[INVALID] Invalid signatures for the generated certificates

I’m not sure if this a bug, or I am doing something wrong.

My goal: use mitmproxy as a transparent proxy (or as a reverse proxy) to debug the TLS traffic to specific host(s)

Problem: not a single client can verify the provided certificate. Tried it with openssl, gnutls, openjdk, firefox. The curl+openssl error is:

  • SSLv3, TLS alert, Client hello (1):
    curl: (35) error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01

Release used: the docker image:

Mitmproxy version: 2.0.1 (release version)
Python version: 3.5.2
Platform: Linux-3.16.0-4-amd64-x86_64-with
SSL version: OpenSSL 1.0.2k 26 Jan 2017

Workaround: setting my own self-signed certificate for a domain by using “–cert example.com=…” works fine.

Thanks for the report - not sure what causes this. I just tried the following:

λ docker run --rm -it mitmproxy/mitmproxy ash
/ # apk update; apk add curl
/ # mitmdump &
Proxy server listening at
/ # curl -x localhost:8080 --insecure --silent https://example.com/ > /dev/null clientconnect GET https://example.com/
              << 200 OK 1.24k clientdisconnect

Does that work for you?

It’s all fine. The problem with the signature does not appear after the host was restarted. I don’t know what the problem was. I am very sorry for the inconvenience!