HTTPS Decryption (Man-in-the-Middle Attack, MitM)
Chute may decrypt HTTPS traffic by MitM. Please see the Wikipedia article for more information.
The certificate generator can help you generate a new CA certificate for debugging and make it trusted by the system. It's available in Chute Mac and Chute iOS Chute Editor. This certificate is generated locally and only saved in your profile file and the system Keychain. The key of the new certificate is generated randomly using OpenSSL.
You can also use an existing CA certificate. Export the certificate to PKCS#12 format (.p12) with a passphrase. Please note that the passphrase cannot be empty due to a system limitation. Use the "base64" command to encode the file as a base64 string and append the settings below to your config file.
[MITM]
enable = true
ca-p12 = MIIJtQ.........
ca-passphrase = password
hostname = *google.com
Chute only decrypts traffic to hosts declared here.
- Wildcard characters * and ? are supported.
- Use prefix - to exclude a hostname.
- By default, only requests to port 443 are decrypted.
- Use suffix :port to allow other ports.
- Use suffix :0 to allow all ports.
Example:
- -*.apple.com: Excludes all requests sent to *.apple.com on port 443.
- www.google.com: Allows MitM for www.google.com on port 443.
- www.google.com:8080: Allows MitM for www.google.com on port 8080.
- www.google.com:0: Allows MitM for www.google.com on all ports.
- *: Allows MitM for all hostnames on port 443. (Not Recommended)
- *:0: Allows MitM for all hostnames on all ports. (Not Recommended)
A general configuration may be like:
hostname = -*.apple.com, -*.icloud.com, *
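To audit what a given hostname line actually puts in scope for decryption before deploying it, the following added example (not Chute's own code) implements the matching rules described above: * and ? wildcards, a - prefix for exclusion, a :port suffix, :0 for all ports and a default of 443. It assumes that an exclusion rule wins over any allow rule for the same host and port regardless of order.

```python
import re

DEFAULT_PORT = 443  # the page states only port 443 is decrypted unless a :port suffix is given


def _wildcard_to_regex(pattern):
    """Translate the documented wildcards ('*' any run, '?' one char) into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def parse_mitm_hostname(value):
    """Parse a comma-separated `hostname` value into (exclude, regex, port) rules.

    port == 0 means every port (the ':0' suffix); a missing suffix means DEFAULT_PORT.
    """
    rules = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        exclude = item.startswith("-")
        if exclude:
            item = item[1:]
        host, port = item, DEFAULT_PORT
        if ":" in item:
            host, port_str = item.rsplit(":", 1)
            port = int(port_str)
        rules.append((exclude, _wildcard_to_regex(host), port))
    return rules


def will_decrypt(rules, host, port=DEFAULT_PORT):
    """Return True if traffic to host:port would be decrypted under these rules.

    Assumption (not stated on the page): a matching exclusion overrides any matching allow.
    """
    allowed = False
    for exclude, regex, rule_port in rules:
        if not regex.match(host) or (rule_port != 0 and rule_port != port):
            continue
        if exclude:
            return False
        allowed = True
    return allowed
```

Running will_decrypt over the endpoints an app is known to contact makes it easy to confirm that certificate-pinned services stay excluded while the hosts you intend to debug are covered.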
Chute will apply URL Rewrite Rule & Header Rewrite Rule to all MitM requests.
Some applications have a strict security policy that uses pinned certificates or CAs. Enabling decryption for these hosts may cause problems.
Options
skip-server-cert-verify
skip-server-cert-verify = true
Do not verify the certificate of the remote host while performing MITM. When enabled, Chute will accept any certificate presented by the upstream server, including self-signed or invalid certificates. This is useful for development environments but reduces security.
[MITM]
enable = true
ca-p12 = MIIJtQ.........
ca-passphrase = password
skip-server-cert-verify = true
hostname = *google.com
Security Note: Enabling skip-server-cert-verify makes MITM connections vulnerable to man-in-the-middle attacks between Chute and the upstream server. Only enable this for trusted networks or development purposes.