From b075b7fc15252a6c62ef6d0ec0936542554d8d67 Mon Sep 17 00:00:00 2001
From: Maximilian Hils
Date: Sun, 24 Nov 2019 00:28:16 +0100
Subject: [PATCH] [sans-io] tls: handle invalid clienthellos

---
 mitmproxy/proxy2/layers/tls.py           | 10 ++++++++--
 test/mitmproxy/proxy2/layers/test_tls.py | 14 ++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/mitmproxy/proxy2/layers/tls.py b/mitmproxy/proxy2/layers/tls.py
index 58bdc1077..44ef84199 100644
--- a/mitmproxy/proxy2/layers/tls.py
+++ b/mitmproxy/proxy2/layers/tls.py
@@ -327,7 +327,9 @@ class ClientTLSLayer(_TLSLayer):
         try:
             client_hello = parse_client_hello(self.recv_buffer)
         except ValueError as e:
-            raise NotImplementedError from e  # TODO
+            yield commands.Log(f"Cannot parse ClientHello: {self.recv_buffer.hex()}")
+            yield commands.CloseConnection(client)
+            return
 
         if client_hello:
             client.sni = client_hello.sni
@@ -378,9 +380,13 @@ class ClientTLSLayer(_TLSLayer):
             dest = self.context.client.sni.decode("idna")
         else:
             dest = human.format_address(self.context.server.address)
+        if "Unknown CA" in err:
+            keyword = "does not"
+        else:
+            keyword = "may not"
         yield commands.Log(
             f"Client TLS Handshake failed. "
-            f"The client may not trust the proxy's certificate for {dest} ({err}).",
+            f"The client {keyword} trust the proxy's certificate for {dest} ({err}).",
             level="warn"
         )
         yield commands.CloseConnection(self.context.client)
diff --git a/test/mitmproxy/proxy2/layers/test_tls.py b/test/mitmproxy/proxy2/layers/test_tls.py
index 11138620d..914856bcc 100644
--- a/test/mitmproxy/proxy2/layers/test_tls.py
+++ b/test/mitmproxy/proxy2/layers/test_tls.py
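Review bot: The `except ValueError as e:` branch in the first hunk no longer uses `e`, so the binding is dead and the parser's reason for rejecting the bytes is dropped from the diagnostic; `yield commands.Log(f"Cannot parse ClientHello ({e}): {self.recv_buffer.hex()}")` keeps the explanation next to the bytes (the new test pins the exact message, so it would need the same change). The message is also emitted without a `level=` argument, whereas the handshake-failure Log in the second hunk passes `level="warn"`; a non-TLS or misconfigured client hitting this path is something an operator wants to notice, so the two sites should agree. If `recv_buffer` is not bounded elsewhere in the layer, dumping its full hex can produce a very long log line; a prefix such as `self.recv_buffer[:64].hex()` limits that without losing diagnostic value. The enclosing method starts before this hunk.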
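Review bot: The `"Unknown CA" in err` check in the second hunk is a substring match on the exact wording of an error string, and nothing at the site says where that wording comes from or why it alone justifies the stronger "does not" phrasing; a comment such as `# "Unknown CA" appears to be the alert text seen when the client rejects our certificate; the match depends on that wording — confirm against the TLS backend` would tell the next maintainer what breaks if the library's message changes. The type of `err` is not visible in this hunk, so the `in` test is assumed to be a string containment. Stylistically the four added lines collapse to `keyword = "does not" if "Unknown CA" in err else "may not"`. The enclosing method starts before this hunk.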
@@ -428,3 +428,17 @@ class TestClientTLS:
         assert tctx.server.alpn == b"quux"
         _test_echo(playbook, tssl_server, tctx.server)
         _test_echo(playbook, tssl_client, tctx.client)
+
+    def test_cannot_parse_clienthello(self, tctx: context.Context):
+        """We have a client layer, but we only receive garbage."""
+        playbook, client_layer = _make_client_tls_layer(tctx)
+
+        invalid = b"\x16\x03\x01\x00\x00"
+
+        assert (
+            playbook
+            >> events.DataReceived(tctx.client, invalid)
+            << commands.Log(f"Cannot parse ClientHello: {invalid.hex()}")
+            << commands.CloseConnection(tctx.client)
+        )
+        assert not tctx.client.tls_established
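Review bot: `client_layer` is bound on the new test's first statement but never referenced; `playbook, _ = _make_client_tls_layer(tctx)` states that only the playbook is needed (assuming the name was not meant to document a side effect of the helper). The `invalid` fixture is a truncated TLS record header, so only one rejection shape of `parse_client_hello` is exercised; a second case feeding bytes that are not a TLS record at all (a plaintext client talking to a TLS port is the likelier operational misconfiguration) would show the same Log/CloseConnection path is taken there too. The enclosing class `TestClientTLS` starts before this hunk.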