MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE for intercepted requests - certificate not before date is too close to real time

[JJ-Author]

Describe the bug
the on the fly https interception certificate "not before" date seems too close too real time and just a little delay in the client time of 2s triggers a "MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE" in firefox

To Reproduce
start proxy.py in interception mode and set the client time some minutes behind real time and make an https request with tls-interception to a domain you never requested before

Expected behavior
the on-the-fly https interception certificates should have a significant time buffer and not be too close to real time (if needed maybe configurable via cmd argument)
I see no reason why the "not before" date would not be at least one day in the past by default.

Version information

• OS: [ubuntu 20.04]
• Browser [firefox]
• Device: [amd64]
• proxy.py Version [2.4.4]

[abhinavsingh]

@JJ-Author Can you try to add -startdate param within pki.py methods and see if it helps you?

[JJ-Author]

I am on it but since I am a newbie to poetry (or python dependency management in general) I was struggling to import a patched version of proxypy running with our minimal (not)working example. So beginning of next week I will try to resolve this and see whether it works.

[abhinavsingh]

@JJ-Author Thank you JJ. No worries (I have never used poetry myself till date). I am curious if this -startdate change is all that we need. If it does, please let me know and we'll ship it with the next release.

[JJ-Author]

-startdate does not do what one would think it would do for the x509 command (it is only for printing information)
but I got it running and it works with "-not_before" flag see JJ-Author@140fec4
however this flag requires openssl 3.4.x. while it seems possible to make sure that in the docker container this is installed.
at the moment there seems no openssl version detection for "Non-docker-deployments" in proxypy.
note there is one workaround to go via the ca command but this is quite complex with a serial and revocation database and other functionality so I refrained from changing from x509 to ca command.

to move forward to a PR maybe it is easiest to have a command line flag where one can set the notBefore difference in seconds and by default this is 0/None, so the current behaviour without -not_before flag. But in the description of this flag we say that it requires at least openssl version 3.4.0. WDYT?

[JJ-Author]

shall I try to prep the PR with a new commandline flag as I proposed?
or will you derive it on your own from my branch?