Handling CONNECT requests that are blocked (because of pinning?)

Mitmproxy: 4.0.4
Python: 3.6.1
OpenSSL: OpenSSL 1.1.0i 14 Aug 2018
Platform: Linux-2.6.32-754.3.5.el6.x86_64-x86_64-with-centos-6.10-Final

Running in normal mode.
mitmdump -s script.py --listen-port 10080 --confdir --set block_global=false

For some HTTPS connections I see this error:

IP:60501: CONNECT something.com:443
<< Cannot establish TLS with client (sni: something.com): TlsException("(-1, 'Unexpected EOF')",)

On Fiddler it's possible to tag these connections to not be decrypted, and therefore pass straight through.

https://www.fiddlerbook.com/fiddler/help/httpsdecryption.asp#byhost
Once tagged, the connect request and response are logged, just without any decryption for the response body.

At the moment, these CONNECT requests appear to be totally discarded after they fail.

Is it possible to do something like this for mitmproxy?

Thanks

Hi

I have the same problem on the same version of mitmproxy.
As I understand it, connections fail because mitmproxy changes the SSL certificates and tries to decrypt traffic.
Is it possible to configure mitmproxy to skip CONNECT method requests and not even decrypt them?

Hi,

Take a look at https://github.com/mitmproxy/mitmproxy/blob/master/examples/complex/tls_passthrough.py! :)
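
An added example, not part of the thread and not mitmproxy's own code: it scans mitmdump output for the "Cannot establish TLS with client" error quoted in the question and builds anchored host:port regexes for hosts that fail repeatedly, suitable for mitmproxy's `ignore_hosts` option (`--ignore-hosts`), which forwards matching connections without decrypting them. The log layout, the sample lines, the function names and the `min_failures` threshold are assumptions made for this sketch.

```python
import re
from collections import Counter

# Constructed sample of mitmdump output, modeled on the error quoted in the thread.
SAMPLE_LOG = """\
10.0.0.5:60501: CONNECT something.com:443
 << Cannot establish TLS with client (sni: something.com): TlsException("(-1, 'Unexpected EOF')",)
10.0.0.5:60502: GET https://example.org/
 << 200 OK 1.2k
10.0.0.5:60503: CONNECT something.com:443
 << Cannot establish TLS with client (sni: something.com): TlsException("(-1, 'Unexpected EOF')",)
10.0.0.5:60504: CONNECT api.example.net:8443
 << Cannot establish TLS with client (sni: api.example.net): TlsException("(-1, 'Unexpected EOF')",)
"""

CONNECT_RE = re.compile(r"^\S+: CONNECT (?P<host>[^\s:]+):(?P<port>\d+)\s*$")
FAIL_RE = re.compile(r"Cannot establish TLS with client \(sni: (?P<sni>[^)\s]+)\)")

def failed_tls_hosts(log_text):
    """Count client-side TLS handshake failures per (host, port)."""
    failures = Counter()
    last_port = {}  # host -> port seen on the most recent CONNECT line
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if m:
            last_port[m["host"].lower()] = int(m["port"])
            continue
        m = FAIL_RE.search(line)
        if m:
            host = m["sni"].lower()
            # Assumption: fall back to 443 when no CONNECT line was seen for this host.
            failures[(host, last_port.get(host, 443))] += 1
    return failures

def ignore_patterns(failures, min_failures=2):
    """Anchored, escaped host:port regexes for hosts that failed repeatedly."""
    return sorted(
        "^" + re.escape(host) + ":" + str(port) + "$"
        for (host, port), n in failures.items() if n >= min_failures
    )

if __name__ == "__main__":
    for pattern in ignore_patterns(failed_tls_hosts(SAMPLE_LOG)):
        print(pattern)
```

Requiring more than one failure keeps a single transient handshake error from exempting a host from inspection; anchoring and escaping keep each pattern from matching look-alike hostnames.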