Grasscutters/mitmproxy
3
0
Fork 0
mirror of https://github.com/Grasscutters/mitmproxy.git synced 2024-11-23 00:01:36 +00:00
Code Issues Projects Releases Wiki Activity

Cleaning up upstream server verification. Adding storage of cerificate

Browse Source 
verification errors on TCPClient object to enable warnings in downstream
projects.
This commit is contained in:
Kyle Morton 2015-06-20 13:07:23 -07:00
parent 7afe44ba4e
commit d1452424be
13 changed files with 266 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
netlib/tcp.py
View File

@ -401,14 +401,13 @@ class _Connection(object):
if options is not None:
context.set_options(options)
# Verify Options (NONE/PEER/PEER|FAIL_IF_... and trusted CAs)
if verify_options is not None and verify_options is not SSL.VERIFY_NONE:
def verify_cert(conn_, cert_, errno, err_depth, is_cert_verified):
if is_cert_verified:
return True
raise NetLibError(
"Upstream certificate validation failed at depth: %s with error number: %s" %
(err_depth, errno))
# Verify Options (NONE/PEER and trusted CAs)
if verify_options is not None:
def verify_cert(conn, x509, errno, err_depth, is_cert_verified):
if not is_cert_verified:
self.ssl_verification_error = dict(errno=errno,
depth=err_depth)
return is_cert_verified
context.set_verify(verify_options, verify_cert)
context.load_verify_locations(ca_pemfile, ca_path)
@ -469,6 +468,7 @@ class TCPClient(_Connection):
self.connection, self.rfile, self.wfile = None, None, None
self.cert = None
self.ssl_established = False
self.ssl_verification_error = None
self.sni = None
def create_ssl_context(self, cert=None, alpn_protos=None, **sslctx_kwargs):

15
test/data/not-server.crt
View File

@ -1,15 +0,0 @@
-----BEGIN CERTIFICATE-----
MIICRTCCAa4CCQD/j4qq1h3iCjANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCQ0ExETAPBgNVBAcTCFNvbWVDaXR5MRcwFQYDVQQKEw5Ob3RU
aGVSaWdodE9yZzELMAkGA1UECxMCTkExEjAQBgNVBAMTCU5vdFNlcnZlcjAeFw0x
NTA2MTMwMTE2MDZaFw0yNTA2MTAwMTE2MDZaMGcxCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJDQTERMA8GA1UEBxMIU29tZUNpdHkxFzAVBgNVBAoTDk5vdFRoZVJpZ2h0
T3JnMQswCQYDVQQLEwJOQTESMBAGA1UEAxMJTm90U2VydmVyMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQDPkJlXAOCMKF0R7aDn5QJ7HtrJgOUDk/LpbhKhRZZR
dRGnJ4/HQxYYHh9k/4yZamYcvQPUxvFJt7UJUocf+84LUcIusUk7GvJMgsMVtFMq
7UKNXBN5tl3oOtoFDWGMZ8ksaIxS6oW3V/9v2WgU23PfvwE0EZqy+QhMLZZP5GOH
RwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJI6UtMKdCS2ghjqhAek2W1rt9u+Wuvx
776WYm5VyrJEtBDc/axLh0OteXzy/A31JrYe15fnVWIeFbDF0Ief9/Ezv6Jn+Pk8
DErw5IHk2B399O4K3L3Eig06piu7uf3vE4l8ZanY02ZEnw7DyL6kmG9lX98VGenF
uXPfu3yxKbR4
-----END CERTIFICATE-----

