Need Automatic TLS Fail-Open / Smart Passthrough for Cloud Real Device Network Logging #8083

@pinkal26022005

Description


Hi team,

I am building a cloud-based real device automation platform.

**Architecture Overview**

- A central mitmproxy server runs in our infrastructure
- ~20 real mobile devices (iOS & Android) connect to that proxy
- A user connects to one device through our platform
- When the user clicks “Live Network Log”, we stream mitmproxy logs in real time via a custom addon (WebSocket-based)

Previously, we used Charles Proxy. Logs were only available after the session ended.
Now we are implementing live network logging using mitmproxy, which works well for many apps and websites.

**The Problem**

- Users can install any application on the device.
- Multiple users may work on the same device for different purposes.

Many modern apps use:

- Certificate pinning
- Custom TLS validation
- Network security configurations

When mitmproxy attempts to intercept TLS:

- The client rejects the generated certificate
- TLS handshake fails
- The application does not open or gets stuck
- This breaks the user’s testing session

This is a critical issue for us because:

- If an app does not open, the automation/testing session becomes unusable.
**Desired Behavior (Charles-like)**

What we want is:

For normal apps/websites:

- Intercept normally
- Show full request/response logs

For pinned or non-interceptable apps:

- Do NOT break the connection
- Automatically fall back to encrypted passthrough
- Show connection-level logs:
  - CONNECT request
  - Hostname (SNI)
  - Port
  - Timing
  - Bytes transferred

This is similar to how Charles behaves when SSL Proxying is not possible — traffic is tunneled and the app continues working.

**Key Requirement**

We cannot maintain a static ignore-hosts list because:

- Devices are shared
- Users install arbitrary apps
- Domains are unpredictable
- The system must scale automatically

We need a dynamic, automatic fail-open strategy.

**Questions**

  1. Is there a supported way to automatically downgrade to TLS passthrough if interception fails?
  2. Can this be reliably implemented using an addon?
  3. Would a built-in option such as tls_fail_open=true be feasible?

What is the recommended architecture for large-scale mobile device cloud environments?
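One way to implement the "intercept first, fall open after the client rejects the certificate" behaviour asked for in this issue, as an added example written for this page and not code from the mitmproxy project or from the issue author: a mitmproxy addon built on two hooks the addon API provides, `tls_clienthello` (where setting `ignore_connection = True` makes mitmproxy tunnel the TLS bytes untouched, the same mechanism `ignore_hosts` uses) and `tls_failed_client` (which fires when the client aborts the handshake against the generated certificate). The decision logic is kept in a plain `PassthroughPolicy` class so it can be unit-tested without mitmproxy installed; the failure threshold, the TTL after which interception is retried, the host key (SNI, falling back to the CONNECT target) and the `connection_summary` record are this example's own assumptions. Bytes transferred is not tracked here, since the `Connection` object does not carry a byte counter.

```python
"""
Dynamic TLS fail-open ("smart passthrough") addon for mitmproxy.

Added example, not code from the mitmproxy project. Hooks used:
  tls_clienthello(data)       - runs before interception; data.ignore_connection = True
                                makes mitmproxy tunnel the TLS bytes untouched
  tls_failed_client(data)     - runs when the client aborts the handshake against
                                mitmproxy's generated certificate (pinning etc.)
  client_disconnected(client) - used for a connection-level record (SNI, peer, timing)
Decision logic lives in PassthroughPolicy so it can be tested without mitmproxy.
Run with:  mitmdump -s smart_passthrough.py
"""
from __future__ import annotations

import logging
import time

log = logging.getLogger(__name__)


class PassthroughPolicy:
    """Count handshake failures per host and decide when to stop intercepting it."""

    def __init__(self, threshold: int = 1, ttl_seconds: float = 3600.0) -> None:
        self.threshold = threshold      # failures before a host is tunneled (1 = fail open at once)
        self.ttl_seconds = ttl_seconds  # forget failures after this long, so interception is retried
        self._failures: dict[str, list[float]] = {}  # host -> timestamps of recent failures

    def _recent(self, host: str, now: float) -> list[float]:
        """Drop expired failures for a host and return the ones still inside the TTL."""
        stamps = [t for t in self._failures.get(host, []) if now - t < self.ttl_seconds]
        if stamps:
            self._failures[host] = stamps
        else:
            self._failures.pop(host, None)
        return stamps

    def record_failure(self, host: str, now: float | None = None) -> int:
        now = time.time() if now is None else now
        stamps = self._recent(host, now) + [now]
        self._failures[host] = stamps
        return len(stamps)

    def should_passthrough(self, host: str, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        return len(self._recent(host, now)) >= self.threshold

    def passthrough_hosts(self, now: float | None = None) -> set[str]:
        now = time.time() if now is None else now
        return {h for h in list(self._failures) if self.should_passthrough(h, now)}


def host_key(context) -> str | None:
    """Identify the upstream by SNI, else by the address taken from the CONNECT request."""
    sni = getattr(context.client, "sni", None)
    if sni:
        return sni
    address = getattr(context.server, "address", None)
    return address[0] if address else None


def connection_summary(client) -> dict:
    """Connection-level record kept for tunneled traffic, where no request/response is visible."""
    start = client.timestamp_start or 0.0
    end = client.timestamp_end or time.time()
    return {"client": client.peername, "sni": client.sni, "duration_s": round(end - start, 3)}


class SmartPassthrough:
    def __init__(self, policy: PassthroughPolicy | None = None) -> None:
        self.policy = policy or PassthroughPolicy()

    def tls_clienthello(self, data) -> None:
        host = host_key(data.context)
        if host and self.policy.should_passthrough(host):
            data.ignore_connection = True  # tunnel: no generated cert is presented, the app keeps working
            log.info("tls passthrough host=%s client=%s", host, data.context.client.peername)

    def tls_failed_client(self, data) -> None:
        host = host_key(data.context)
        if host is None:
            return
        n = self.policy.record_failure(host)
        log.warning("client rejected interception host=%s failures=%d error=%s",
                    host, n, data.conn.error)

    def client_disconnected(self, client) -> None:
        log.info("connection closed %s", connection_summary(client))


addons = [SmartPassthrough()]
```

The first connection to a host is always intercepted, so pinned apps see exactly one failed handshake and reconnect through a tunnel; the TTL means a host is periodically re-tried, which matters on shared devices where a later user may install the CA properly. The policy keys on hostname only, so a pinned domain that also serves unpinned traffic loses inspection for both once it trips the threshold.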
