Merge pull request #2469 from Kriechi/nuke-old-openssl

nuke old openssl
2024-11-23 00:01:36 +00:00 · 2017-07-25 21:57:54 +02:00 · 2017-07-25 21:57:54 +02:00 · d409a6c09a
commit d409a6c09a
parent 3262b6e705 4855659eeb
15 changed files with 109 additions and 244 deletions
--- a/mitmproxy/addons/init.py
+++ b/mitmproxy/addons/init.py
@ -1,7 +1,6 @@
 from mitmproxy.addons import allowremote
 from mitmproxy.addons import anticache
 from mitmproxy.addons import anticomp
 from mitmproxy.addons import check_alpn
 from mitmproxy.addons import check_ca
 from mitmproxy.addons import clientplayback
 from mitmproxy.addons import core_option_validation
@ -29,7 +28,6 @@ def default_addons():
        allowremote.AllowRemote(),
        anticache.AntiCache(),
        anticomp.AntiComp(),
        check_alpn.CheckALPN(),
        check_ca.CheckCA(),
        clientplayback.ClientPlayback(),
        cut.Cut(),
--- a/mitmproxy/addons/check_alpn.py
+++ b/mitmproxy/addons/check_alpn.py
@ -1,17 +0,0 @@
 import mitmproxy
 from mitmproxy.net import tcp
 from mitmproxy import ctx
 class CheckALPN:
    def __init__(self):
        self.failed = False
    def configure(self, updated):
        self.failed = mitmproxy.ctx.master.options.http2 and not tcp.HAS_ALPN
        if self.failed:
            ctx.log.warn(
                "HTTP/2 is disabled because ALPN support missing!\n"
                "OpenSSL 1.0.2+ required to support HTTP/2 connections.\n"
                "Use --no-http2 to silence this warning."
            )
--- a/mitmproxy/net/tcp.py
+++ b/mitmproxy/net/tcp.py
@ -14,18 +14,12 @@ from typing import Optional  # noqa
 from mitmproxy.utils import strutils
 import certifi
 import OpenSSL
 from OpenSSL import SSL
 from mitmproxy import certs
 from mitmproxy.utils import version_check
 from mitmproxy import exceptions
 from mitmproxy.types import basethread
 # This is a rather hackish way to make sure that
 # the latest version of pyOpenSSL is actually installed.
 version_check.check_pyopenssl_version()
 socket_fileobject = socket.SocketIO
 # workaround for https://bugs.python.org/issue29515
@ -33,7 +27,6 @@ socket_fileobject = socket.SocketIO
 IPPROTO_IPV6 = getattr(socket, "IPPROTO_IPV6", 41)
 EINTR = 4
 HAS_ALPN = SSL._lib.Cryptography_HAS_ALPN
 # To enable all SSL methods use: SSLv23
 # then add options to disable certain methods
@ -503,7 +496,6 @@ class _Connection:
        if cipher_list:
            try:
                context.set_cipher_list(cipher_list.encode())
                context.set_tmp_ecdh(OpenSSL.crypto.get_elliptic_curve('prime256v1'))
            except SSL.Error as v:
                raise exceptions.TlsException("SSL cipher specification error: %s" % str(v))
@ -511,24 +503,23 @@ class _Connection:
        if log_ssl_key:
            context.set_info_callback(log_ssl_key)
-        if HAS_ALPN:  # pragma: openssl-old no cover
+        if alpn_protos is not None:
-            if alpn_protos is not None:
+            # advertise application layer protocols
-                # advertise application layer protocols
+            context.set_alpn_protos(alpn_protos)
-                context.set_alpn_protos(alpn_protos)
+        elif alpn_select is not None and alpn_select_callback is None:
-            elif alpn_select is not None and alpn_select_callback is None:
+            # select application layer protocol
-                # select application layer protocol
+            def alpn_select_callback(conn_, options):
-                def alpn_select_callback(conn_, options):
+                if alpn_select in options:
-                    if alpn_select in options:
+                    return bytes(alpn_select)
-                        return bytes(alpn_select)
+                else:  # pragma: no cover
-                    else:  # pragma: no cover
+                    return options[0]
-                        return options[0]
+            context.set_alpn_select_callback(alpn_select_callback)
-                context.set_alpn_select_callback(alpn_select_callback)
+        elif alpn_select_callback is not None and alpn_select is None:
-            elif alpn_select_callback is not None and alpn_select is None:
+            if not callable(alpn_select_callback):
-                if not callable(alpn_select_callback):
+                raise exceptions.TlsException("ALPN error: alpn_select_callback must be a function.")
