improve server tls handshake behaviour

This commit is contained in:
Maximilian Hils 2016-05-02 18:53:08 -07:00
parent 67537ee614
commit a91d8d9d26
2 changed files with 23 additions and 11 deletions


@ -144,7 +144,7 @@ class HttpLayer(Layer):
def __call__(self): def __call__(self):
if self.mode == "transparent": if self.mode == "transparent":
self.__initial_server_tls = self._server_tls self.__initial_server_tls = self.server_tls
self.__initial_server_conn = self.server_conn self.__initial_server_conn = self.server_conn
while True: while True:
try: try:


@ -347,27 +347,39 @@ class TlsLayer(Layer):
except TlsProtocolException as e: except TlsProtocolException as e:
self.log("Cannot parse Client Hello: %s" % repr(e), "error") self.log("Cannot parse Client Hello: %s" % repr(e), "error")
# Do we need the server certificate to establish TLS with the client? # Do we need to do a server handshake now?
# First, this requires that we have TLS on both the client and the server connection. # There are two reasons why we would want to establish TLS with the server now:
# Second, this must be disabled if the user specified --no-upstream-cert # 1. If we already have an existing server connection and server_tls is True,
# Third, we need to connect if add_upstream_certs_to_client_chain is on. # we need to establish TLS now because .connect() will not be called anymore.
# Fourth, we need to connect if the client wants to negotiate an alternate protocol using ALPN. # 2. We may need information from the server connection for the client handshake.
# Fifth, we need to connect if the client did not send a SNI value. #
# A couple of factors influence (2):
# 2.1 There actually is (or will be) a TLS-enabled upstream connection
# 2.2 An upstream connection is not wanted by the user if --no-upstream-cert is passed.
# 2.3 An upstream connection is implied by add_upstream_certs_to_client_chain
# 2.4 The client wants to negotiate an alternative protocol in its handshake, we need to find out
# what is supported by the server
# 2.5 The client did not sent a SNI value, we don't know the certificate subject.
client_tls_requires_server_connection = ( client_tls_requires_server_connection = (
self._client_tls and self._server_tls self._server_tls
and not self.config.no_upstream_cert and not self.config.no_upstream_cert
and and (
(
self.config.add_upstream_certs_to_client_chain self.config.add_upstream_certs_to_client_chain
or self._client_hello.alpn_protocols or self._client_hello.alpn_protocols
or not self._client_hello.sni or not self._client_hello.sni
) )
) )
establish_server_tls_now = (
(self.server_conn and self._server_tls)
or client_tls_requires_server_connection
)
if client_tls_requires_server_connection: if self._client_tls and establish_server_tls_now:
self._establish_tls_with_client_and_server() self._establish_tls_with_client_and_server()
elif self._client_tls: elif self._client_tls:
self._establish_tls_with_client() self._establish_tls_with_client()
elif establish_server_tls_now:
self._establish_tls_with_server()
layer = self.ctx.next_layer(self) layer = self.ctx.next_layer(self)
layer() layer()
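Review bot: Dropping `self._client_tls` from `client_tls_requires_server_connection` means `self._client_hello.alpn_protocols` and `self._client_hello.sni` are now evaluated even when no client TLS handshake is in progress; if `_client_hello` is only populated after a Client Hello was parsed (the parsing `try` sits above this hunk, so this is inferred), a plain-TCP client with `server_tls` enabled would hit an AttributeError here instead of reaching the new `_establish_tls_with_server()` branch. Reason (2) in the new comment only applies when there is a client handshake, so the cheapest fix is to keep the guard in the expression: `client_tls_requires_server_connection = (self._client_tls and self._server_tls and not self.config.no_upstream_cert and (...))`, leaving `establish_server_tls_now` and the `if/elif` chain as written. The new comment also has a typo, `# 2.5 The client did not sent a SNI value` should read `did not send`. The enclosing method of TlsLayer starts before this hunk.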