I'm trying to proxy a service that has multiple upstream IPs used in a round-robin fashion. On first connection mitmproxy will generate a certificate for the first IP, but the client rejects subsequent requests as another IP is returned that is not in the cert and is not trusted.

I could generate my own cert for this, but creating the CA for it and having the target machines trust it is prohibitive. I'm wondering if it's possible to have mitmproxy look up and generate a cert with all the IPs, or possibly use the full subject from the upstream certificate instead of the IP, as it's a much simpler matter to have the targets trust its CA?

sgargan

1 Answer

mitmproxy usually generates certificates for domains, not IPs. Are you absolutely sure that you have a certificate for a specific IP address?

mitmproxy also mirrors large parts of the upstream certificate (https://github.com/mitmproxy/mitmproxy/blob/c16b4887875bcdecdf18355f28347a48ba4297fd/mitmproxy/proxy/protocol/tls.py#L470-L473), so more details would be helpful to know where this fails.

Maximilian Hils
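
An added example, not part of either post and not mitmproxy code: a small diagnostic that models the client-side name check behind the rejection described in the question, taking a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and reporting which addresses its subjectAltName does not cover. The function names, the sample addresses and the hostname `service.example.test` are constructed for illustration.

```python
import ipaddress

# Constructed sample data: three round-robin addresses and three candidate
# certificates, in the dict shape produced by ssl.SSLSocket.getpeercert().
ROUND_ROBIN = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
CERT_FIRST_IP = {"subjectAltName": (("IP Address", "192.0.2.10"),)}
CERT_ALL_IPS = {"subjectAltName": tuple(("IP Address", a) for a in ROUND_ROBIN)}
CERT_HOSTNAME = {"subjectAltName": (("DNS", "service.example.test"),)}


def _as_ip(value):
    """Return an ipaddress object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Match a dNSName entry; '*.' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == host


def san_covers(cert, target):
    """True if the cert's subjectAltName covers the name the client dialled.

    An IP target is compared only against 'IP Address' entries and a
    hostname only against 'DNS' entries, as TLS clients do.
    """
    sans = cert.get("subjectAltName", ())
    ip = _as_ip(target)
    if ip is not None:
        return any(k == "IP Address" and _as_ip(v) == ip for k, v in sans)
    return any(k == "DNS" and _dns_match(v, target) for k, v in sans)


def uncovered(cert, targets):
    """List the targets a client would reject for this certificate."""
    return [t for t in targets if not san_covers(cert, t)]


if __name__ == "__main__":
    for name, cert in [("first IP only", CERT_FIRST_IP),
                       ("all IPs", CERT_ALL_IPS),
                       ("hostname only", CERT_HOSTNAME)]:
        print(f"{name}: rejected for {uncovered(cert, ROUND_ROBIN)}")
```

Feeding it the `getpeercert()` output from a connection through the proxy shows whether the generated certificate carries IP entries or DNS entries, which is the detail the answer asks for.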