author Maximilian Hils <git@maximilianhils.com> 2015-08-27 00:07:44 +0200
committer Maximilian Hils <git@maximilianhils.com> 2015-08-27 00:07:44 +0200
commit f6dadc2b0de712869d9b8aa928915dbb990bb6af
tree 9777868d2feee2a95873192a59244a71e4f257c7 /doc-src
parent 9c6b3eb58a22817daa576063c3626d7a239e7093
no more sni double-connects!
Diffstat (limited to 'doc-src')
-rw-r--r-- doc-src/howmitmproxy.html 9
1 files changed, 0 insertions, 9 deletions
diff --git a/doc-src/howmitmproxy.html b/doc-src/howmitmproxy.html
index fabd393a..16b5f722 100644
--- a/doc-src/howmitmproxy.html
+++ b/doc-src/howmitmproxy.html
@@ -145,15 +145,6 @@ passed to us. Now we can pause the conversation, and initiate an upstream
connection using the correct SNI value, which then serves us the correct
upstream certificate, from which we can extract the expected CN and SANs.
-There's another wrinkle here. Due to a limitation of the SSL library mitmproxy
-uses, we can't detect that a connection _hasn't_ sent an SNI request until it's
-too late for upstream certificate sniffing. In practice, we therefore make a
-vanilla SSL connection upstream to sniff non-SNI certificates, and then discard
-the connection if the client sends an SNI notification. If you're watching your
-traffic with a packet sniffer, you'll see two connections to the server when an
-SNI request is made, the first of which is immediately closed after the SSL
-handshake. Luckily, this is almost never an issue in practice.
-
## Putting it all together
Lets put all of this together into the complete explicitly proxied HTTPS flow.
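Review bot: The paragraph removed in this hunk is the only place in the visible text that says how a client that sends no SNI is handled ("we therefore make a vanilla SSL connection upstream to sniff non-SNI certificates"), while the surviving context above it only covers the case where an SNI value is passed to us. Rather than deleting it outright, consider replacing it with one sentence on how the upstream certificate is obtained for non-SNI clients now, so the section still covers both cases. The diffstat is limited to doc-src, so the behaviour change the commit message announces cannot be checked from this view; the removal of the packet-capture description ("you'll see two connections to the server") should land together with that change. Minor, in the trailing context: "Lets put all of this together" should read "Let's".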