-                    raise exceptions.TlsException("ALPN error: alpn_select_callback must be a function.")
+            context.set_alpn_select_callback(alpn_select_callback)
-                context.set_alpn_select_callback(alpn_select_callback)
+        elif alpn_select_callback is not None and alpn_select is not None:
-            elif alpn_select_callback is not None and alpn_select is not None:
+            raise exceptions.TlsException("ALPN error: only define alpn_select (string) OR alpn_select_callback (function).")
                raise exceptions.TlsException("ALPN error: only define alpn_select (string) OR alpn_select_callback (function).")
        return context
@ -720,7 +711,7 @@ class TCPClient(_Connection):
        return self.connection.gettimeout()
    def get_alpn_proto_negotiated(self):
-        if HAS_ALPN and self.ssl_established:  # pragma: openssl-old no cover
+        if self.ssl_established:
            return self.connection.get_alpn_proto_negotiated()
        else:
            return b""
@ -827,7 +818,7 @@ class BaseHandler(_Connection):
        self.connection.settimeout(n)
    def get_alpn_proto_negotiated(self):
-        if HAS_ALPN and self.ssl_established:  # pragma: openssl-old no cover
+        if self.ssl_established:
            return self.connection.get_alpn_proto_negotiated()
        else:
            return b""
--- a/mitmproxy/tools/main.py
+++ b/mitmproxy/tools/main.py
@ -16,7 +16,6 @@ from mitmproxy import exceptions  # noqa
 from mitmproxy import options  # noqa
 from mitmproxy import optmanager  # noqa
 from mitmproxy import proxy  # noqa
 from mitmproxy.utils import version_check  # noqa
 from mitmproxy.utils import debug  # noqa
@ -58,7 +57,6 @@ def run(MasterKlass, args, extra=None):  # pragma: no cover
        extra: Extra argument processing callable which returns a dict of
        options.
    """
    version_check.check_pyopenssl_version()
    debug.register_info_dumpers()
    opts = options.Options()
--- a/mitmproxy/utils/version_check.py
+++ b/mitmproxy/utils/version_check.py
@ -1,42 +0,0 @@
 """
 Having installed a wrong version of pyOpenSSL is unfortunately a very common
 source of error. Check before every start that both versions are somewhat okay.
 """
 import sys
 import inspect
 import os.path
 import OpenSSL
 PYOPENSSL_MIN_VERSION = (16, 0)
 def check_pyopenssl_version(min_version=PYOPENSSL_MIN_VERSION, fp=sys.stderr):
    min_version_str = ".".join(str(x) for x in min_version)
    try:
        v = tuple(int(x) for x in OpenSSL.__version__.split(".")[:2])
    except ValueError:
        print(
            "Cannot parse pyOpenSSL version: {}"
            "mitmproxy requires pyOpenSSL {} or greater.".format(
                OpenSSL.__version__, min_version_str
            ),
            file=fp
        )
        return
    if v < min_version:
        print(
            "You are using an outdated version of pyOpenSSL: "
            "mitmproxy requires pyOpenSSL {} or greater.".format(min_version_str),
            file=fp
        )