1
test/data/verificationcerts/9d45e6a9.0 Symbolic link
View File

@ -0,0 +1 @@
trusted.pem

16
test/data/verificationcerts/interm.key Normal file
View File

@ -0,0 +1,16 @@
# Key used to sign trusted-interm.crt and untrusted-interm.crt
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC1E80qCHhZ1gaZTYB7pN/Yxt3ehpEj+5hCbpop5iTWLuDjULS9
WjA1wP+p02kZQ2dqL8pqT1qcc5jKmk2jvMeB/cQ7zNDg1NCmQMqx0KptRByMZ+GN
Zcqc7D4jl6vhGP4zAzV/lxvBvxtgeJI+ZdrHN0vT9I1cYADKz9SzCDCRTwIDAQAB
AoGAfKHocKnrzEmXuSSy7meI+vfF9kfA1ndxUSg3S+dwK0uQ1mTSQhI1ZIo2bnlo
uU6/e0Lxm0KLJ2wZGjoifjSNTC8pcxIfAQY4kM9fqoUcXVSBVSS2kByTunhNSVZQ
yQyc+UTq9g1zBnJsZAltn7/PaihU4heWgP/++lposuShqmECQQDaG+7l0qul1xak
9kuZgc88BSTfn9iMK2zIQRcVKuidK4dT3QEp0wmWR5Ue8jq8lvTmVTGNGZbHcheh
KhoZfLgLAkEA1IjwAw/8z02yV3lbc2QUjIl9m9lvjHBoE2sGuSfq/cZskLKrGat+
CVj3spqVAg22tpQwVBuHiipBziWVnEtiTQJAB9FKfchQSLBt6lm9mfHyKJeSm8VR
8Kw5yO+0URjpn4CI6DOasBIVXOKR8LsD6fCLNJpHHWSWZ+2p9SfaKaGzwwJBAM31
Scld89qca4fzNZkT0goCrvOZeUy6HVE79Q72zPVSFSD/02kT1BaQ3bB5to5/5aD2
6AKJjwZoPs7bgykrsD0CQBzU8U/8x2dNQnG0QeqaKQu5kKhZSZ9bsawvrCkxSl6b
WAjl/Jehi5bbQ07zQo3cge6qeR38FCWVCHQ/5wNbc54=
-----END RSA PRIVATE KEY-----

35
test/data/verificationcerts/trusted-chain.crt Normal file
View File

@ -0,0 +1,35 @@
# untrusted.crt, signed by trusted-interm.crt
-----BEGIN CERTIFICATE-----
MIICYzCCAcwCAhAIMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAkFVMRMwEQYD
VQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBM
dGQxFDASBgNVBAsTC0lOVEVSTSBVTklUMSEwHwYDVQQDExhPUkcgV0lUSCBJTlRF
Uk1FRElBVEUgQ0EwIBcNMTUwNjIwMDEyMDI1WhgPMjExNTA1MjcwMTIwMjVaMHMx
CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRl
cm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAsTCUxFQUYgVU5JVDEYMBYGA1UE
AxMPTk9UIFRSVVNURUQgT1JHMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDf
NZx/tugICrWGcpP8sa+EBX9WhazCsYIm8YgQrQO9B19dK7cHsWB+vIdFuDKHxfS2
JBIeVSaZ6H4onWGnZRAMpi5xnitVhBQKCZP1yOewtrg2umZIbcTz8A+BwAcvmmQN
7RZMfpxN9PMccWDfgtAXsjZ2E47o9EfhpGvxfcFc0wIDAQABMA0GCSqGSIb3DQEB
BQUAA4GBABtmc8zn5efVi3iVIgODadKkTv43elIwNZBqEJ6IaoVXvi5Mp1m4VxML
LQGPTNG1lpuVDz2z/Ml78942316ailCTOx48oDnb/yy4jI6hsp+N8p6T28/Wvkbm
cCgohk6/Cwat5gf+HwoIe5Z3B3HRJaIcB0OteluuLsHAvverBjc4
-----END CERTIFICATE-----
# trusted-interm.crt, signed by trusted.pem
-----BEGIN CERTIFICATE-----
MIIC8jCCAlugAwIBAgICEAcwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQVUx
EzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMg
UHR5IEx0ZDEQMA4GA1UEAxMHVFJVU1RFRDAgFw0xNTA2MjAwMTE4MjdaGA8yMTE1
MDUyNzAxMTgyN1owfjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UECxMLSU5U
RVJNIFVOSVQxITAfBgNVBAMTGE9SRyBXSVRIIElOVEVSTUVESUFURSBDQTCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtRPNKgh4WdYGmU2Ae6Tf2Mbd3oaRI/uY
Qm6aKeYk1i7g41C0vVowNcD/qdNpGUNnai/Kak9anHOYyppNo7zHgf3EO8zQ4NTQ
pkDKsdCqbUQcjGfhjWXKnOw+I5er4Rj+MwM1f5cbwb8bYHiSPmXaxzdL0/SNXGAA
ys/UswgwkU8CAwEAAaOBozCBoDAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTPkPQW
DAPOIy8mipuEsZcP1694EDBxBgNVHSMEajBooVukWTBXMQswCQYDVQQGEwJBVTET
MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
dHkgTHRkMRAwDgYDVQQDEwdUUlVTVEVEggkAqNQXaKXXTf0wDQYJKoZIhvcNAQEF
BQADgYEApaPbwonY8l+zSxlY2Fw4WNKfl5nwcTW4fuv/0tZLzvsS6P4hTXxbYJNa
k3hQ1qlrr8DiWJewF85hYvEI2F/7eqS5dhhPTEUFPpsjhbgiqnASvW+WKQIgoY2r
aHgOXi7RNFtTcCgk0UZISWOY7ORLy8Xu6vKrLRjDhyfIbGlqnAs=
-----END CERTIFICATE-----

