MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE for intercepted requests - certificate not before date is too close to real time #1438
Comments
|
@JJ-Author Can you try to add |
|
I am on it but since I am a newbie to poetry (or python dependency management in general) I was struggling to import a patched version of proxypy running with our minimal (not)working example. So beginning of next week I will try to resolve this and see whether it works. |
|
@JJ-Author Thank you JJ. No worries (I have never used poetry myself till date). I am curious if this |
abhinavsingh
added
the
Awaiting Response
|
-startdate does not do what one would think it would do for the x509 command (it is only for printing information) to move forward to a PR maybe it is easiest to have a command line flag where one can set the notBefore difference in seconds and by default this is 0/None, so the current behaviour without -not_before flag. But in the description of this flag we say that it requires at least openssl version 3.4.0. WDYT? |
|
shall I try to prep the PR with a new commandline flag as I proposed? |
Describe the bug
the on the fly https interception certificate "not before" date seems too close too real time and just a little delay in the client time of 2s triggers a "MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE" in firefox
To Reproduce
start proxy.py in interception mode and set the client time some minutes behind real time and make an https request with tls-interception to a domain you never requested before
Expected behavior
the on-the-fly https interception certificates should have a significant time buffer and not be too close to real time (if needed maybe configurable via cmd argument)
I see no reason why the "not before" date would not be at least one day in the past by default.
Version information
The text was updated successfully, but these errors were encountered: