannot disclose at this moment.

@keeely

keeely commented Jan 11, 2023

Instead of these options, would it not be better to document how to create our own CA toward the bottom of the page on certs:
https://docs.mitmproxy.org/stable/concepts-certificates/
There is mention of the X509v3 extensions required, but I think an example openssl cfg + command(s) would go some way towards removing this requirement.
Also, if you do go ahead with this, I'd request that you don't add '(via mitmproxy)'; this should surely be a choice for the user?

@Prinzhorn
Member Author

> Instead of these options, would it not be better to document how to create our own CA toward the bottom of the page on certs:
> https://docs.mitmproxy.org/stable/concepts-certificates/
> There is mention of the X509v3 extensions required, but I think an example openssl cfg + command(s) would go some way towards removing this requirement.

I would prefer to have this integrated, since generating the cert is only 50% of what needs to be done. E.g. I still want the mitm.it cert download links and instructions to work. mitmproxy already contains all the code necessary to generate the certs it needs with the appropriate configuration. I'm shipping mitmproxy as part of a desktop application and I definitely don't want to replicate this logic using sub-processes (cross OS 😱 ) or additional code.

> Also, if you do go ahead with this, I'd request that you don't add '(via mitmproxy)'; this should surely be a choice for the user?

No, see #5386 (comment). We don't want to make it trivial to hide the fact that mitmproxy is intercepting the connection.

Successfully merging this pull request may close these issues.

Make the CA details and filename configurable
4 participants