19
test/data/verificationcerts/trusted-interm.crt Normal file
View File

@ -0,0 +1,19 @@
# trusted-interm.crt, signed by trusted.pem
-----BEGIN CERTIFICATE-----
MIIC8jCCAlugAwIBAgICEAcwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQVUx
EzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMg
UHR5IEx0ZDEQMA4GA1UEAxMHVFJVU1RFRDAgFw0xNTA2MjAwMTE4MjdaGA8yMTE1
MDUyNzAxMTgyN1owfjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UECxMLSU5U
RVJNIFVOSVQxITAfBgNVBAMTGE9SRyBXSVRIIElOVEVSTUVESUFURSBDQTCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtRPNKgh4WdYGmU2Ae6Tf2Mbd3oaRI/uY
Qm6aKeYk1i7g41C0vVowNcD/qdNpGUNnai/Kak9anHOYyppNo7zHgf3EO8zQ4NTQ
pkDKsdCqbUQcjGfhjWXKnOw+I5er4Rj+MwM1f5cbwb8bYHiSPmXaxzdL0/SNXGAA
ys/UswgwkU8CAwEAAaOBozCBoDAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTPkPQW
DAPOIy8mipuEsZcP1694EDBxBgNVHSMEajBooVukWTBXMQswCQYDVQQGEwJBVTET
MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
dHkgTHRkMRAwDgYDVQQDEwdUUlVTVEVEggkAqNQXaKXXTf0wDQYJKoZIhvcNAQEF
BQADgYEApaPbwonY8l+zSxlY2Fw4WNKfl5nwcTW4fuv/0tZLzvsS6P4hTXxbYJNa
k3hQ1qlrr8DiWJewF85hYvEI2F/7eqS5dhhPTEUFPpsjhbgiqnASvW+WKQIgoY2r
aHgOXi7RNFtTcCgk0UZISWOY7ORLy8Xu6vKrLRjDhyfIbGlqnAs=
-----END CERTIFICATE-----

