Merge branch 'master' of github.com:mitmproxy/mitmproxy

libmproxy/proxy/config.py

@@ -13,7 +13,7 @@ class ProxyConfig:
     def __init__(self, confdir=CONF_DIR, clientcerts=None,
                        no_upstream_cert=False, body_size_limit=None, get_upstream_server=None,
                        http_form_in="absolute", http_form_out="relative", authenticator=None,
-                       ciphers=None, certs=None
+                       ciphers=None, certs=None, certforward = False
                 ):
         self.ciphers = ciphers
         self.clientcerts = clientcerts
@@ -25,6 +25,7 @@ class ProxyConfig:
         self.authenticator = authenticator
         self.confdir = os.path.expanduser(confdir)
         self.certstore = certutils.CertStore.from_store(self.confdir, CONF_BASENAME)
+        self.certforward = certforward
 
 
 def process_proxy_options(parser, options):
@@ -93,15 +94,17 @@ def process_proxy_options(parser, options):
         certs.append(parts)
 
     return ProxyConfig(
-        clientcerts=options.clientcerts,
-        body_size_limit=body_size_limit,
-        no_upstream_cert=options.no_upstream_cert,
-        get_upstream_server=get_upstream_server,
-        http_form_in=http_form_in,
-        http_form_out=http_form_out,
-        authenticator=authenticator,
-        ciphers=options.ciphers,
+        clientcerts = options.clientcerts,
+        body_size_limit = body_size_limit,
+        no_upstream_cert = options.no_upstream_cert,
+        get_upstream_server = get_upstream_server,
+        confdir = options.confdir,
+        http_form_in = http_form_in,
+        http_form_out = http_form_out,
+        authenticator = authenticator,
+        ciphers = options.ciphers,
         certs = certs,
+        certforward = options.certforward,
     )
 
 
@@ -125,3 +128,8 @@ def ssl_option_group(parser):
         type=str, dest="ciphers", default=None,
         help="SSL cipher specification."
     )
+    group.add_argument(
+        "--cert-forward", action="store_true",
+        dest="certforward", default=False,
+        help="Simply forward SSL certificates from upstream."
+    )

libmproxy/proxy/server.py

@@ -190,7 +190,8 @@ class ConnectionHandler:
             self.client_conn.convert_to_ssl(
                 cert, key,
                 handle_sni = self.handle_sni,
-                cipher_list = self.config.ciphers
+                cipher_list = self.config.ciphers,
+                dhparams = self.config.certstore.dhparams
             )
 
     def server_reconnect(self, no_ssl=False):
@@ -219,6 +220,9 @@ class ConnectionHandler:
         self.channel.tell("log", Log(msg))
 
     def find_cert(self):
+        if self.config.certforward and self.server_conn.ssl_established:
+            return self.server_conn.cert, self.config.certstore.gen_pkey(self.server_conn.cert)
+        else:
             host = self.server_conn.address.host
             sans = []
             if not self.config.no_upstream_cert or not self.server_conn.ssl_established:

test/test_server.py

@@ -446,3 +446,10 @@ class TestIncompleteResponse(tservers.HTTPProxTest):
     def test_incomplete(self):
         assert self.pathod("200").status_code == 502
 
+
+class TestCertForward(tservers.HTTPProxTest):
+    certforward = True
+    ssl = True
+    def test_app_err(self):
+        tutils.raises("handshake error", self.pathod, "200:b@100")
+

test/tservers.py

@@ -81,6 +81,7 @@ class ProxTestBase(object):
     authenticator = None
     masterclass = TestMaster
     externalapp = False
+    certforward = False
     @classmethod
     def setupAll(cls):
         cls.server = libpathod.test.Daemon(ssl=cls.ssl, ssloptions=cls.ssloptions)
@@ -91,6 +92,7 @@ class ProxTestBase(object):
             no_upstream_cert = cls.no_upstream_cert,
             confdir = cls.confdir,
             authenticator = cls.authenticator,
+            certforward = cls.certforward,
             **pconf
         )
         tmaster = cls.masterclass(config)