Open JJ-Author opened 2 months ago
@JJ-Author Can you try to add the -startdate param within the pki.py methods and see if it helps you?
I am on it but since I am a newbie to poetry (or python dependency management in general) I was struggling to import a patched version of proxypy running with our minimal (not)working example. So beginning of next week I will try to resolve this and see whether it works.
@JJ-Author Thank you JJ. No worries (I have never used poetry myself till date). I am curious if this -startdate change is all that we need. If it does, please let me know and we'll ship it with the next release.
-startdate does not do what one would think it would do for the x509 command (it is only for printing information), but I got it running and it works with the "-not_before" flag, see https://github.com/JJ-Author/proxy.py/commit/140fec4ad64328e4b861aa67b9c0061b2c066adb
However, this flag requires OpenSSL 3.4.x. While it seems possible to make sure that this is installed in the Docker container, at the moment there seems to be no OpenSSL version detection for "non-Docker deployments" in proxy.py.
Note there is one workaround to go via the ca command, but this is quite complex with a serial and revocation database and other functionality, so I refrained from changing from the x509 to the ca command.
To move forward to a PR, maybe it is easiest to have a command line flag where one can set the notBefore difference in seconds, and by default this is 0/None, i.e. the current behaviour without the -not_before flag. But in the description of this flag we say that it requires at least OpenSSL version 3.4.0. WDYT?
Shall I try to prep the PR with a new command line flag as I proposed? Or will you derive it on your own from my branch?
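The flag proposed above (a notBefore offset in seconds, default off, usable only on OpenSSL >= 3.4.0) combined with the missing version detection, written out as an added example that is not proxy.py's own pki.py code; the function names and the RuntimeError on an old OpenSSL are assumptions of this example:

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# openssl x509 -not_before / -not_after first shipped in OpenSSL 3.4.0.
MIN_NOT_BEFORE_VERSION = (3, 4, 0)


def parse_openssl_version(version_output: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, patch) from `openssl version` text such as
    "OpenSSL 3.4.0 22 Oct 2024" or legacy "OpenSSL 1.1.1f 31 Mar 2020".
    None when the output is not OpenSSL at all (e.g. LibreSSL)."""
    m = re.match(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", version_output.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def supports_not_before(version_output: str) -> bool:
    """True when the installed openssl understands `x509 -not_before`."""
    v = parse_openssl_version(version_output)
    return v is not None and v >= MIN_NOT_BEFORE_VERSION


def not_before_args(offset_seconds: Optional[int], now: datetime,
                    version_output: str) -> List[str]:
    """Extra `openssl x509` arguments that backdate notBefore by offset_seconds
    so a client whose clock runs behind does not see NOT_YET_VALID.
    None or 0 keeps today's behaviour (no flag). OpenSSL wants YYYYMMDDHHMMSSZ.
    Hypothetical policy: fail loudly instead of silently emitting an
    un-backdated certificate on an OpenSSL that lacks the flag."""
    if not offset_seconds:
        return []
    if not supports_not_before(version_output):
        raise RuntimeError(
            "-not_before needs OpenSSL >= 3.4.0, found: " + version_output.strip())
    start = now.astimezone(timezone.utc) - timedelta(seconds=offset_seconds)
    return ["-not_before", start.strftime("%Y%m%d%H%M%SZ")]


def local_openssl_version() -> str:
    """Query the installed binary (the non-Docker case the thread mentions)."""
    return subprocess.run(["openssl", "version"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Backdate by one day, the default the bug report asks for.
    print(not_before_args(86400, datetime.now(timezone.utc), local_openssl_version()))
```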
Describe the bug: The on-the-fly HTTPS interception certificate "not before" date seems too close to real time, and just a little delay in the client time of 2s triggers a "MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE" in Firefox.
To Reproduce: Start proxy.py in interception mode, set the client time some minutes behind real time, and make an HTTPS request with TLS interception to a domain you never requested before.
Expected behavior: The on-the-fly HTTPS interception certificates should have a significant time buffer and not be too close to real time (if needed, maybe configurable via a cmd argument). I see no reason why the "not before" date would not be at least one day in the past by default.
Version information