ProxyConfig: various SSL options to Options

2025-02-07 02:28:50 +00:00 · 2016-07-19 11:41:04 +12:00 · 2016-07-19 11:41:04 +12:00 · 0a3839375d
commit 0a3839375d
parent f81c53f9bb
6 changed files with 33 additions and 28 deletions
--- a/mitmproxy/cmdline.py
+++ b/mitmproxy/cmdline.py
@ -249,6 +249,12 @@ def get_common_options(args):
        mode = mode,
        upstream_server = upstream_server,
        upstream_auth = args.upstream_auth,
+        ssl_version_client = args.ssl_version_client,
+        ssl_version_server = args.ssl_version_server,
+        ssl_verify_upstream_cert = args.ssl_verify_upstream_cert,
+        ssl_verify_upstream_trusted_cadir = args.ssl_verify_upstream_trusted_cadir,
+        ssl_verify_upstream_trusted_ca = args.ssl_verify_upstream_trusted_ca,
+        add_upstream_certs_to_client_chain = args.add_upstream_certs_to_client_chain,
    )


--- a/mitmproxy/flow/options.py
+++ b/mitmproxy/flow/options.py
@ -48,6 +48,12 @@ class Options(options.Options):
            mode = "regular",  # type: str
            upstream_server = "",  # type: str
            upstream_auth = "",  # type: str
+            ssl_version_client="secure",  # type: str
+            ssl_version_server="secure",  # type: str
+            ssl_verify_upstream_cert=False,  # type: bool
+            ssl_verify_upstream_trusted_cadir=None,  # type: str
+            ssl_verify_upstream_trusted_ca=None,  # type: str
+            add_upstream_certs_to_client_chain=False,  # type: bool
    ):
        # We could replace all assignments with clever metaprogramming,
        # but type hints are a much more valueable asset.
@ -89,5 +95,10 @@ class Options(options.Options):
        self.mode = mode
        self.upstream_server = upstream_server
        self.upstream_auth = upstream_auth
-
+        self.ssl_version_client = ssl_version_client
+        self.ssl_version_server = ssl_version_server
+        self.ssl_verify_upstream_cert = ssl_verify_upstream_cert
+        self.ssl_verify_upstream_trusted_cadir = ssl_verify_upstream_trusted_cadir
+        self.ssl_verify_upstream_trusted_ca = ssl_verify_upstream_trusted_ca
+        self.add_upstream_certs_to_client_chain = add_upstream_certs_to_client_chain
        super(Options, self).__init__()
--- a/mitmproxy/options.py
+++ b/mitmproxy/options.py
@ -52,7 +52,7 @@ class Options(object):
        if attr in self._opts:
            return self._opts[attr]
        else:
-            raise AttributeError()
+            raise AttributeError("No such option: %s" % attr)

    def __setattr__(self, attr, value):
        if not self._initialized:
--- a/mitmproxy/protocol/tls.py
+++ b/mitmproxy/protocol/tls.py
@ -368,7 +368,7 @@ class TlsLayer(base.Layer):
            self._server_tls and
            not self.config.no_upstream_cert and
            (
-                self.config.add_upstream_certs_to_client_chain or
+                self.config.options.add_upstream_certs_to_client_chain or
                self._client_hello.alpn_protocols or
                not self._client_hello.sni
            )
@ -473,7 +473,7 @@ class TlsLayer(base.Layer):
        self.log("Establish TLS with client", "debug")
        cert, key, chain_file = self._find_cert()

-        if self.config.add_upstream_certs_to_client_chain:
+        if self.config.options.add_upstream_certs_to_client_chain:
            extra_certs = self.server_conn.server_certs
        else:
            extra_certs = None
--- a/mitmproxy/proxy/config.py
+++ b/mitmproxy/proxy/config.py
@ -86,8 +86,6 @@ class ProxyConfig:
            self,
            options,
            no_upstream_cert=False,
-            upstream_server=None,
-            upstream_auth=None,
            authenticator=None,
            ignore_hosts=tuple(),
            tcp_hosts=tuple(),
@ -96,12 +94,6 @@ class ProxyConfig:
            ciphers_client=DEFAULT_CLIENT_CIPHERS,
            ciphers_server=None,
            certs=tuple(),
-            ssl_version_client="secure",
-            ssl_version_server="secure",
-            ssl_verify_upstream_cert=False,
-            ssl_verify_upstream_trusted_cadir=None,
-            ssl_verify_upstream_trusted_ca=None,
-            add_upstream_certs_to_client_chain=False,
    ):
        self.options = options
        self.ciphers_client = ciphers_client
@ -115,17 +107,14 @@ class ProxyConfig:
        self.authenticator = authenticator

