Closed vvyushmanov closed 5 months ago
I've followed mitmproxy documentation, tried the following options:
- `--ignore-hosts .*:5061` - didn't work, for some reason, the port is not taken into consideration, although the docs state it should be
- `--tcp .*`
- `--tcpraw`
Basically, one of 2 options would resolve this: 1) A way to intercept/decode HTTPS (port 443) traffic ONLY 2) A way to give custom certificate for mitmproxy (which is possible, but it's unclear how to give a path to it within PCAPDroid)
I've also tried setting up external mitmproxy, and it seems to respect the `--ignore-hosts=.*:5061` parameter.
So, it looks like this (respecting the port, and not the host only) is something they've added relatively recently.
Is it possible to update the mitmproxy addon to respect the `host:port` parameters for allow/ignore host options?
What about `--ignore-hosts :5061`? I would avoid adding a whitelist for this, working with an IP or domain decryption rule does not work for your use case?
Thanks for the reply!
Yeah, this is the exact option I was trying to use in the "mitmproxy additional options". It is working on the latest mitmproxy for Linux, but does not work on the version embedded with the addon.
I did some digging and found this issue on mitmproxy Github https://github.com/mitmproxy/mitmproxy/issues/6325 https://github.com/mitmproxy/mitmproxy/pull/6594 https://github.com/mitmproxy/mitmproxy/pull/6614
Turns out, this was fixed just recently. Can you please apply these fixes or update to the latest mitmproxy version?
I saw other fixes done in 10.2.2 so I will update the addon to use the latest version. I will share a beta version here, officially this will be available in PCAPdroid 1.7.0
The issue you had with the `--ignore-hosts` option was probably related to my patches to remove the `aioquic_mitmproxy` and `mitmproxy_rs` native module from mitmproxy. This is fixed in https://github.com/emanuele-f/mitmproxy/commit/88cc641c01b1893aeb4038205620fa6b5b7bcfdd .
For the mitmproxy 10.2.2 update, since the rework done in https://github.com/mitmproxy/mitmproxy/commit/6e38a56f4c399551c3fe3d399bddfa8083ccd0f1 introduces non-trivial conflicts with my patches, I've just backported the `--ignore-hosts`/`--allow-hosts` fixes to 10.1.6.
All the fixes are now available in v1.1 release of PCAPdroid-mitm. You can test it with the following beta apk: PCAPdroid_1.6.9-1bab9e0.apk. Let me know how it works for you
Hi!
I've tested both `--ignore-hosts/--allow-hosts` (`--ignore-hosts .*:5061` and `--allow-hosts .*:443`) and the fix works! thx
It successfully bypasses the packets on the remote 5061 port and does what I needed it to do :)
Great! I've added this info to https://emanuele-f.github.io/PCAPdroid/tls_decryption#331-exclude-specific-hostsports . For now this is enough to address this task, if there are other needs in the future we can evaluate them
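How the `host:port` patterns tested in this thread select connections, as an added example that is not part of the thread and is not mitmproxy or PCAPdroid code. It is a simplified model that assumes each pattern is applied as a case-insensitive regex search against the string `host:port`; the function names and the endpoints are constructed for illustration.

```python
import re

def matches(patterns, host, port):
    """True if any regex is found in the "host:port" string (assumed matching rule)."""
    target = f"{host}:{port}"
    return any(re.search(p, target, re.IGNORECASE) for p in patterns)

def decision(host, port, ignore_hosts=(), allow_hosts=()):
    """Return "passthrough" or "intercept" for one connection.

    Assumed model: ignore_hosts passes matching connections through untouched,
    allow_hosts passes through everything that does NOT match.
    """
    if ignore_hosts and allow_hosts:
        raise ValueError("use either ignore_hosts or allow_hosts, not both")
    if ignore_hosts:
        return "passthrough" if matches(ignore_hosts, host, port) else "intercept"
    if allow_hosts:
        return "intercept" if matches(allow_hosts, host, port) else "passthrough"
    return "intercept"

# Constructed endpoints: HTTPS API, SIP over TLS by name and by IP, and a
# look-alike port that an unanchored ":5061" pattern also catches.
ENDPOINTS = [
    ("api.example.test", 443),
    ("sip.example.test", 5061),
    ("198.51.100.7", 5061),
    ("media.example.test", 50610),
]

def plan(**options):
    """Map every constructed endpoint to the decision the options produce."""
    return {f"{h}:{p}": decision(h, p, **options) for h, p in ENDPOINTS}

if __name__ == "__main__":
    trials = [
        {"ignore_hosts": [r".*:5061"]},   # pattern from the thread
        {"ignore_hosts": [r":5061$"]},    # anchored: exactly port 5061
        {"allow_hosts": [r".*:443"]},     # pattern from the thread
    ]
    for options in trials:
        print(options)
        for endpoint, verdict in plan(**options).items():
            print(f"  {endpoint:28} {verdict}")
```

Under this model an unanchored pattern also matches ports that merely begin with `5061`; ending the pattern with `$` restricts it to that exact port.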
Hi!
I haven't found anything on this here, so here's my question. I know this is more in regards to mitmproxy, but maybe you'll be able to point me in right direction.
Our app uses HTTPS over TLS1.3 (port 443) and SIP TLS over TLS1.2 (port 5061). So, whenever I enable decryption, HTTPS packets are successfully decrypted, but TLS handshakes for SIP TLS on port 5061 fail.
Is there any way to passthrough a particular port and/or protocol?

![image](https://github.com/emanuele-f/PCAPdroid/assets/111231219/c5d45471-cadc-46b8-841a-8a32158fa402)