15
test/data/verificationcerts/trusted.key Normal file
View File

@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC00Jf3KrBAmLQWl+Dz8Qrig8ActB94kv0/Lu03P/2DwOR8kH2h
3w4OC3b3CFKX31h7hm/H1PPHq7cIX6IRfwrYCtBE77UbxklSlrwn06j6YSotz0/d
wLEQEFDXWITJq7AyntaiafDHazbbXESNm/+I/YEl2wKemEHE//qWbeM9kwIDAQAB
AoGAVs2FBs1hi8FDQ01qWvGuzgt94MnACfxWw0xd6RY5OFUT25DqHxmb/7YVSIag
T/SS38osQ3zCA2s2FTkD7u5UX5AzJyqYJwmJhe6ZmaVly6IpebMxkX5w/hy15/N4
uy+kzdtEBUUTNLL3DM7THkDYUxmeDzCBrHsMvYUqFgsBLOECQQDeNc1pDC++ovg5
d9sKqMnEykBfvuvR6ra/343tYxy9zNFBvYjU3BA83MITIbEa/KtlSkIppz/K/jk5
IRwSrwsJAkEA0E9aZfjDZbC9Z4oL7T8gtj2ftSh2g37KE5AWW2OxMJwrzoJ/6wjB
nG26ATlHEFP9bRzL2O1iovFLalqEjQo+uwJAMjtZXvjZRjATCvK0Onmjeu/5k2tW
ZdK4UzGXJOW11pYZa9ILv4qrxQZmfOqt3Zrmp/QcdswPGLVVfDum2/Zj+QJABJO5
yMPOh0162+uMl4nrjhWMjM52zCzdA9EGrLtkCU1lKQR1CxUGLAm9LIm1pgYya1NW
p02P/USQA6Y5g1/WQQJBAIwl42Bebgaxl7dUbQX/vF+TryoCkM3B3eSM+P4XKB4f
kKSkNxvp59uq+b40gkoqEowhdq97y+pmrCxJHK43NJM=
-----END RSA PRIVATE KEY-----

15
test/data/verificationcerts/trusted.pem Normal file
View File

@ -0,0 +1,15 @@
# Self signed
-----BEGIN CERTIFICATE-----
MIICJzCCAZACCQCo1BdopddN/TANBgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJB
VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
cyBQdHkgTHRkMRAwDgYDVQQDEwdUUlVTVEVEMCAXDTE1MDYxOTE4MDEzMVoYDzIx
MTUwNTI2MTgwMTMxWjBXMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0
ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYDVQQDEwdU
UlVTVEVEMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC00Jf3KrBAmLQWl+Dz
8Qrig8ActB94kv0/Lu03P/2DwOR8kH2h3w4OC3b3CFKX31h7hm/H1PPHq7cIX6IR
fwrYCtBE77UbxklSlrwn06j6YSotz0/dwLEQEFDXWITJq7AyntaiafDHazbbXESN
m/+I/YEl2wKemEHE//qWbeM9kwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAF0NREP3
X+fTebzJGttzrFkDhGVFKRNyLXblXRVanlGOYF+q8grgZY2ufC/55gqf+ub6FRT5
gKPhL4V2rqL8UAvCE7jq8ujpVfTB8kRAKC675W2DBZk2EJX9mjlr89t7qXGsI5nF
onpfJ1UtiJshNoV7h/NFHeoag91kx628807n
-----END CERTIFICATE-----