        # Some users apparently have multiple versions of pyOpenSSL installed.
        # Report which one we got.
        pyopenssl_path = os.path.dirname(inspect.getfile(OpenSSL))
        print(
            "Your pyOpenSSL {} installation is located at {}".format(
                OpenSSL.__version__, pyopenssl_path
            ),
            file=fp
        )
        sys.exit(1)
--- a/pathod/pathoc.py
+++ b/pathod/pathoc.py
@ -223,14 +223,6 @@ class Pathoc(tcp.TCPClient):
        self.ws_framereader = None
        if self.use_http2:
            if not tcp.HAS_ALPN:  # pragma: no cover
                log.write_raw(
                    self.fp,
                    "HTTP/2 requires ALPN support. "
                    "Please use OpenSSL >= 1.0.2. "
                    "Pathoc might not be working as expected without ALPN.",
                    timestamp=False
                )
            self.protocol = http2.HTTP2StateProtocol(self, dump_frames=self.http2_framedump)
        else:
            self.protocol = net_http.http1
--- a/test/conftest.py
+++ b/test/conftest.py
@ -1,15 +1,8 @@
 import os
 import pytest
 import OpenSSL
 import mitmproxy.net.tcp
 pytest_plugins = ('test.full_coverage_plugin',)
 requires_alpn = pytest.mark.skipif(
    not mitmproxy.net.tcp.HAS_ALPN,
    reason='requires OpenSSL with ALPN support')
 skip_windows = pytest.mark.skipif(
    os.name == "nt",
    reason='Skipping due to Windows'
@ -24,9 +17,3 @@ skip_appveyor = pytest.mark.skipif(
    "APPVEYOR" in os.environ,
    reason='Skipping due to Appveyor'
 )
@pytest.fixture()
 def disable_alpn(monkeypatch):
    monkeypatch.setattr(mitmproxy.net.tcp, 'HAS_ALPN', False)
    monkeypatch.setattr(OpenSSL.SSL._lib, 'Cryptography_HAS_ALPN', False)
--- a/test/mitmproxy/addons/test_check_alpn.py
+++ b/test/mitmproxy/addons/test_check_alpn.py
@ -1,23 +0,0 @@
 from mitmproxy.addons import check_alpn
 from mitmproxy.test import taddons
 from ...conftest import requires_alpn
 class TestCheckALPN:
    @requires_alpn
    def test_check_alpn(self):
        msg = 'ALPN support missing'
        with taddons.context() as tctx:
            a = check_alpn.CheckALPN()
            tctx.configure(a)
            assert not tctx.master.has_log(msg)
    def test_check_no_alpn(self, disable_alpn):
        msg = 'ALPN support missing'
        with taddons.context() as tctx:
            a = check_alpn.CheckALPN()
            tctx.configure(a)
            assert tctx.master.has_log(msg)
--- a/test/mitmproxy/data/no_common_name.pem
+++ b/test/mitmproxy/data/no_common_name.pem
@ -1,20 +1,84 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIBOQIBAAJBAKVJ43C+8SjOvN9/pP/8HwzmHGQmRvdK/R6KlWdr7He6iiXDQNfH
+MIIJKgIBAAKCAgEA4Jut+R51opC773ToeUhwJOVGnpxNqzZTDMImO141WPvKMjMs
-RAp+gqX0hBRT80eRjGhSmTTBLCWiXVny4UUCAwEAAQJAUQ8nZ0d85VJd9g2XUaLH
+i15f0U3OKqK8YERDfDzaAbgqz6MNgqc8QbNJ0e9VxtMUzTkCwSlbDHMFgZNyXVRX
-Z4ACNGtBKk2wTKYSFyIqWZxsF5qhh7HGshJIAP6tYiX8ZW+mMSfme+zsJzWe8ChL
+OQEBJ/fTMlU+LimOH38QY0orifdAHH+kPUYIiqTBzgJvCy8w1o4hGSlzf2HW400d
-gQIhAM8QpAgUHnNteZvkv0XqceX1GILEWifMt+hO9yTp4dY5AiEAzFnKr77CKCri