        self.openssl_method_client, self.openssl_options_client = \
-            tcp.sslversion_choices[ssl_version_client]
+            tcp.sslversion_choices[options.ssl_version_client]
        self.openssl_method_server, self.openssl_options_server = \
-            tcp.sslversion_choices[ssl_version_server]
+            tcp.sslversion_choices[options.ssl_version_server]

-        if ssl_verify_upstream_cert:
+        if options.ssl_verify_upstream_cert:
            self.openssl_verification_mode_server = SSL.VERIFY_PEER
        else:
            self.openssl_verification_mode_server = SSL.VERIFY_NONE
-        self.openssl_trusted_cadir_server = ssl_verify_upstream_trusted_cadir
-        self.openssl_trusted_ca_server = ssl_verify_upstream_trusted_ca
-        self.add_upstream_certs_to_client_chain = add_upstream_certs_to_client_chain

        self.certstore = None
        self.clientcerts = None
@ -172,6 +161,8 @@ class ProxyConfig:
            self.upstream_server = parse_server_spec(options.upstream_server)
        if options.upstream_auth:
            self.upstream_auth = parse_upstream_auth(options.upstream_auth)
+        self.openssl_trusted_cadir_server = options.ssl_verify_upstream_trusted_cadir
+        self.openssl_trusted_ca_server = options.ssl_verify_upstream_trusted_ca


 def process_proxy_options(parser, options, args):
@ -183,7 +174,6 @@ def process_proxy_options(parser, options, args):
            "to the client chain."
        )
    if args.auth_nonanonymous or args.auth_singleuser or args.auth_htpasswd:
-
        if args.transparent_proxy:
            return parser.error("Proxy Authentication not supported in transparent mode.")

@ -205,7 +195,8 @@ def process_proxy_options(parser, options, args):
        elif args.auth_htpasswd:
            try:
                password_manager = authentication.PassManHtpasswd(
-                    args.auth_htpasswd)
+                    args.auth_htpasswd
+                )
            except ValueError as v:
                return parser.error(v)
        authenticator = authentication.BasicProxyAuth(password_manager, "mitmproxy")
@ -222,10 +213,4 @@ def process_proxy_options(parser, options, args):
        authenticator=authenticator,
        ciphers_client=args.ciphers_client,
        ciphers_server=args.ciphers_server,
-        ssl_version_client=args.ssl_version_client,
-        ssl_version_server=args.ssl_version_server,
-        ssl_verify_upstream_cert=args.ssl_verify_upstream_cert,
-        ssl_verify_upstream_trusted_cadir=args.ssl_verify_upstream_trusted_cadir,
-        ssl_verify_upstream_trusted_ca=args.ssl_verify_upstream_trusted_ca,
-        add_upstream_certs_to_client_chain=args.add_upstream_certs_to_client_chain,
    )
--- a/test/mitmproxy/tservers.py
+++ b/test/mitmproxy/tservers.py
@ -123,9 +123,12 @@ class ProxyTestBase(object):
        cnf = dict(
            no_upstream_cert = cls.no_upstream_cert,
            authenticator = cls.authenticator,
-            add_upstream_certs_to_client_chain = cls.add_upstream_certs_to_client_chain,
        )
-        return cnf, options.Options(listen_port=0, cadir=cls.cadir)
+        return cnf, options.Options(
+            listen_port=0,
+            cadir=cls.cadir,
+            add_upstream_certs_to_client_chain=cls.add_upstream_certs_to_client_chain
+        )


 class HTTPProxyTest(ProxyTestBase):