How to avoid the 'tlsv1 alert unknown ca' error in libmproxy?
Currently using libmproxy, which in turn uses telnetlib, to make requests to HTTPS Web pages. However, the following error is raised:
Error: [('SSL routines', 'SSL3_READ_BYTES', 'tlsv1 alert unknown ca')]
I believe this is related to the inability to verify the identity of the CA that vouches for the certificate the page uses. I would think there should be a setting that I can turn on (or off) that enables bypass of verification - I'm not interested in verifying the identity of the digital signer.
I think that a possible, kind of ugly, solution could be to patch the code to catch the exception and ignore it, but I would rather have a cleaner and more-supported way to do it.
What is a good way to avoid/solve this problem?
Thanks very much!
Answer
Seems that you can use the certutil if you have Windows clients.
http://support.microsoft.com/kb/555252
For Linux clients you can use:
sudo mkdir /etc/share/certificates/extra && cp cacert.crt /user/share/certficates/extra/cacert.crt
sudo dpkg-reconfigure ca-certificates
For Mac clients:
sudo security add-trusted-cert -d -r trustRoot -k \
"/Library/Keychains/System.keychain" \
"/private/tmp/certs/certname.cer"
(got this answer from https://apple.stackexchange.com/questions/80623/import-certificates-into-system-keychain-via-the-command-line)
Also, reading libmproxy's webpage it seems that it is able to load up custom certificates. If you already have an internal cert authority that your clients already trust you may want to simply generate certs from there.