Handling encrypted request depending on cert trust state using mitmproxy

Question

I've read a lot of related topics in the net, but I still don't have an answer to my question.

Is it possible to implement flow described below?

Proxy receive request.

• If request is encrypted and proxy cert is trusted then intercept.
• If request is not encrypted, then intercept.
• If request is encrypted and proxy cert is NOT trusted then pass it through without interception.

This behaviour should be default for all traffic going through the proxy.

It'd be also really nice to be able to get all possible info for passing encrypted requests (src and dst ip addresses etc.). Basically the same info which I can get with fiddler.

Answer 1

Not really. The main problem is that mitmproxy can not know if proxy cert is trusted by the client or not.

In the SSL/TLS protocol client starts with the CLIENT_HELLO and in response the server (in this case motmproxy) sends back the SERVER_HELLO message containing the generated server certificate.

The client now checks if the received server certificate is trusted. If not the connection is terminated. As far as I know the SSL/TLS spec does not define how to do so. Sems clients end back an SSL_ALERT message, other simply drop the connection, and a third group continues the SSL/TLS handshake but have certain internal values set in a way that always let the handshake fail.

There is a mitmproxy script that tries to identify connections that were not successful and then if the client asks for the same domain a second time bypasses interception. Of course this requires that the client resends requests which is not always the case. https://github.com/sociam/x-ray/blob/master/mitmproxy/examples/tls_passthrough.py