+mlRSJEVgBj6nXQENbVxmxf6f9H19eWpnLuP5aJIwP4LEsGdqLP0ESnWfZVPIAiEs
-/DPig4R/5q4KMpMx9EqJufHdGNmIA20CICMARxnufK86RCIr6oEg/hvG8Fu6YRr1
+LuYkhbRXqiuJfnc1am8LexzLi4VQMCw0K4Tm1lTbapcnOUakO6orQvX7MOEKYBU+
-Kekk3/XnavtRAiBVLVQ7vwKE5aNpRmMzOKZrS736aLpYvjz8IaFr+zgjXQIgdad5
+ogGGby0MyOTaCkuUFi0YdTtU4DEdWJ9HfogRO/uG1325/8/T+tq8RgOkp9cUvjU3
-QZoTD49NTyMEgyZp70gTXcXQLrX2PgQKL4uNmoU=
+ONqpLZC6zs0YR8OzlTbXClmV+Mr6d1qEb3jk6zWlLykLVozOS3z5vdVxpbJqM/Ct
 HporAA0cSer2EGtN68OB3Hy3Bh7MPjqpSFSJ1uTQ755jS3qOzwggoQFCz2dBmfyi
 7nOGHFW4h/5NaF1mnIlJJVnJIZajSNl9e6klGeXmJv4ZtiqJd/CG0jTUnGWOTimu
 kSmxVNcWs2vFjwQhuRJwawzGo7O1gZPkq3/0/F+yLp5karmRJs8sQ/JDvGL4rW5Y
 qW7u1WuYQeHYHscfPwf0be8teKWcURIqBoHPxdJV3s9zf8Y/AN9OFFdPqwcCAwEA
 AQKCAgEAtdHQV2Ws3FhFimYc+nEFNxjSvfrRdNOZDy7rPAvbK5lH6LM8T+WpswlE
 54as71DTQHMSF2o6XbMkcKtoP9ce3u7bhQPCRw7rh+ouZjmGL4pofdyUbvS9NtmL
 Aae3mi7RefWmEnosHJcmMuuwzFkw+Oq+aEHYGjmtU0Hi0TeY43kUNxRp7lBr3ii6
 vtNhMAx2Dh1KpOSmH4imVe8ob/DkKR6OKBt3lUVh0eFP4+arjZ7wvaiU17I9xm5i
 uMJdnx5pAyu5I4P/0YWtkBF4efIv2zj+FZ8ehWMF97adJqtxF/RULcuE1Chf5weU
 3dtEFilwSzNeJShOYN3hX6gwe+Ex8NQ7EIcbkJBaxzteEbcCJJf2rUq5oHwt3MFR
 H1m1iZ/H3erNHOIqr+LW5+ZXI9Lyyn9z1YTodP2KIfB6Rg8ldsaEnkuCD/S+iikO
 xNo/OwJf3rHtbeRtpAfSqkSMhT57hadRTvPlBMAoFEsX3hdw1XuRLOp9YAhsjdhU
 GBzD+U/kB8FlYRhPjvjT97lJ7uE2AosGgIZBwpyv/UqPU75u/3SgubLmIHoXYWBn
 jPig0H3zqpT+1D+88umMP5Ka+V/KsofUvObSjipdw3U1ZekI+08SLlGQqLvA7tk/
 3WvT7QN3k0OUx261pJNHmVhPZysJT0DNpJX9x/4jFiLVBxYyomECggEBAPNtLge0
 YJGvKTTpQoKlIb/a47wncBizyeVRhjcYNRQn6JcSzPPao8x1/ARoKPGeTXqDWiHt
 o8RllF1aEKbO0gTXtBM7jjwf1ueco1F4IQYc7EnA1TwNyQ0JeA5RFcpOzLOx4SK5
 67jMaAI/gQ2Q4H3uISWF+hPlckRySpwouz+xS3QP6PZ8S6lZwHF5S9LMrxTlwbPj
 yAjgIllFIvs91J6mDljll1ZG601CU8piaY5zPoJVQIesA/YRK+rlHBPICOGXJBm7
 G8kbYT9EFibxklWjiz9C9G70WPulPCZpAqaqIp70nOFR+Kp5g8VuPaMKFx8p3qc/
 AQJGlO06lFVaL0UCggEBAOw1qkzBFTdBmZW9VSBHBQdTJuuuWjoLCp1tfPUYluqG
 VrzIKN0dlnB2Qy5uOHd0fVTq88+EadnXwt2hOkp4uGeWOIZfE0welWmNZ1ym9vkg
 PSLgPYBDSL1rDntLeAgEUYl4gnFL8zyD0uKw/+oMoMaW2jNEqmGJH9y5uG2lkFGC
 A6MbEw32sfJKoWB2GvnlIPGAMfZy9Varxq/r24OeFi7J6ja89DBL9OEWsB49/CP0
 92dkS2+7KekTN9go3cFaqnseDHNUuRhHsIJBpaWSaxlUwpVP6QQtn5NMEW44YpnE
 PDk/EsxwOVAGRVaS5+pBJSUbLplXRHlzVZW4lEc+f9sCggEAe0ZuSh6RzRVck9wQ
 /6JqzgMm03FRdmEOPKCljJ8oujVft6ogutmdm/ygDQdGvN3DNOjyKz5ychJTKVdk
 GWWhvCwUmKzPYilpps+PccGZT8Qz8UHDeu8sQvrpnq53j4WKavIJJpHrCyIRBhps
 25bj6UI/7QXFWHAZBwquOBj0gtPhdzxbaQAXPQMjzxNzT6Syga29A8G12rDPFFBL
 39o3I8TKfUB//IRbwzt0vYhLFoXMQSq1TD/Tnbiieglex7HEtaHZ+WHlN1ozTFvJ
 sB0kU1RIP1hD+zCpI39RT85cNlTwxXjxPbZKbOKu1bv3YOrKPNDyXdYtR57A6saA
 uhy61QKCAQEAnax5AIFGyzrD7duTjlc5+Ri9e0dIPUSPkmS6q9T9MJH6JkwqUudk
 O7AFymGS2dJtsxifJV/LVLoc/tqX0Yxh8+un0bJ3bDFiJTJZ09Q0OjoV9UjgZNUF
 IkPrR8wp1JglYXGLCVvcgwGv7NigC7jgPZAHGX/1h+QD29AxVyfUfUQfb2osPv70
 67p7nKtZ+IPFiM+9CjjUokVJ/LahMmt9fUAVUvKwweiCDxqY96cCv3HPEDo3zN6P
 7GCCv40P8fi2ojZ9syLT52w7W8e8bhid2yvkM81CyyI1ShrV69BBqUj/tmru/n7P
 EycMc+zeWFWiGPHbGkrRj4y4jZfHiwMiTwKCAQEAk77dpDHxxTbmW0sdRYsEgwbz
 hhbi4vhaEsJODDg0WsqZYOxsfbjTXYYSClCel3QHuJGHmEqCTcj8SqWXwpQhTeW1
 Ngs1tOprfLAo+XCbUTy51b9Acx6l/EgP1n5lrjNnGgcygfAYSG34zXSnXpiJzqQP
