fix: include CA cert in TLS chain and use explicit trust policies on macOS (#13)

tito · claude · web-flow · commit d23c18748c20 · 2026-03-18T16:27:33.000-06:00
The MITM TLS handshake was only sending the leaf certificate, causing
"unable to get local issuer certificate" errors. Now sends the full chain
(leaf + CA) so clients can verify the issuer.

Also switches macOS cert install from `-r trustRoot` to `-p ssl -p basic`
which sets explicit per-policy trust settings in the Keychain, matching
the approach used by mitmproxy. This ensures LibreSSL/curl honor the
Keychain trust when verifying certificates through CONNECT tunnels.

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/cmd/greyproxy/cert.go b/cmd/greyproxy/cert.go
@@ -196,7 +196,7 @@ func handleCertInstall(force bool) {
 
 		fmt.Println("Installing CA certificate into system trust store (requires sudo)...")
 		cmd := exec.Command("sudo", "security", "add-trusted-cert",
-			"-d", "-r", "trustRoot",
+			"-d", "-p", "ssl", "-p", "basic",
 			"-k", "/Library/Keychains/System.keychain",
 			certFile,
 		)
@@ -205,7 +205,7 @@ func handleCertInstall(force bool) {
 		cmd.Stdin = os.Stdin
 		if err := cmd.Run(); err != nil {
 			fmt.Fprintf(os.Stderr, "\nAutomatic install failed. Please run manually:\n\n")
-			fmt.Fprintf(os.Stderr, "  sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain \"%s\"\n\n", certFile)
+			fmt.Fprintf(os.Stderr, "  sudo security add-trusted-cert -d -p ssl -p basic -k /Library/Keychains/System.keychain \"%s\"\n\n", certFile)
 			os.Exit(1)
 		}
 		fmt.Printf("CA certificate installed and trusted in %s\n", certInstallLocation())
diff --git a/internal/gostx/internal/util/sniffing/sniffer.go b/internal/gostx/internal/util/sniffing/sniffer.go
@@ -928,7 +928,7 @@ func (h *Sniffer) terminateTLS(ctx context.Context, network string, conn, cc net
 			}
 
 			return &tls.Certificate{
-				Certificate: [][]byte{cert.Raw},
+				Certificate: [][]byte{cert.Raw, h.Certificate.Raw},
 				PrivateKey:  h.PrivateKey,
 			}, nil
 		},
@@ -1025,7 +1025,7 @@ func (h *Sniffer) terminateTLSDeferred(ctx context.Context, network string, conn
 				return nil, err
 			}
 			return &tls.Certificate{
-				Certificate: [][]byte{cert.Raw},
+				Certificate: [][]byte{cert.Raw, h.Certificate.Raw},
 				PrivateKey:  h.PrivateKey,
 			}, nil
 		},
diff --git a/internal/greyproxy/api/cert.go b/internal/greyproxy/api/cert.go
@@ -70,7 +70,7 @@ func buildInstallCommands(certPath string) map[string]string {
 	cmds := make(map[string]string)
 	switch runtime.GOOS {
 	case "darwin":
-		cmds["macos"] = fmt.Sprintf("sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain \"%s\"", certPath)
+		cmds["macos"] = fmt.Sprintf("sudo security add-trusted-cert -d -p ssl -p basic -k /Library/Keychains/System.keychain \"%s\"", certPath)
 	case "linux":
 		destPath, updateCmd := linuxCertInstallInfo()
 		cmds["linux"] = fmt.Sprintf("sudo cp \"%s\" %s && sudo %s", certPath, destPath, updateCmd)
