 

How to avoid the 'tlsv1 alert unknown ca' error in libmproxy?

Currently using libmproxy, which in turn uses telnetlib, to make requests to HTTPS Web pages. However, the following error is raised:

Error: [('SSL routines', 'SSL3_READ_BYTES', 'tlsv1 alert unknown ca')]

I believe this is related to the inability to verify the identity of the CA that vouches for the certificate the page uses. I would think there should be a setting that I can turn on (or off) that enables bypass of verification - I'm not interested in verifying the identity of the digital signer.

I think that a possible, kind of ugly, solution could be to patch the code to catch the exception and ignore it, but I would rather have a cleaner and more-supported way to do it.

What is a good way to avoid/solve this problem?

Thanks very much!

Juan Carlos Coto asked Jul 02 '13 22:07


2 Answers

Seems that you can use the certutil if you have Windows clients.

http://support.microsoft.com/kb/555252

For Linux clients you can use:

sudo mkdir -p /usr/share/ca-certificates/extra && sudo cp cacert.crt /usr/share/ca-certificates/extra/cacert.crt
sudo dpkg-reconfigure ca-certificates

For Mac clients:

sudo security add-trusted-cert -d -r trustRoot -k \
"/Library/Keychains/System.keychain" \
"/private/tmp/certs/certname.cer"

(got this answer from https://apple.stackexchange.com/questions/80623/import-certificates-into-system-keychain-via-the-command-line)

Also, reading libmproxy's webpage it seems that it is able to load up custom certificates. If you already have an internal cert authority that your clients already trust you may want to simply generate certs from there.

Phobos answered Nov 06 '22 05:11


This happens when the proxySG certificate that is presented to the user isn't signed by a trusted CA.

I had this error too; I fixed it by pushing the CA (the one used for the SSL proxy) to the actual browser, through group policy.

Tim answered Nov 06 '22 05:11
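Both answers come down to the same thing: the client only accepts the proxy's per-host certificate once the proxy's CA is in the client's trust store. The script below is an added example (not from the question or either answer) that reproduces that offline with the openssl CLI: a throwaway CA stands in for the one libmproxy generates, it signs a leaf for a constructed host name, and the leaf is verified against a trust bundle with and without that CA. All names and file paths in it are constructed; it assumes `openssl` is installed.

```shell
#!/bin/sh
# Offline reproduction of the trust failure behind 'tlsv1 alert unknown ca':
# a private CA (standing in for the one libmproxy generates) signs a leaf
# certificate for an intercepted host, and a client accepts that leaf only
# once the CA is in the trust bundle it verifies against.
# Assumes the openssl CLI is installed; all names below are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/unknown-ca-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed CA: $1 = common name, $2 = file prefix.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Leaf certificate for host $1, signed by the CA with prefix $2
# (what the proxy does for each intercepted host).
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$2.pem" \
    -CAkey "$WORK/$2.key" -CAcreateserial -days 1 \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Client-side check: verify the leaf against trust bundle $1 and report
# "trusted" or "unknown ca" (the alert a real client sends on failure).
verify_leaf() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo "unknown ca"
  fi
}

make_ca "Demo Proxy CA" proxy-ca          # the proxy's own root
make_ca "Unrelated Public CA" other-ca    # what the client already trusts
make_leaf example.test proxy-ca

# A client store lacking the proxy CA rejects the leaf; appending the proxy
# CA to that store (the Linux/Mac/group-policy steps above) makes it pass.
cat "$WORK/other-ca.pem" "$WORK/proxy-ca.pem" > "$WORK/with-proxy-ca.pem"

echo "store without proxy CA: $(verify_leaf "$WORK/other-ca.pem")"
echo "store with proxy CA:    $(verify_leaf "$WORK/with-proxy-ca.pem")"
```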