tweak SSL detection heuristics

2024-11-23 00:01:36 +00:00 · 2014-10-21 15:08:39 +02:00 · 2014-10-21 15:08:39 +02:00 · 6cef6fbfec
commit 6cef6fbfec
parent 37cc6ae0bb
2 changed files with 17 additions and 2 deletions
--- a/libmproxy/protocol/http.py
+++ b/libmproxy/protocol/http.py
@ -1269,7 +1269,15 @@ class HTTPHandler(ProtocolHandler):
            self.expected_form_out = "relative"
            self.skip_authentication = True

-            if address.port in self.c.config.ssl_ports:
+            # In practice, nobody issues a CONNECT request to send unencrypted HTTP requests afterwards.
+            # If we don't delegate to TCP mode, we should always negotiate a SSL connection.
+            should_establish_ssl = (
+                address.port in self.c.config.ssl_ports
+                or
+                not self.c.config.check_tcp(address)
+            )
+
+            if should_establish_ssl:
                self.c.log("Received CONNECT request to SSL port. Upgrading to SSL...", "debug")
                self.c.establish_ssl(server=True, client=True)
                self.c.log("Upgrade to SSL completed.", "debug")
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
@ -127,6 +127,12 @@ def process_proxy_options(parser, options):
            parser.error("Certificate file does not exist: %s" % parts[1])
        certs.append(parts)

+    ssl_ports = options.ssl_ports
+    if options.ssl_ports != TRANSPARENT_SSL_PORTS:
+        # arparse appends to default value by default, strip that off.
+        # see http://bugs.python.org/issue16399
+        ssl_ports = ssl_ports[len(TRANSPARENT_SSL_PORTS):]
+
    return ProxyConfig(
        host=options.addr,
        port=options.port,
@ -144,6 +150,7 @@ def process_proxy_options(parser, options):
        ciphers=options.ciphers,
        certs=certs,
        certforward=options.certforward,
+        ssl_ports=ssl_ports
    )


@ -180,7 +187,7 @@ def ssl_option_group(parser):
        help="Don't connect to upstream server to look up certificate details."
    )
    group.add_argument(
-        "--ssl-port", action="append", type=int, dest="ssl_ports", default=TRANSPARENT_SSL_PORTS,
+        "--ssl-port", action="append", type=int, dest="ssl_ports", default=list(TRANSPARENT_SSL_PORTS),
        metavar="PORT",
        help="Can be passed multiple times. Specify destination ports which are assumed to be SSL. "
             "Defaults to %s." % str(TRANSPARENT_SSL_PORTS)