 vKXntjJii5U8d+Qzvvwf6taU5v0JqO1J2ZWmvmgZN9qgVR42KVvdBc1F6qsN4F68
 ZrY9lULqi776Z60Dfl9S/7E4BCSEyZm4PjJ39zQYMYc4B77YYv/aO4WFZBm7gbc/
 0UP8WkOzc8wYOqgLF2KatJkaOLBfbhMGaKPvjvWDfjyVfZ8I4Gqx2rI8ILHEuQ==
 -----END RSA PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
-MIIBgTCCASugAwIBAgIJAKlcXsPLQAQuMA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNV
+MIIFtTCCA52gAwIBAgIJAM/qkBYP5ExSMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
-BAYTAkFVMB4XDTEzMTIxMjAxMzA1NVoXDTE0MDExMTAxMzA1NVowDTELMAkGA1UE
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
-BhMCQVUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApUnjcL7xKM6833+k//wfDOYc
+aWRnaXRzIFB0eSBMdGQwHhcNMTcwNzI1MDg0MDAwWhcNMTgwNzI1MDg0MDAwWjBF
-ZCZG90r9HoqVZ2vsd7qKJcNA18dECn6CpfSEFFPzR5GMaFKZNMEsJaJdWfLhRQID
+MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
-AQABo24wbDAdBgNVHQ4EFgQUJm8BXcVRsROy0PVt5stkB3eVnEgwPQYDVR0jBDYw
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
-NIAUJm8BXcVRsROy0PVt5stkB3eVnEihEaQPMA0xCzAJBgNVBAYTAkFVggkAqVxe
+CgKCAgEA4Jut+R51opC773ToeUhwJOVGnpxNqzZTDMImO141WPvKMjMsi15f0U3O
-w8tABC4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAHHxcBEpWrIqtLVH
+KqK8YERDfDzaAbgqz6MNgqc8QbNJ0e9VxtMUzTkCwSlbDHMFgZNyXVRXOQEBJ/fT
-m6Yn1hgqrAbfMj9IK6zY9C5Cbad/DfUj3AZMb5u758WJK0x9brmckgqdrQsuf9He
+MlU+LimOH38QY0orifdAHH+kPUYIiqTBzgJvCy8w1o4hGSlzf2HW400dmlRSJEVg
-Ef51/SU=
+Bj6nXQENbVxmxf6f9H19eWpnLuP5aJIwP4LEsGdqLP0ESnWfZVPIAiEsLuYkhbRX
 qiuJfnc1am8LexzLi4VQMCw0K4Tm1lTbapcnOUakO6orQvX7MOEKYBU+ogGGby0M
 yOTaCkuUFi0YdTtU4DEdWJ9HfogRO/uG1325/8/T+tq8RgOkp9cUvjU3ONqpLZC6
 zs0YR8OzlTbXClmV+Mr6d1qEb3jk6zWlLykLVozOS3z5vdVxpbJqM/CtHporAA0c
 Ser2EGtN68OB3Hy3Bh7MPjqpSFSJ1uTQ755jS3qOzwggoQFCz2dBmfyi7nOGHFW4
 h/5NaF1mnIlJJVnJIZajSNl9e6klGeXmJv4ZtiqJd/CG0jTUnGWOTimukSmxVNcW
 s2vFjwQhuRJwawzGo7O1gZPkq3/0/F+yLp5karmRJs8sQ/JDvGL4rW5YqW7u1WuY
 QeHYHscfPwf0be8teKWcURIqBoHPxdJV3s9zf8Y/AN9OFFdPqwcCAwEAAaOBpzCB
 pDAdBgNVHQ4EFgQUZrQUSE9A8i0N4ZuQZq/F4I74QlwwdQYDVR0jBG4wbIAUZrQU
 SE9A8i0N4ZuQZq/F4I74QlyhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpT
 b21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDP
 6pAWD+RMUjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQDPeylCUY4k
 nG1KoT139g5T5G1/lxgmYnDqQB1+5JYCQWsPK7sy19tD58bq3+2N2Tozu2/f/GkG
 LZtouLyRciFtcAWy4LQlSR4hTLAWeik2WV/h+ovfv4XwvRuwS5PYVQNHQsOAO3ea
 hX+W+w+rwI+MFlgEHJO85P61ijcNVbiTpgd0s47RViKyJVDqfhCmpobzS5eTbbXn
 F1oFlV84lgEt84BE4RJxlr6fSIxZn6rQPjdbY65snol7Zs2oAt7nLb3hpZgWKobF
 3xAfkC9m19nQHeYz3JlNC7sf80top2H2HEZMVVOAD+MxXkcAjNbjBRT3/KAIyWex
 2fmoGRbvCIU0LFyyyk7/tG1xTgxNuBmd4Byz1LI25uz6eK4Ey8LeZmp5mvaewI53
 t65sAGBkx+LIRt0yGmMCRRFl735Ya4SJD7je1GTiw9I3Yd63dtaJTVd65kkFkLOk
 LD56iJHSyCY6JkDXd8RjozIVoaXkVQh2wFq/ZfXzAgIx/u5cJQCMG2DAu6/WI74+
 7invOv7dbYfoI02N4iB57iRbPxE4gSrRayYxUVdH1R/tlXbN9Fkd30fl2WfSO897
 QC/ODA9w86FSFANhn6nv2KuKIMUSEW+5ZhBowSFIBEdAaMS7yj9uuBWmQKrWNfOh
 mZJF1YiFmgRybkdKHPrlCSZyvVBdmnmM6g==
 -----END CERTIFICATE-----
--- a/test/mitmproxy/net/test_tcp.py
+++ b/test/mitmproxy/net/test_tcp.py
@ -3,7 +3,6 @@ import queue
 import time
 import socket
 import random
 import os