33
test/data/verificationcerts/untrusted-chain.crt Normal file
View File

@ -0,0 +1,33 @@
# untrusted.crt, signed by trusted-interm.crt
-----BEGIN CERTIFICATE-----
MIICYzCCAcwCAhAIMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAkFVMRMwEQYD
VQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBM
dGQxFDASBgNVBAsTC0lOVEVSTSBVTklUMSEwHwYDVQQDExhPUkcgV0lUSCBJTlRF
Uk1FRElBVEUgQ0EwIBcNMTUwNjIwMDEyMDI1WhgPMjExNTA1MjcwMTIwMjVaMHMx
CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRl
cm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAsTCUxFQUYgVU5JVDEYMBYGA1UE
AxMPTk9UIFRSVVNURUQgT1JHMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDf
NZx/tugICrWGcpP8sa+EBX9WhazCsYIm8YgQrQO9B19dK7cHsWB+vIdFuDKHxfS2
JBIeVSaZ6H4onWGnZRAMpi5xnitVhBQKCZP1yOewtrg2umZIbcTz8A+BwAcvmmQN
7RZMfpxN9PMccWDfgtAXsjZ2E47o9EfhpGvxfcFc0wIDAQABMA0GCSqGSIb3DQEB
BQUAA4GBABtmc8zn5efVi3iVIgODadKkTv43elIwNZBqEJ6IaoVXvi5Mp1m4VxML
LQGPTNG1lpuVDz2z/Ml78942316ailCTOx48oDnb/yy4jI6hsp+N8p6T28/Wvkbm
cCgohk6/Cwat5gf+HwoIe5Z3B3HRJaIcB0OteluuLsHAvverBjc4
-----END CERTIFICATE-----
# untrusted-interm.crt, self-signed
-----BEGIN CERTIFICATE-----
MIICdTCCAd4CCQDRSKOnIMbTgDANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJB
VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
cyBQdHkgTHRkMRQwEgYDVQQLEwtJTlRFUk0gVU5JVDEhMB8GA1UEAxMYT1JHIFdJ
VEggSU5URVJNRURJQVRFIENBMCAXDTE1MDYyMDAxMzY0M1oYDzIxMTUwNTI3MDEz
NjQzWjB+MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UE
ChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRQwEgYDVQQLEwtJTlRFUk0gVU5J
VDEhMB8GA1UEAxMYT1JHIFdJVEggSU5URVJNRURJQVRFIENBMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQC1E80qCHhZ1gaZTYB7pN/Yxt3ehpEj+5hCbpop5iTW
LuDjULS9WjA1wP+p02kZQ2dqL8pqT1qcc5jKmk2jvMeB/cQ7zNDg1NCmQMqx0Kpt
RByMZ+GNZcqc7D4jl6vhGP4zAzV/lxvBvxtgeJI+ZdrHN0vT9I1cYADKz9SzCDCR
TwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAGbObAMEajCz4kj7OP2/DB5SRy2+H/G3
8Qvc43xlMMNQyYxsDuLOFL0UMRzoKgntrrm2nni8jND+tuMt+hv3ZlBcJlYJ6ynR
sC1ITTC/1SwwwO0AFIyduUEIJYr/B3sgcVYPLcEfeDZgmEQc9Tnc01aEu3lx2+l9
0JTSPL2L9LdA
-----END CERTIFICATE-----

17
test/data/verificationcerts/untrusted-interm.crt Normal file
View File

@ -0,0 +1,17 @@
# untrusted-interm.crt, self-signed
-----BEGIN CERTIFICATE-----
MIICdTCCAd4CCQDRSKOnIMbTgDANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJB
VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
cyBQdHkgTHRkMRQwEgYDVQQLEwtJTlRFUk0gVU5JVDEhMB8GA1UEAxMYT1JHIFdJ
VEggSU5URVJNRURJQVRFIENBMCAXDTE1MDYyMDAxMzY0M1oYDzIxMTUwNTI3MDEz
NjQzWjB+MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UE
ChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRQwEgYDVQQLEwtJTlRFUk0gVU5J
VDEhMB8GA1UEAxMYT1JHIFdJVEggSU5URVJNRURJQVRFIENBMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQC1E80qCHhZ1gaZTYB7pN/Yxt3ehpEj+5hCbpop5iTW
LuDjULS9WjA1wP+p02kZQ2dqL8pqT1qcc5jKmk2jvMeB/cQ7zNDg1NCmQMqx0Kpt
RByMZ+GNZcqc7D4jl6vhGP4zAzV/lxvBvxtgeJI+ZdrHN0vT9I1cYADKz9SzCDCR
TwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAGbObAMEajCz4kj7OP2/DB5SRy2+H/G3
8Qvc43xlMMNQyYxsDuLOFL0UMRzoKgntrrm2nni8jND+tuMt+hv3ZlBcJlYJ6ynR
sC1ITTC/1SwwwO0AFIyduUEIJYr/B3sgcVYPLcEfeDZgmEQc9Tnc01aEu3lx2+l9
0JTSPL2L9LdA
-----END CERTIFICATE-----

