<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta content="text/html; charset=utf-8" http-equiv="Content-Type"/>
<link href="../01-bootstrap.min.css" type="text/css" rel="StyleSheet"/>
<link href="../02-docstyle.css" type="text/css" rel="StyleSheet"/>
<link href="../syntax.css" type="text/css" rel="StyleSheet"/>
<title>mitmproxy 0.9 - Upstream Certs</title></head><body><div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</a>
<a class="brand" href="../index.html">mitmproxy 0.9 docs</a>
</div><!--/.nav-collapse -->
</div>
</div>
</div>
<div class="container">
<div class="row">
<div class="span3">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li><a href="../index.html">Introduction</a></li>
<li><a href="../install.html">Installation</a></li>
<li><a href="../howmitmproxy.html">How mitmproxy works</a></li>
<li class="nav-header">Tools</li>
<li><a href="../mitmproxy.html">mitmproxy</a></li>
<li><a href="../mitmdump.html">mitmdump</a></li>
<li class="nav-header">Features</li>
<li><a href="anticache.html">Anticache</a></li>
<li><a href="clientreplay.html">Client-side replay</a></li>
<li><a href="filters.html">Filter expressions</a></li>
<li><a href="proxyauth.html">Proxy Authentication</a></li>
<li><a href="replacements.html">Replacements</a></li>
<li><a href="serverreplay.html">Server-side replay</a></li>
<li><a href="setheaders.html">Set Headers</a></li>
<li><a href="sticky.html">Sticky cookies and auth</a></li>
<li><a href="reverseproxy.html">Reverse proxy mode</a></li>
<li class="active"><a href="upstreamcerts.html">Upstream Certs</a></li>
<li class="nav-header">Installing Certificates</li>
<li><a href="../ssl.html">Overview</a></li>
<li><a href="../certinstall/firefox.html">Firefox</a></li>
<li><a href="../certinstall/osx.html">OSX</a></li>
<li><a href="../certinstall/windows7.html">Windows 7</a></li>
<li><a href="../certinstall/ios.html">IOS</a></li>
<li><a href="../certinstall/ios-simulator.html">IOS Simulator</a></li>
<li><a href="../certinstall/android.html">Android</a></li>
<li class="nav-header">Transparent Proxying</li>
<li><a href="../transparent.html">Overview</a></li>
<li><a href="../transparent/linux.html">Linux</a></li>
<li><a href="../transparent/osx.html">OSX</a></li>
<li class="nav-header">Tutorials</li>
<li><a href="../tutorials/30second.html">Client playback: a 30 second example</a></li>
<li><a href="../tutorials/gamecenter.html">Setting highscores on Apple's GameCenter</a></li>
<li class="nav-header">Scripting mitmproxy</li>
<li><a href="../scripting/inlinescripts.html">Inline Scripts</a></li>
<li><a href="../scripting/libmproxy.html">libmproxy</a></li>
<li class="nav-header">Hacking</li>
<li><a href="../dev/testing.html">Testing</a></li>
</ul>
</div>
</div>
<div class="span9">
<div class="page-header">
<h1>Upstream Certs</h1>
</div>
<p>When mitmproxy receives a connection destined for an SSL-protected service, it
freezes the connection before reading its request data, and makes a connection
to the upstream server to "sniff" the contents of its SSL certificate. The
information gained - the <strong>Common Name</strong> and <strong>Subject Alternative Names</strong> - is
then used to generate the interception certificate, which is sent to the client
so the connection can continue.</p>
<p>This rather intricate little dance lets us seamlessly generate correct
certificates even if the client has specifed only an IP address rather than the
hostname. It also means that we don't need to sniff additional data to generate
certs in transparent mode.</p>
<p>Upstream cert sniffing is on by default, and can optionally be turned off.</p>
<table class="table">
<tbody>
<tr>
<th width="20%">command-line</th> <td>--no-upstream-cert</td>
</tr>
</tbody>
</table>
</div>
</div>
<hr>
<footer>
<p>© mitmproxy project, 2013</p>
</footer>
</div>
</body></html>
