Hi all,
I’m having trouble understanding how to run mitmproxy to look at https calls, even after reading over http://docs.mitmproxy.org/en/stable/certinstall.html#using-a-custom-certificate. We have our own certificate authorities on our intranet and I’m using a cert/key issued by that CA, hitting websites that have server certs also issued by those CAs.
I have Mitmproxy version 2.0.0, Python 3.5.1, ssl OpenSSL 1.0.1e-fips 11 Feb 2013 and Linux Distro CentOS 6.8 Final. I’m just running “mitmproxy”, no other command line options.
From a Jupyter notebook, I’ve got something like this –
```python
import requests
proxies = {'http' : 'http://localhost:8080',
           'https' : 'http://localhost:8080'}
url_1 = 'http://corporate.intranet.site'
url_2 = 'https://secure.intranet.site'
```
For the plain old http request, the mitmproxy is working as expected. In the mitmproxy terminal, I see the GET and the 200 response, and in Jupyter I see the 200 response.
```python
requests.get(url_1, proxies=proxies)
>>> <Response [200]>
```
For the https site, I’m getting an error saying “certificate verification error, self signed certificate in certificate chain (errno: 19, depth: 2)”. In Jupyter, I get a 502 response back. If I don’t go through the proxies, I can get the site alright.
```python
# boilerplate code here to create an SSLContext and load it into a requests Session
session = create_session(cert='mycert.crt', key='mycert.key', verify='custom_ca_bundle.pem')
session.get(url_2)
>>> <Response [200]>
session.get(url_2, proxies=proxies, verify=False)
>>> <Response [502]>
```
My first question is what I need to do when running mitmproxy to get around the certificate verification error. I’m happy to post more debug.
My second related but less important question is just a bit of clarification on these docs. I see the files created in ~/.mitmproxy. If I’m reading that right, I need to append one of those files to my custom_ca_bundle.crt and then I won’t need to use verify=False in the requests calls. Which file do I use there for Python requests on a Linux box (.pem?), and does it need to be at the top of the ca bundle file or the bottom or does it not matter?
Thanks.
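
An added example, not part of the original post: one way to do the bundle append the second question describes, so that only certificates reach the client's trust bundle. The function names are hypothetical and the sample data is constructed; the mitmproxy documentation lists `mitmproxy-ca-cert.pem` as the certificate alone and `mitmproxy-ca.pem` as certificate plus private key.

```python
import hashlib
import re
import ssl

# One PEM certificate block; anything else in the file (keys, comments) is skipped.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

def fingerprints(pem_text):
    """SHA-256 of the DER bytes of each certificate in a PEM bundle, in file order."""
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_CERT.findall(pem_text)]

def add_ca(bundle_text, ca_text):
    """Return bundle_text plus any certificates from ca_text it does not hold yet.

    Only CERTIFICATE blocks are copied, so feeding in a file that also holds a
    private key (mitmproxy-ca.pem does) never writes that key into the bundle.
    New entries go at the end; OpenSSL finds trust anchors by subject name,
    so their position in the file does not affect verification.
    """
    seen = set(fingerprints(bundle_text))
    out = bundle_text.rstrip("\n") + "\n" if bundle_text.strip() else ""
    for block in PEM_CERT.findall(ca_text):
        fp = hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
        if fp not in seen:
            seen.add(fp)
            out += block + "\n"
    return out

def merge_files(bundle_path, ca_path, out_path):
    """Write a new bundle file and leave the original bundle untouched."""
    with open(bundle_path) as b, open(ca_path) as c:
        merged = add_ca(b.read(), c.read())
    with open(out_path, "w") as f:
        f.write(merged)
    return len(fingerprints(merged))

# Constructed placeholders standing in for real certificates (not valid X.509).
SAMPLE_INTRANET_ROOT = ssl.DER_cert_to_PEM_cert(b"constructed intranet root CA")
SAMPLE_MITM_CA = ssl.DER_cert_to_PEM_cert(b"constructed mitmproxy CA")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    merged = add_ca(SAMPLE_INTRANET_ROOT, SAMPLE_KEY + SAMPLE_MITM_CA)
    print(len(fingerprints(merged)), "certificates;",
          "key copied" if "PRIVATE KEY" in merged else "no key copied")
```

The merged file is what would be passed as `verify=` to requests; it affects only how the client checks the certificate mitmproxy presents, not how mitmproxy checks the upstream server.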