Mitmproxy can decrypt encrypted traffic on the fly, as long as the client trusts its built-in certificate authority. Usually this means that the mitmproxy CA certificates have to be installed on the client device.
By far the easiest way to install the mitmproxy certificates is to use the built-in certificate installation app. To do this, just start mitmproxy and configure your target device with the correct proxy settings. Now start a browser on the device, and visit the magic domain mitm.it. You should see something like this:
Click on the relevant icon, follow the setup instructions for the platform you’re on and you are good to go.
For iOS version 10.3 or up, you need to make sure
mitmproxy is enabled in
Certificate Trust Settings, you can check it by going to
Settings > General > About > Certificate Trust Settings.
Installing the mitmproxy CA certificate manually¶
Sometimes using the quick install app is not an option - Java or the iOS Simulator spring to mind - or you just need to do it manually for some other reason. Below is a list of pointers to manual certificate installation documentation for some common platforms.
The mitmproxy CA cert is located in
~/.mitmproxy after it has been generated at the first
start of mitmproxy.
>>> certutil.exe -importpfx Root mitmproxy-ca-cert.p12
CA and cert files¶
The files created by mitmproxy in the .mitmproxy directory are as follows:
|mitmproxy-ca.pem||The certificate and the private key in PEM format.|
|mitmproxy-ca-cert.pem||The certificate in PEM format. Use this to distribute on most non-Windows platforms.|
|mitmproxy-ca-cert.p12||The certificate in PKCS12 format. For use on Windows.|
|mitmproxy-ca-cert.cer||Same file as .pem, but with an extension expected by some Android devices.|
Using a custom certificate¶
You can use your own (leaf) certificate by passing the
--cert [domain=]path_to_certificate option to
mitmproxy. Mitmproxy then uses the provided certificate for interception of the
specified domain instead of generating a certificate signed by its own CA.
The certificate file is expected to be in the PEM format. You can include intermediary certificates right below your leaf certificate, so that your PEM file roughly looks like this:
-----BEGIN PRIVATE KEY----- <private key> -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- <cert> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <intermediary cert (optional)> -----END CERTIFICATE-----
For example, you can generate a certificate in this format using these instructions:
>>> openssl genrsa -out cert.key 2048 >>> openssl req -new -x509 -key cert.key -out cert.crt (Specify the mitm domain as Common Name, e.g. *.google.com) >>> cat cert.key cert.crt > cert.pem
Now, you can run mitmproxy with the generated certificate:
For all domain names
>>>mitmproxy --cert *=cert.pem
For specific domain names
>>>mitmproxy --cert *.example.com=cert.pem
*.example.com is for all the subdomains. You can also use
www.example.com for a particular subdomain.
Using a client side certificate¶
You can use a client certificate by passing the
option to mitmproxy. Using a directory allows certs to be selected based on
hostname, while using a filename allows a single specific certificate to be used for
all SSL connections. Certificate files must be in the PEM format and should
contain both the unencrypted private key and the certificate.
Multiple certs by Hostname¶
If you’ve specified a directory to
--client-certs, then the following
behavior will be taken:
If you visit example.org, mitmproxy looks for a file named
example.org.pem in the specified
directory and uses this as the client cert.