16
test/data/verificationcerts/untrusted.crt Normal file
View File

@ -0,0 +1,16 @@
# untrusted.crt, signed by trusted-interm.crt
-----BEGIN CERTIFICATE-----
MIICYzCCAcwCAhAIMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAkFVMRMwEQYD
VQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBM
dGQxFDASBgNVBAsTC0lOVEVSTSBVTklUMSEwHwYDVQQDExhPUkcgV0lUSCBJTlRF
Uk1FRElBVEUgQ0EwIBcNMTUwNjIwMDEyMDI1WhgPMjExNTA1MjcwMTIwMjVaMHMx
CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRl
cm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAsTCUxFQUYgVU5JVDEYMBYGA1UE
AxMPTk9UIFRSVVNURUQgT1JHMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDf
NZx/tugICrWGcpP8sa+EBX9WhazCsYIm8YgQrQO9B19dK7cHsWB+vIdFuDKHxfS2
JBIeVSaZ6H4onWGnZRAMpi5xnitVhBQKCZP1yOewtrg2umZIbcTz8A+BwAcvmmQN
7RZMfpxN9PMccWDfgtAXsjZ2E47o9EfhpGvxfcFc0wIDAQABMA0GCSqGSIb3DQEB
BQUAA4GBABtmc8zn5efVi3iVIgODadKkTv43elIwNZBqEJ6IaoVXvi5Mp1m4VxML
LQGPTNG1lpuVDz2z/Ml78942316ailCTOx48oDnb/yy4jI6hsp+N8p6T28/Wvkbm
cCgohk6/Cwat5gf+HwoIe5Z3B3HRJaIcB0OteluuLsHAvverBjc4
-----END CERTIFICATE-----

16
test/data/verificationcerts/verification-server.key Normal file
View File

@ -0,0 +1,16 @@
# Key used for untrusted.crt, untrusted-chain.crt and trusted-chain.crt
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDfNZx/tugICrWGcpP8sa+EBX9WhazCsYIm8YgQrQO9B19dK7cH
sWB+vIdFuDKHxfS2JBIeVSaZ6H4onWGnZRAMpi5xnitVhBQKCZP1yOewtrg2umZI
bcTz8A+BwAcvmmQN7RZMfpxN9PMccWDfgtAXsjZ2E47o9EfhpGvxfcFc0wIDAQAB
AoGAE4B9ofL7Jui4n3yXTXbA3QoV7BtV0tTriDeGKd7T+soQHPXa0gM/aRNTxlWn
pJE5JkjUhG3wJ3ZWv3mwtI1x718y0yL9uEgQJYsrNN+VJQwbGxXPio5SaG39gs+y
/8xklytMIgvuCXxmcfljemW9+PGT8otYlHeIU3wvHQennDECQQD2vWAEU9k02R9w
EkCM7mZEaW+WwrzyAD1NqatsVWErbNeXFPcHwU6y+DiDg2s5iEk89+xN2rX5mW2S
PF/2RpaNAkEA55YpZN5nN4P8yCYNz5mWN0kuSPytSgJ3fQY3BY2GkdIft/KcAuDV
1pf6jxubwP4vlamnZpqLfylbGdlRBoMY3wJBALQVE3cVG3qO3XsWVzaE6O8VZPRL
vUuDETsVkp/G0Ny428DQ9FscoyvMLrMNv7yF065D5JwN/LLnYClTF1bPviECQQCo
1BavO1eh6C3DN8K/wmb5PPdqLBKkrrGvSnWYLbmZ2sZW0p4blw8tVzRJWcYtZuEH
yVuJeEcT1/FbIcto5O+fAkASbZXZka3nm41wWNYg479Sl8I+qvtScfJgpyByYhCx
QaUAtZ791U+WNNHLqfZhSzP9lFZNRI0WNBSAy3SBR2Ur
-----END RSA PRIVATE KEY-----