 import threading
 import pytest
 from unittest import mock
@ -15,7 +14,6 @@ from mitmproxy import exceptions
 from mitmproxy.test import tutils
 from . import tservers
 from ...conftest import requires_alpn
 class EchoHandler(tcp.BaseHandler):
@ -534,36 +532,18 @@ class TestTimeOut(tservers.ServerTestBase):
                c.rfile.read(10)
 class TestCryptographyALPN:
    def test_has_alpn(self):
        if os.environ.get("OPENSSL") == "with-alpn":
            assert tcp.HAS_ALPN
            assert SSL._lib.Cryptography_HAS_ALPN
        elif os.environ.get("OPENSSL") == "old":
            assert not tcp.HAS_ALPN
            assert not SSL._lib.Cryptography_HAS_ALPN
 class TestALPNClient(tservers.ServerTestBase):
    handler = ALPNHandler
    ssl = dict(
        alpn_select=b"bar"
    )
-    @requires_alpn
+    @pytest.mark.parametrize('alpn_protos, expected_negotiated, expected_response', [
-    @pytest.mark.parametrize('has_alpn,alpn_protos, expected_negotiated, expected_response', [
+        ([b"foo", b"bar", b"fasel"], b'bar', b'bar'),
-        (True, [b"foo", b"bar", b"fasel"], b'bar', b'bar'),
+        ([], b'', b'NONE'),
-        (True, [], b'', b'NONE'),
+        (None, b'', b'NONE'),
        (True, None, b'', b'NONE'),
        (False, [b"foo", b"bar", b"fasel"], b'', b'NONE'),
        (False, [], b'', b'NONE'),
        (False, None, b'', b'NONE'),
    ])
-    def test_alpn(self, monkeypatch, has_alpn, alpn_protos, expected_negotiated, expected_response):
+    def test_alpn(self, monkeypatch, alpn_protos, expected_negotiated, expected_response):
        monkeypatch.setattr(tcp, 'HAS_ALPN', has_alpn)
        monkeypatch.setattr(SSL._lib, 'Cryptography_HAS_ALPN', has_alpn)
        c = tcp.TCPClient(("127.0.0.1", self.port))
        with c.connect():
            c.convert_to_ssl(alpn_protos=alpn_protos)
@ -574,7 +554,7 @@ class TestALPNClient(tservers.ServerTestBase):
 class TestNoSSLNoALPNClient(tservers.ServerTestBase):
    handler = ALPNHandler
-    def test_no_ssl_no_alpn(self, disable_alpn):
+    def test_no_ssl_no_alpn(self):
        c = tcp.TCPClient(("127.0.0.1", self.port))
        with c.connect():
            assert c.get_alpn_proto_negotiated() == b""
@ -857,9 +837,8 @@ class TestSSLInvalid(tservers.ServerTestBase):
    def test_alpn_error(self):
        c = tcp.TCPClient(("127.0.0.1", self.port))
        with c.connect():
-            if tcp.HAS_ALPN:
+            with pytest.raises(exceptions.TlsException, match="must be a function"):
-                with pytest.raises(exceptions.TlsException, match="must be a function"):
+                c.create_ssl_context(alpn_select_callback="foo")
                    c.create_ssl_context(alpn_select_callback="foo")
-                with pytest.raises(exceptions.TlsException, match="ALPN error"):
+            with pytest.raises(exceptions.TlsException, match="ALPN error"):
-                    c.create_ssl_context(alpn_select="foo", alpn_select_callback="bar")
+                c.create_ssl_context(alpn_select="foo", alpn_select_callback="bar")
