Possible to playback HTTP/2 with upstream cert sniffing disabled (upstream_cert=false)

andrewMoz · January 23, 2019, 12:35pm

We’re using mitmproxy to playback recorded sessions.

The live TLS connections to upstream servers were introducing noise into our performance tests so we’re attempting to disable them with the “upstream_cert=false” or “–no-upstream-cert” option (using mitmdump 2.02).

However I noticed that this prevents HTTP/2 playback (http1.1 chosen during alpn).

Is there any way to playback HTTP/2 without connecting to the live upstream servers?

andrewMoz · January 21, 2019, 7:41pm

Reading up on how ALPN is implemented (in the TLS handshake), my question becomes,
“Is there any way that I can record the server’s choice of h2 as the protocol in the mitmdump session recording?”

andrewMoz · February 4, 2019, 4:03pm

Can anyone confirm whether it’s possible to playback HTTP/2 with upstream cert sniffing disabled?

This would be very helpful for us (offline playback).

If it’s not supported I’d be happy to write up feature request use-case.

mhils · April 15, 2019, 9:46am

Hi @andrewMoz,

This is a tricky problem we currently don’t have a good answer for. We currently don’t do HTTP/2 <-> HTTP/1 translation, so when we negotiate HTTP/2 with the client we kind of need to make sure that the server supports it as well (as we can’t determine if a replay will happen at this point).
One viable approach might be to provide some form of ALPN callback to the scripting interface, but we haven’t implemented anything of that sort yet.

If you really really do need HTTP/2, one viable workaround might be to put mitmproxy into upstream/reverse proxy mode and point to some dummy server running on the same machine that advertises h2. This will trick mitmproxy into thinking that upstream does support it.

andrewMoz · April 17, 2019, 1:45pm

Thank you @mhils.

We do really need HTTP/2 (when supported by a given server) because we’re measuring performance and in many cases the difference between HTTP/1 and 2 is significant.

Maybe a dummy server server solution could work for us – thanks for the idea.

Cheers.

tarekziade · April 30, 2019, 2:44pm

@mhils could we just mock calls to get_alpn_proto_negotiated() to force h2 ?

setting up a local server just to give back a valid answer to mitmproxy sounds like more work than just forcing the decision inside mitmproxy. Or is this what you meant by ALPN callback ? happy to work on a patch if you could point me into the right direction.

Thanks!

Tarek

tarekziade · May 6, 2019, 8:19am

I’ve added https://github.com/mitmproxy/mitmproxy/issues/3536 and working on it, if someone has any hints !

Cheers
Tarek