Add a hideous kludge to fix not-yet-valid certificates.

- The OpenSSL x509 has no way to explicitly set the notBefore value on
certificates.

- If two systems have the same configured time, it's possible to return a
certificate before the validity start time has arrived.

- We "solve" this by waiting for one second when a certificate is first
generated before returning the cert. The alternative is to rewrite pretty much
all of our certificate generation, a thought too horrible to contemplate.
Aldo Cortesi 2011-06-11 15:16:16 +12:00
parent 62f9864395
commit 7d7803a4d9
2 changed files with 4 additions and 0 deletions

@ -14,6 +14,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import re, os, subprocess, datetime, textwrap, errno, sys, time, functools
CERT_SLEEP_TIME = 1
def timestamp():
"""
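Review bot: CERT_SLEEP_TIME = 1 is introduced at module level with no comment giving its unit or its purpose. A short comment above it saying that it is the number of seconds dummy_cert waits after generating a certificate, so that the validity start time has passed before the cert is returned, and that the tests override it to 0, would save the next reader from tracing the name to the time.sleep call further down.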
@ -485,6 +486,7 @@ def dummy_cert(certdir, ca, commonname):
stdin=subprocess.PIPE
)
if ret: return None
time.sleep(CERT_SLEEP_TIME)
return certpath
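Review bot: the time.sleep(CERT_SLEEP_TIME) placed before return certpath only covers peers whose clocks agree with the generating host, which is the case the commit message names; a peer whose clock lags by more than CERT_SLEEP_TIME seconds will still see the certificate as not yet valid. Please add a comment at the sleep stating that limit and why the wait is there, so the constant is not later reduced or removed as dead time. Placing the sleep after "if ret: return None" is right, since the failure path then returns without waiting.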

@ -2,6 +2,8 @@ import textwrap, cStringIO, os, time, re
import libpry
from libmproxy import utils
utils.CERT_SLEEP_TIME = 0
class uformat_timestamp(libpry.AutoTree):
def test_simple(self):
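Review bot: utils.CERT_SLEEP_TIME = 0 is assigned at import time of the test module and never restored, so the override stays in effect for any other test that uses libmproxy.utils in the same process. Setting it in a test setup step and restoring the previous value afterwards would keep the change local to the tests that need it. As written, no test exercises dummy_cert with a non-zero delay, so the new sleep line itself is untested.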