--- a/test/mitmproxy/proxy/protocol/test_http2.py
+++ b/test/mitmproxy/proxy/protocol/test_http2.py
@ -17,7 +17,6 @@ from mitmproxy.net.http import http1, http2
 from pathod.language import generators
 from ... import tservers
 from ....conftest import requires_alpn
 import logging
 logging.getLogger("hyper.packages.hpack.hpack").setLevel(logging.WARNING)
@ -203,7 +202,6 @@ class _Http2Test(_Http2TestBase, _Http2ServerBase):
        _Http2ServerBase.teardown_class()
@requires_alpn
 class TestSimple(_Http2Test):
    request_body_buffer = b''
@ -286,7 +284,6 @@ class TestSimple(_Http2Test):
        assert response_body_buffer == b'response body'
@requires_alpn
 class TestRequestWithPriority(_Http2Test):
    @classmethod
@ -368,7 +365,6 @@ class TestRequestWithPriority(_Http2Test):
        assert resp.headers.get('priority_weight', None) == expected_priority[2]
@requires_alpn
 class TestPriority(_Http2Test):
    @classmethod
@ -453,7 +449,6 @@ class TestPriority(_Http2Test):
        assert self.priority_data == expected_priority
@requires_alpn
 class TestStreamResetFromServer(_Http2Test):
    @classmethod
@ -504,7 +499,6 @@ class TestStreamResetFromServer(_Http2Test):
        assert self.master.state.flows[0].response is None
@requires_alpn
 class TestBodySizeLimit(_Http2Test):
    @classmethod
@ -554,7 +548,6 @@ class TestBodySizeLimit(_Http2Test):
        assert len(self.master.state.flows) == 0
@requires_alpn
 class TestPushPromise(_Http2Test):
    @classmethod
@ -723,7 +716,6 @@ class TestPushPromise(_Http2Test):
        # the other two bodies might not be transmitted before the reset
@requires_alpn
 class TestConnectionLost(_Http2Test):
    @classmethod
@ -765,7 +757,6 @@ class TestConnectionLost(_Http2Test):
            assert self.master.state.flows[0].response is None
@requires_alpn
 class TestMaxConcurrentStreams(_Http2Test):
    @classmethod
@ -826,7 +817,6 @@ class TestMaxConcurrentStreams(_Http2Test):
            assert b"Stream-ID " in flow.response.content
@requires_alpn
 class TestConnectionTerminated(_Http2Test):
    @classmethod
@ -867,7 +857,6 @@ class TestConnectionTerminated(_Http2Test):
        assert connection_terminated_event.additional_data == b'foobar'
@requires_alpn
 class TestRequestStreaming(_Http2Test):
    @classmethod
@ -926,7 +915,6 @@ class TestRequestStreaming(_Http2Test):
            assert connection_terminated_event is None
@requires_alpn
 class TestResponseStreaming(_Http2Test):
    @classmethod
--- a/test/mitmproxy/utils/test_version_check.py
+++ b/test/mitmproxy/utils/test_version_check.py
@ -1,25 +0,0 @@
 import io
 from unittest import mock
 from mitmproxy.utils import version_check
@mock.patch("sys.exit")
 def test_check_pyopenssl_version(sexit):
    fp = io.StringIO()
    version_check.check_pyopenssl_version(fp=fp)
    assert not fp.getvalue()
    assert not sexit.called
    version_check.check_pyopenssl_version((9999,), fp=fp)
    assert "outdated" in fp.getvalue()
    assert sexit.called
@mock.patch("sys.exit")
@mock.patch("OpenSSL.__version__")
