
Make the CA details and filename configurable

Open Prinzhorn opened this issue 2 years ago • 4 comments

Problem Description

I'm wrapping mitmproxy and I want to avoid confusion by not calling my root certs mitmproxy-ca.pem etc. And also by not having my root cert be issued by mitmproxy. So that if you're also using mitmproxy it's clear which is which.

Proposal

CONF_BASENAME looks like it's almost meant to be an option here:

https://github.com/mitmproxy/mitmproxy/blob/8f23a26e355c472725206839125be9d51f548b10/mitmproxy/options.py#L7

and the organization and cn arguments are already there, but unused in our codebase:

https://github.com/mitmproxy/mitmproxy/blob/8f23a26e355c472725206839125be9d51f548b10/mitmproxy/certs.py#L393

I think having these three things be configurable would already be amazing.

Would we want something like ca_basename, ca_organization and ca_cn in core?

Alternatives

I'm aware of https://docs.mitmproxy.org/stable/concepts-certificates/#using-a-custom-certificate-authority but I'd rather have mitmproxy manage the cert for me. It would also still look for the same filename.

Prinzhorn avatar May 30 '22 15:05 Prinzhorn

Not providing these options has been an intentional strategic decision, we don't want to make it overly easy to hide that mitmproxy is intercepting a connection. It lowers the bar for not-so-skilled attackers, while providing no tangible benefit to our own users.

mhils avatar Jun 02 '22 11:06 mhils

I never looked at it this way, makes sense. I don't think this applies to basename though?

make it overly easy to hide that mitmproxy is intercepting a connection

I don't want to hide it, I want to avoid confusion and improve the experience. If anything I want to make it more clear what is intercepting the connection. I'd be totally fine with it if, when you set ca_organization to Custom, the cert has Custom (mitmproxy) or mitmproxy (Custom) as the actual organization.

Prinzhorn avatar Jun 03 '22 08:06 Prinzhorn

I never looked at it this way, makes sense. I don't think this applies to basename though?

Agreed, basename is fine.

I'd be totally fine with it if, when you set ca_organization to Custom, the cert has Custom (mitmproxy) or mitmproxy (Custom) as the actual organization.

This is something I'd definitely be happy to support. Contributions welcome. :)

mhils avatar Jun 03 '22 08:06 mhils
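As an added illustration of the scheme agreed above (not code from this thread or from mitmproxy), the following sketch shows how the three proposed options could be applied when a root CA is generated: ca_basename only changes the file names, ca_cn sets the CN, and a custom ca_organization is always rendered as "Custom (mitmproxy)" so that the intercepting tool remains identifiable in the certificate. It assumes the `cryptography` package; the option names, the "(mitmproxy)" suffix policy and the `write_ca`/`subject_fields` helpers are assumptions for this example, not mitmproxy's API.

```python
"""Added example (not mitmproxy's code): build a root CA whose subject and
file names come from the ca_basename / ca_organization / ca_cn options
proposed in the thread. The organization field always keeps "(mitmproxy)"
so the interceptor stays visible in the certificate."""
from __future__ import annotations

import datetime
from pathlib import Path

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

DEFAULT_ORG = "mitmproxy"


def effective_organization(ca_organization: str | None) -> str:
    """Render the O= field. A custom value becomes 'Custom (mitmproxy)',
    never a bare 'Custom' (assumed policy, following the thread)."""
    if not ca_organization or ca_organization.strip() == DEFAULT_ORG:
        return DEFAULT_ORG
    return f"{ca_organization.strip()} ({DEFAULT_ORG})"


def ca_file_paths(confdir: str | Path, ca_basename: str = "mitmproxy") -> dict[str, Path]:
    """Derive the CA file names from a basename, mirroring the
    mitmproxy-ca.pem / mitmproxy-ca-cert.pem layout with a configurable prefix."""
    confdir = Path(confdir)
    return {
        "ca": confdir / f"{ca_basename}-ca.pem",            # key + cert bundle
        "ca_cert": confdir / f"{ca_basename}-ca-cert.pem",  # cert only, for import
    }


def build_root_ca(ca_organization: str | None = None,
                  ca_cn: str | None = None,
                  key_size: int = 2048) -> tuple[rsa.RSAPrivateKey, x509.Certificate]:
    """Generate a self-signed CA certificate with the effective O= and CN= values."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, ca_cn or DEFAULT_ORG),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, effective_organization(ca_organization)),
    ])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed root: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365 * 3))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=False, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=True,
            crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def write_ca(confdir: str | Path, ca_basename: str,
             key: rsa.RSAPrivateKey, cert: x509.Certificate) -> dict[str, Path]:
    """Write the bundle and the bare certificate under the configured basename."""
    paths = ca_file_paths(confdir, ca_basename)
    pem_key = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.TraditionalOpenSSL,
                                serialization.NoEncryption())
    pem_cert = cert.public_bytes(serialization.Encoding.PEM)
    Path(confdir).mkdir(parents=True, exist_ok=True)
    paths["ca"].write_bytes(pem_key + pem_cert)
    paths["ca_cert"].write_bytes(pem_cert)
    return paths


def subject_fields(cert: x509.Certificate) -> dict[str, str]:
    """Read back O= and CN= so a wrapper can verify what it generated."""
    return {
        "O": cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)[0].value,
        "CN": cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
    }


def is_ca_cert(cert: x509.Certificate) -> bool:
    """True if the certificate carries a CA=true BasicConstraints extension."""
    return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca


if __name__ == "__main__":
    k, c = build_root_ca(ca_organization="Custom", ca_cn="My Proxy CA")
    print(subject_fields(c), write_ca("./confdir", "myproxy", k, c))
```

The suffix is applied inside `effective_organization` rather than trusted from the option, so a wrapper cannot produce a certificate that drops the mitmproxy marker, which is the property the maintainer asked to preserve.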

Great, I'll reopen this and will look into it within the next weeks or years :smile:. Apart from the hardcoded mitmproxy basename in mitmweb HTML this should be somewhat trivial.

Prinzhorn avatar Jun 03 '22 08:06 Prinzhorn