I use mitmproxy to gather intel from outbound AS2 (HTTP) requests leaving our network. The schema goes like this:
Mendelson AS2 ➡ mitmproxy ➡ partner AS2 server
                    ↘
                      redis
Where possible, I need to verify all SSL certs to make sure the business connection is safe. Some partners use lesser-known CAs, which I then add to a truststore used by the ssl_verify_upstream_trusted_ca option.
Some partners though don't really care about security and I need to trust their certificates no matter what. How do I do that in mitmproxy? Disabling the verification entirely isn't an option.
Thank you.
It's been a while since I've tried to solve this using a custom addon and it seems to work fine so I'll share it here:
https://gist.github.com/jsmucr/24cf0859dd7c9bba8eb2817d7b0bf4b6
This approach has a bit of a disadvantage, and that's the fact that it doesn't check if the peer certificate changes.
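One way to close the gap mentioned above is to bind each per-partner exception to a certificate fingerprint, so a changed peer certificate is rejected instead of silently trusted. This is an added example, not the code from the linked gist; the class name, host names and certificate bytes are constructed, and wiring `decide()` into a mitmproxy addon is not shown.

```python
import hashlib


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


class PinnedExceptions:
    """Per-host exceptions to CA verification, each bound to one certificate."""

    def __init__(self, pins=None):
        # host -> pinned fingerprint, or None to pin whatever is seen first
        self.pins = dict(pins or {})

    def decide(self, host: str, der_cert: bytes, ca_verified: bool) -> str:
        if ca_verified:
            return "accept-ca"            # normal truststore path succeeded
        if host not in self.pins:
            return "reject-untrusted"     # no exception configured for this host
        seen = fingerprint(der_cert)
        pinned = self.pins[host]
        if pinned is None:
            self.pins[host] = seen        # trust on first use, remember the cert
            return "accept-first-use"
        if seen == pinned:
            return "accept-pinned"        # same certificate as before
        return "reject-changed"           # exception exists but the cert differs


# Constructed stand-ins for DER certificate bytes (not real certificates).
OLD_CERT = b"constructed-der-bytes-partner-cert-v1"
NEW_CERT = b"constructed-der-bytes-partner-cert-v2"


def demo():
    store = PinnedExceptions({"as2.partner.example": None})
    return [
        store.decide("as2.other.example", OLD_CERT, ca_verified=True),
        store.decide("as2.other.example", OLD_CERT, ca_verified=False),
        store.decide("as2.partner.example", OLD_CERT, ca_verified=False),
        store.decide("as2.partner.example", OLD_CERT, ca_verified=False),
        store.decide("as2.partner.example", NEW_CERT, ca_verified=False),
    ]


if __name__ == "__main__":
    print(demo())
```

A "reject-changed" result is worth alerting on: it means either the partner rotated the certificate and the pin needs a manual update, or something is sitting between the proxy and the partner.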