mitm: consider insecure by default #854
Description
With default settings when using mitm Forwarder refuses insecure upstream connections.
michal@SL-2094:~$ curl -s -k -x localhost:3128 https://localhost:8443/status/200 -v
* Host localhost:3128 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:3128...
* connect to ::1 port 3128 from ::1 port 52585 failed: Connection refused
* Trying 127.0.0.1:3128...
* Connected to localhost (127.0.0.1) port 3128
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to localhost:8443
> CONNECT localhost:8443 HTTP/1.1
> Host: localhost:8443
> User-Agent: curl/8.6.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Connection: close
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted http/1.1
* Server certificate:
* subject: O=Forwarder Proxy MITM; CN=localhost
* start date: Jul 4 12:47:56 2024 GMT
* expire date: Jul 6 12:47:56 2024 GMT
* issuer: C=US; O=Sauce Labs Inc.
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* using HTTP/1.x
> GET /status/200 HTTP/1.1
> Host: localhost:8443
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/1.1 502 Bad Gateway
< Content-Length: 138
< Content-Type: text/plain; charset=utf-8
< X-Forwarder-Error: forwarder tls: failed to verify certificate: x509: certificate signed by unknown authority
<
Consider changing insecure to strict and accepting self-signed upstream certificates.
This is a common behavior for proxies.