Make upstream-cert the default. There's now a --no-upstream-cert option to turn it off.

libmproxy/cmdline.py

@@ -212,9 +212,9 @@ def common_options(parser):
         help="Wait for specified number of seconds after a new cert is generated. This can smooth over small discrepancies between the client and server times."
     )
     parser.add_option(
-        "--upstream-cert", default=False,
-        action="store_true", dest="upstream_cert",
-        help="Connect to upstream server to look up certificate details."
+        "--no-upstream-cert", default=False,
+        action="store_true", dest="no_upstream_cert",
+        help="Don't connect to upstream server to look up certificate details."
     )
 
     group = optparse.OptionGroup(parser, "Client Replay")

libmproxy/console/__init__.py

@@ -175,8 +175,8 @@ class StatusBar(common.WWrap):
             opts.append("norefresh")
         if self.master.killextra:
             opts.append("killextra")
-        if self.master.server.config.upstream_cert:
-            opts.append("upstream-cert")
+        if self.master.server.config.no_upstream_cert:
+            opts.append("no-upstream-cert")
 
         if opts:
             r.append("[%s]"%(":".join(opts)))
@@ -859,7 +859,7 @@ class ConsoleMaster(flow.FlowMaster):
                                             ("anticomp", "c"),
                                             ("killextra", "k"),
                                             ("norefresh", "n"),
-                                            ("upstream-certs", "u"),
+                                            ("no-upstream-certs", "u"),
                                         ),
                                         self._change_options
                                 )
@@ -901,7 +901,7 @@ class ConsoleMaster(flow.FlowMaster):
         elif a == "n":
             self.refresh_server_playback = not self.refresh_server_playback
         elif a == "u":
-            self.server.config.upstream_cert = not self.server.config.upstream_cert
+            self.server.config.no_upstream_cert = not self.server.config.no_upstream_cert
 
     def shutdown(self):
         self.state.killall(self)

libmproxy/proxy.py

@@ -36,14 +36,14 @@ class Log(controller.Msg):
 
 
 class ProxyConfig:
-    def __init__(self, certfile = None, cacert = None, clientcerts = None, cert_wait_time=0, upstream_cert=False, body_size_limit = None, reverse_proxy=None, transparent_proxy=None):
+    def __init__(self, certfile = None, cacert = None, clientcerts = None, cert_wait_time=0, no_upstream_cert=False, body_size_limit = None, reverse_proxy=None, transparent_proxy=None):
         assert not (reverse_proxy and transparent_proxy)
         self.certfile = certfile
         self.cacert = cacert
         self.clientcerts = clientcerts
         self.certdir = None
         self.cert_wait_time = cert_wait_time
-        self.upstream_cert = upstream_cert
+        self.no_upstream_cert = no_upstream_cert
         self.body_size_limit = body_size_limit
         self.reverse_proxy = reverse_proxy
         self.transparent_proxy = transparent_proxy
@@ -235,7 +235,7 @@ class ProxyHandler(tcp.BaseHandler):
             return self.config.certfile
         else:
             sans = []
-            if self.config.upstream_cert:
+            if not self.config.no_upstream_cert:
                 cert = certutils.get_remote_cert(host, port, sni)
                 sans = cert.altnames
                 host = cert.cn.decode("utf8").encode("idna")
@@ -503,7 +503,7 @@ def process_proxy_options(parser, options):
         clientcerts = options.clientcerts,
         cert_wait_time = options.cert_wait_time,
         body_size_limit = body_size_limit,
-        upstream_cert = options.upstream_cert,
+        no_upstream_cert = options.no_upstream_cert,
         reverse_proxy = rp,
         transparent_proxy = trans
     )