Damir

Reputation: 435

Mitmproxy in reverse proxy mode with self signed upstream cert

I have several machines which don't support TLS 1.1 & 1.2, and the server they're supposed to be connecting to is dropping support for older protocols. They're all tunneling through a central server anyway.

The idea is to run mitmdump as a reverse proxy on the central server; clients send plain http requests to the reverse proxy instead of https to the remote server, and it then communicates with the remote server via TLS 1.2 (please advise if you think there are better/simpler solutions).

I'm testing this locally, so the client sends http to localhost where mitmdump is running.

This is how I run mitmdump:

mitmdump -R https://remotehost:port --port 8844 --upstream-trusted-ca "C:\fullpath\root_ca_pem.cer"

And this is what I get:

127.0.0.1:54547: clientconnect
127.0.0.1:54547: POST https://remotehost:someport/ 
<< Certificate Verification Error for remotehost: unable to get issuer certificate (errno: 2, depth: 1)
127.0.0.1:54547: clientdisconnect

The remote server uses a CA cert and a sub cert which are not in the trusted root certificate store by default, though I did add them there (is it used by mitmdump on Windows?). So I used "--upstream-trusted-ca", but unfortunately that did not solve the problem.

Any ideas what I'm doing wrong? Maybe I should include all certificates in chain; how would I do that?

Upvotes: 0

Views: 2944

Answers (1)

Maximilian Hils

Reputation: 6770

The remote server uses a CA cert and a sub cert which are not in the trusted root certificate store by default, though I did add them there (is it used by mitmdump on Windows?).

We'd like to use the OS store, but that's not easily possible with OpenSSL. Mitmproxy uses certifi right now. As you mentioned, --upstream-trusted-ca is the right way to fix this. If you have intermediate CAs which are not sent by the server, you may need to structure your PEM file like this:

-----BEGIN CERTIFICATE-----
<cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediary cert (optional)>
-----END CERTIFICATE-----

Upvotes: 2
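The error in the question, "unable to get issuer certificate (depth: 1)", means OpenSSL found the intermediate (depth 1) but could not find the certificate that signed it in the file given to --upstream-trusted-ca. The check below is an added example, not mitmproxy's code: it reads a PEM bundle with only the standard library, pulls subject and issuer out of each certificate with a small DER walker, and reports every non-self-signed certificate whose issuer is missing from the bundle. It also rejects a file with no PEM blocks, because the option takes a PEM formatted file and a ".cer" exported from the Windows store is often DER. The demo_cert helper builds constructed, unsigned certificate skeletons (assumed names "Demo Root CA", "Demo Issuing CA") purely to exercise the check; they are not usable for TLS.

```python
import base64
import re

# Added example, not mitmproxy's own code. Standard library only: a small DER
# walker reads subject and issuer from each certificate so a bundle meant for
# --upstream-trusted-ca can be checked for missing chain links before use.

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf):
    """Split a constructed value into (tag, whole TLV bytes, inner bytes)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, vs, ve = _tlv(buf, pos)
        out.append((tag, buf[pos:ve], buf[vs:ve]))
        pos = ve
    return out


def subject_issuer(der):
    """Return the raw DER Name TLVs (subject, issuer) of an X.509 certificate."""
    _, vs, ve = _tlv(der, 0)                            # Certificate SEQUENCE
    tbs = _children(der[vs:ve])[0][2]                   # tbsCertificate value
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4][1], fields[2][1]


def name_to_str(name_der):
    """Join the attribute string values of a DER Name, e.g. 'Demo Root CA'."""
    values = []
    for _, _, rdn in _children(_children(name_der)[0][2]):   # each SET
        for _, _, attr in _children(rdn):                    # AttributeTypeAndValue
            values.append(_children(attr)[1][2].decode("utf-8"))
    return ",".join(values)


def pem_bundle_certs(text):
    """Decode every CERTIFICATE block in a PEM bundle to DER bytes."""
    return [base64.b64decode(m.group(1)) for m in PEM_BLOCK.finditer(text)]


def missing_issuers(text):
    """Names of bundle certificates whose issuer is absent from the bundle.

    Self-signed roots are skipped. Each entry here is a link OpenSSL cannot
    follow, i.e. an 'unable to get issuer certificate' at the matching depth.
    """
    ders = pem_bundle_certs(text)
    if not ders:
        raise ValueError("no PEM CERTIFICATE blocks found (DER-encoded .cer? convert to PEM)")
    certs = [subject_issuer(d) for d in ders]
    subjects = {s for s, _ in certs}
    return [name_to_str(s) for s, i in certs if s != i and i not in subjects]


# --- constructed test material below: structure only, no real keys or signatures ---

def _der(tag, payload):
    """Minimal DER encoder used only to build the demo certificates."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def _name(cn):
    oid_cn = bytes.fromhex("0603550403")                  # OID 2.5.4.3 commonName
    return _der(0x30, _der(0x31, _der(0x30, oid_cn + _der(0x0C, cn.encode()))))


def demo_cert(subject, issuer):
    """Constructed, UNSIGNED certificate skeleton with the given subject/issuer."""
    alg = _der(0x30, bytes.fromhex("06092a864886f70d01010b") + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" * 9))     # dummy key
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + _name(issuer) + validity + _name(subject) + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))   # dummy signature


def to_pem(der):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    root = demo_cert("Demo Root CA", "Demo Root CA")
    inter = demo_cert("Demo Issuing CA", "Demo Root CA")
    print(missing_issuers(to_pem(inter)))                 # ['Demo Issuing CA']: root missing
    print(missing_issuers(to_pem(inter) + to_pem(root)))  # []: chain complete
```

Run it against the real bundle with `missing_issuers(open("root_ca_pem.cer").read())`: an empty list means every intermediate in the file has its issuer alongside it, the layout the answer shows; a name in the list tells you which certificate's signer still has to be appended.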
