From 1e40d34e942382bbb11234e0e9232794b3bf6acf Mon Sep 17 00:00:00 2001 From: Thomas Kriechbaumer Date: Sat, 15 Aug 2015 17:43:46 +0200 Subject: [PATCH] add ALPN to proxy connections --- libmproxy/protocol2/http_proxy.py | 3 ++- libmproxy/protocol2/layer.py | 2 +- libmproxy/protocol2/tls.py | 33 +++++++++++++++++++++++++++++-- libmproxy/proxy/connection.py | 14 ++----------- 4 files changed, 36 insertions(+), 16 deletions(-) diff --git a/libmproxy/protocol2/http_proxy.py b/libmproxy/protocol2/http_proxy.py index 8ac7ea8e8..b4c506cbd 100644 --- a/libmproxy/protocol2/http_proxy.py +++ b/libmproxy/protocol2/http_proxy.py @@ -1,7 +1,6 @@ from __future__ import (absolute_import, print_function, division) from .layer import Layer, ServerConnectionMixin -from .http import HttpLayer class HttpProxy(Layer, ServerConnectionMixin): @@ -22,3 +21,5 @@ class HttpUpstreamProxy(Layer, ServerConnectionMixin): for message in layer(): if not self._handle_server_message(message): yield message + +from .http import HttpLayer diff --git a/libmproxy/protocol2/layer.py b/libmproxy/protocol2/layer.py index 8e985d4dd..de519baad 100644 --- a/libmproxy/protocol2/layer.py +++ b/libmproxy/protocol2/layer.py @@ -208,4 +208,4 @@ def yield_from_callback(fun): self.yield_from_callback = None - return wrapper \ No newline at end of file + return wrapper diff --git a/libmproxy/protocol2/tls.py b/libmproxy/protocol2/tls.py index 55cc97941..fcc12f18c 100644 --- a/libmproxy/protocol2/tls.py +++ b/libmproxy/protocol2/tls.py @@ -1,7 +1,9 @@ from __future__ import (absolute_import, print_function, division) import traceback + from netlib import tcp +import netlib.http.http2 from ..exceptions import ProtocolException from .layer import Layer, yield_from_callback @@ -15,6 +17,9 @@ class TlsLayer(Layer): self._server_tls = server_tls self.client_sni = None self._sni_from_server_change = None + self.client_alpn_protos = None + + # foo alpn protos = [netlib.http.http1.HTTP1Protocol.ALPN_PROTO_HTTP1, netlib.http.http2.HTTP2Protocol.ALPN_PROTO_H2], # TODO: read this from client_conn first def __call__(self): """ @@ -131,7 +136,8 @@ class TlsLayer(Layer): options=self.config.openssl_options_client, cipher_list=self.config.ciphers_client, dhparams=self.config.certstore.dhparams, - chain_file=chain_file + chain_file=chain_file, + alpn_select_callback=self.__handle_alpn_select, ) connection.set_context(new_context) # An unhandled exception in this method will core dump PyOpenSSL, so @@ -139,10 +145,30 @@ class TlsLayer(Layer): except: # pragma: no cover self.log("Error in handle_sni:\r\n" + traceback.format_exc(), "error") + def __handle_alpn_select(self, conn_, options): + # TODO: change to something meaningful? + alpn_preference = netlib.http.http1.HTTP1Protocol.ALPN_PROTO_HTTP1 + alpn_preference = netlib.http.http2.HTTP2Protocol.ALPN_PROTO_H2 + ### + + if self.client_alpn_protos != options: + # Perform reconnect + if self._server_tls: + self.yield_from_callback(Reconnect()) + + self.client_alpn_protos = options + print("foo: %s" % options) + + if alpn_preference in options: + return bytes(alpn_preference) + else: # pragma no cover + return options[0] + @yield_from_callback def _establish_tls_with_client(self): self.log("Establish TLS with client", "debug") cert, key, chain_file = self._find_cert() + try: self.client_conn.convert_to_ssl( cert, key, @@ -151,9 +177,11 @@ class TlsLayer(Layer): handle_sni=self.__handle_sni, cipher_list=self.config.ciphers_client, dhparams=self.config.certstore.dhparams, - chain_file=chain_file + chain_file=chain_file, + alpn_select_callback=self.__handle_alpn_select, ) except tcp.NetLibError as e: + print("alpn: %s" % self.client_alpn_protos) raise ProtocolException(repr(e), e) def _establish_tls_with_server(self): @@ -168,6 +196,7 @@ class TlsLayer(Layer): ca_path=self.config.openssl_trusted_cadir_server, ca_pemfile=self.config.openssl_trusted_ca_server, cipher_list=self.config.ciphers_server, + alpn_protos=self.client_alpn_protos, ) tls_cert_err = self.server_conn.ssl_verification_error if tls_cert_err is not None: diff --git a/libmproxy/proxy/connection.py b/libmproxy/proxy/connection.py index 49210e474..f33e84cdf 100644 --- a/libmproxy/proxy/connection.py +++ b/libmproxy/proxy/connection.py @@ -1,6 +1,8 @@ from __future__ import absolute_import + import copy import os + from netlib import tcp, certutils from .. import stateobject, utils @@ -75,15 +77,6 @@ class ClientConnection(tcp.BaseHandler, stateobject.StateObject): return f def convert_to_ssl(self, *args, **kwargs): - # TODO: read ALPN from server and select same proto for client conn - # alpn_select = 'h2' - # def alpn_select_callback(conn_, options): - # if alpn_select in options: - # return bytes(alpn_select) - # else: # pragma no cover - # return options[0] - # tcp.BaseHandler.convert_to_ssl(self, alpn_select=alpn_select_callback, *args, **kwargs) - tcp.BaseHandler.convert_to_ssl(self, *args, **kwargs) self.timestamp_ssl_setup = utils.timestamp() @@ -184,9 +177,6 @@ class ServerConnection(tcp.TCPClient, stateobject.StateObject): if os.path.exists(path): clientcert = path - # TODO: read ALPN from client and use same list for server conn - # self.convert_to_ssl(cert=clientcert, sni=sni, alpn_protos=[netlib.http.http2.HTTP2Protocol.ALPN_PROTO_H2], **kwargs) - self.convert_to_ssl(cert=clientcert, sni=sni, **kwargs) self.sni = sni self.timestamp_ssl_setup = utils.timestamp()