 def test_unparseable_pyopenssl_version(version, sexit):
    version.split.return_value = ["foo", "bar"]
    fp = io.StringIO()
    version_check.check_pyopenssl_version(fp=fp)
    assert "Cannot parse" in fp.getvalue()
    assert not sexit.called
--- a/test/pathod/protocols/test_http2.py
+++ b/test/pathod/protocols/test_http2.py
@ -11,8 +11,6 @@ from ...mitmproxy.net import tservers as net_tservers
 from pathod.protocols.http2 import HTTP2StateProtocol, TCPHandler
 from ...conftest import requires_alpn
 class TestTCPHandlerWrapper:
    def test_wrapped(self):
@ -68,7 +66,6 @@ class TestProtocol:
        assert mock_server_method.called
@requires_alpn
 class TestCheckALPNMatch(net_tservers.ServerTestBase):
    handler = EchoHandler
    ssl = dict(
@ -83,7 +80,6 @@ class TestCheckALPNMatch(net_tservers.ServerTestBase):
            assert protocol.check_alpn()
@requires_alpn
 class TestCheckALPNMismatch(net_tservers.ServerTestBase):
    handler = EchoHandler
    ssl = dict(
--- a/test/pathod/test_pathoc.py
+++ b/test/pathod/test_pathoc.py
@ -11,7 +11,6 @@ from pathod.protocols.http2 import HTTP2StateProtocol
 from mitmproxy.test import tutils
 from . import tservers
 from ..conftest import requires_alpn
 def test_response():
@ -216,7 +215,6 @@ class TestDaemonHTTP2(PathocTestDaemon):
    ssl = True
    explain = False
    @requires_alpn
    def test_http2(self):
        c = pathoc.Pathoc(
            ("127.0.0.1", self.d.port),
@ -231,7 +229,6 @@ class TestDaemonHTTP2(PathocTestDaemon):
        )
        assert c.protocol == http1
    @requires_alpn
    def test_http2_alpn(self):
        c = pathoc.Pathoc(
            ("127.0.0.1", self.d.port),
@ -248,7 +245,6 @@ class TestDaemonHTTP2(PathocTestDaemon):
            _, kwargs = c.convert_to_ssl.call_args
            assert set(kwargs['alpn_protos']) == set([b'http/1.1', b'h2'])
    @requires_alpn
    def test_request(self):
        c = pathoc.Pathoc(
            ("127.0.0.1", self.d.port),
@ -259,14 +255,3 @@ class TestDaemonHTTP2(PathocTestDaemon):
        with c.connect():
            resp = c.request("get:/p/200")
        assert resp.status_code == 200
    def test_failing_request(self, disable_alpn):
        c = pathoc.Pathoc(
            ("127.0.0.1", self.d.port),
            fp=None,
            ssl=True,
            use_http2=True,
        )
        with pytest.raises(NotImplementedError):
            with c.connect():
                c.request("get:/p/200")
--- a/test/pathod/test_pathod.py
+++ b/test/pathod/test_pathod.py
@ -8,7 +8,6 @@ from mitmproxy import exceptions
 from mitmproxy.test import tutils
 from . import tservers
 from ..conftest import requires_alpn
 class TestPathod:
@ -257,11 +256,6 @@ class TestHTTP2(tservers.DaemonTests):
    ssl = True
    nohang = True
    @requires_alpn
    def test_http2(self):
        r, _ = self.pathoc(["GET:/"], ssl=True, use_http2=True)
        assert r[0].status_code == 800
    def test_no_http2(self, disable_alpn):
        with pytest.raises(NotImplementedError):
            r, _ = self.pathoc(["GET:/"], ssl=True, use_http2=True)