86
test/test_tcp.py
View File

@ -183,52 +183,115 @@ class TestSSLv3Only(tservers.ServerTestBase):
tutils.raises(tcp.NetLibError, c.convert_to_ssl, sni="foo.com")
class TestSSLUpstreamCertVerification(tservers.ServerTestBase):
class TestSSLUpstreamCertVerificationWBadServerCert(tservers.ServerTestBase):
handler = EchoHandler
ssl = dict(
cert=tutils.test_data.path("data/server.crt")
)
cert=tutils.test_data.path("data/verificationcerts/untrusted.crt"),
key=tutils.test_data.path("data/verificationcerts/verification-server.key"))
def test_mode_default(self):
def test_mode_default_should_pass(self):
c = tcp.TCPClient(("127.0.0.1", self.port))
c.connect()
c.convert_to_ssl()
# Verification errors should be saved even if connection isn't aborted
# aborted
assert c.ssl_verification_error is not None
testval = "echo!\n"
c.wfile.write(testval)
c.wfile.flush()
assert c.rfile.readline() == testval
def test_mode_none(self):
def test_mode_none_should_pass(self):
c = tcp.TCPClient(("127.0.0.1", self.port))
c.connect()
c.convert_to_ssl(verify_options=SSL.VERIFY_NONE)
# Verification errors should be saved even if connection isn't aborted
assert c.ssl_verification_error is not None
testval = "echo!\n"
c.wfile.write(testval)
c.wfile.flush()
assert c.rfile.readline() == testval
def test_mode_strict_w_bad_cert(self):
def test_mode_strict_should_fail(self):
c = tcp.TCPClient(("127.0.0.1", self.port))
c.connect()
tutils.raises(
tcp.NetLibError,
c.convert_to_ssl,
verify_options=SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
ca_pemfile=tutils.test_data.path("data/not-server.crt"))
verify_options=SSL.VERIFY_PEER,
ca_pemfile=tutils.test_data.path("data/verificationcerts/trusted.pem"))
def test_mode_strict_w_cert(self):
assert c.ssl_verification_error is not None
# Unknown issuing certificate authority for first certificate
assert c.ssl_verification_error['errno'] == 20
assert c.ssl_verification_error['depth'] == 0
class TestSSLUpstreamCertVerificationWBadCertChain(tservers.ServerTestBase):
handler = EchoHandler
ssl = dict(
cert=tutils.test_data.path("data/verificationcerts/untrusted-chain.crt"),
key=tutils.test_data.path("data/verificationcerts/verification-server.key"))
def test_mode_strict_should_fail(self):
c = tcp.TCPClient(("127.0.0.1", self.port))
c.connect()
tutils.raises(
"certificate verify failed",
c.convert_to_ssl,
verify_options=SSL.VERIFY_PEER,
ca_pemfile=tutils.test_data.path("data/verificationcerts/trusted.pem"))
assert c.ssl_verification_error is not None
# Untrusted self-signed certificate at second position in certificate
# chain
assert c.ssl_verification_error['errno'] == 19
assert c.ssl_verification_error['depth'] == 1
class TestSSLUpstreamCertVerificationWValidCertChain(tservers.ServerTestBase):
handler = EchoHandler
ssl = dict(
cert=tutils.test_data.path("data/verificationcerts/trusted-chain.crt"),
key=tutils.test_data.path("data/verificationcerts/verification-server.key"))
def test_mode_strict_w_pemfile_should_pass(self):
c = tcp.TCPClient(("127.0.0.1", self.port))
c.connect()
c.convert_to_ssl(
verify_options=SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
ca_pemfile=tutils.test_data.path("data/server.crt"))
verify_options=SSL.VERIFY_PEER,
ca_pemfile=tutils.test_data.path("data/verificationcerts/trusted.pem"))
assert c.ssl_verification_error is None
testval = "echo!\n"
c.wfile.write(testval)
c.wfile.flush()
assert c.rfile.readline() == testval
def test_mode_strict_w_cadir_should_pass(self):
c = tcp.TCPClient(("127.0.0.1", self.port))
c.connect()
c.convert_to_ssl(
verify_options=SSL.VERIFY_PEER,
ca_path=tutils.test_data.path("data/verificationcerts/"))
assert c.ssl_verification_error is None
testval = "echo!\n"
c.wfile.write(testval)
@ -457,6 +520,7 @@ class TestALPNClient(tservers.ServerTestBase):
assert c.get_alpn_proto_negotiated() == ""
assert c.rfile.readline() == "NONE"
class TestNoSSLNoALPNClient(tservers.ServerTestBase):
handler = ALPNHandler