MITMProxy is an excellent tool for performing MITM. In my day-to-day work I often need to test whether SSL/TLS pinning is implemented correctly and the certificate fields are verified correctly in mobile applications. The checks include:

- Are self-signed certificates accepted
- Is the hostname verified correctly
- Are the certificate start and end dates checked

Improper checking of SSL/TLS certificates is quite common, as established in this work: https://saschafahl.de/papers/androidssl2012.pdf.
I want to explore whether the current MITMProxy code supports writing a plugin for the above-described case, in which variants of a certificate are sent to the client. Currently I change the code manually and then perform these tests. I feel having a simple plugin will be helpful in general.
If such a capability already exists, I am not able to find it in my initial, limited research with the tool. Any pointers or suggestions will be helpful for me.
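
The three checks listed in the post, as an added example (not part of the original post and not mitmproxy code): a standard-library function that takes a certificate in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()` and names the checks a correctly validating client must reject it on. The certificates, host name, CA name and clock value are constructed, and `make_cert`, `host_matches` and `failed_checks` are hypothetical helper names.

```python
import ssl
from datetime import datetime, timezone

def make_cert(subject_cn, issuer_cn, san, not_before, not_after):
    """Constructed certificate in the dict layout of getpeercert()."""
    return {
        "subject": ((("commonName", subject_cn),),),
        "issuer": ((("commonName", issuer_cn),),),
        "subjectAltName": (("DNS", san),),
        "notBefore": not_before, "notAfter": not_after,
    }

def host_matches(pattern, host):
    """Exact match, or one wildcard as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def failed_checks(cert, host, now):
    """Names of the checks this certificate must be rejected on."""
    failed = set()
    # Assumption: subject == issuer marks self-signed; no signature check.
    if cert["subject"] == cert["issuer"]:
        failed.add("self-signed")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(host_matches(n, host) for n in sans):
        failed.add("hostname")
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        failed.add("validity-dates")
    return failed

HOST = "api.example.test"  # constructed values throughout
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc).timestamp()
OK = ("Jan  1 00:00:00 2024 GMT", "Jan  1 00:00:00 2025 GMT")
VARIANTS = {
    "baseline": make_cert(HOST, "Test CA", HOST, *OK),
    "self-signed": make_cert(HOST, HOST, HOST, *OK),
    "wrong-host": make_cert("other.example.test", "Test CA", "other.example.test", *OK),
    "expired": make_cert(HOST, "Test CA", HOST, "Jan  1 00:00:00 2023 GMT", "Jan  1 00:00:00 2024 GMT"),
    "not-yet-valid": make_cert(HOST, "Test CA", HOST, "Jan  1 00:00:00 2025 GMT", "Jan  1 00:00:00 2026 GMT"),
}

if __name__ == "__main__":
    for name, cert in VARIANTS.items():
        print(name, sorted(failed_checks(cert, HOST, NOW)))
```

An app that completes a connection for any variant other than `baseline` is missing the check named for that variant.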