support to intercept mTLS-protected traffic. #6430
Description
Currently we have `options.client_certs` as a per-site config to enable mTLS. However, when mitmproxy is working as a reverse proxy for a single server, there is no way for us to generate client certificates for each client. This is a very common scenario in Kubernetes clusters. The kube-apiserver is a REST server with RBAC enabled, where mTLS is used to indicate the user/client.

Currently mitmproxy has `addons/tlsconfig.py`, which is a good starting point. But some configs are hard coded, and other addons cannot override them. This commit also adds a hook for `tls_start_server` & `tls_start_client` to override any config of the SSL context.

Last but not least, to generate a valid client certificate, we must add `CLIENT_AUTH` to ExtendedKeyUsage.