mirror of
https://github.com/Grasscutters/mitmproxy.git
synced 2024-11-23 00:01:36 +00:00
Certificate forwarding.
This commit is contained in:
Aldo Cortesi
parent
c1fff51b1b
commit
e89e035d4a
@ -13,7 +13,7 @@ class ProxyConfig:
|
||||
def __init__(self, confdir=CONF_DIR, clientcerts=None,
|
||||
no_upstream_cert=False, body_size_limit=None, get_upstream_server=None,
|
||||
http_form_in="absolute", http_form_out="relative", authenticator=None,
|
||||
ciphers=None, certs=None
|
||||
ciphers=None, certs=None, certforward = False
|
||||
):
|
||||
self.ciphers = ciphers
|
||||
self.clientcerts = clientcerts
|
||||
@ -25,6 +25,7 @@ class ProxyConfig:
|
||||
self.authenticator = authenticator
|
||||
self.confdir = os.path.expanduser(confdir)
|
||||
self.certstore = certutils.CertStore.from_store(self.confdir, CONF_BASENAME)
|
||||
self.certforward = certforward
|
||||
|
||||
|
||||
def process_proxy_options(parser, options):
|
||||
@ -93,15 +94,17 @@ def process_proxy_options(parser, options):
|
||||
certs.append(parts)
|
||||
|
||||
return ProxyConfig(
|
||||
clientcerts=options.clientcerts,
|
||||
body_size_limit=body_size_limit,
|
||||
no_upstream_cert=options.no_upstream_cert,
|
||||
get_upstream_server=get_upstream_server,
|
||||
http_form_in=http_form_in,
|
||||
http_form_out=http_form_out,
|
||||
authenticator=authenticator,
|
||||
ciphers=options.ciphers,
|
||||
clientcerts = options.clientcerts,
|
||||
body_size_limit = body_size_limit,
|
||||
no_upstream_cert = options.no_upstream_cert,
|
||||
get_upstream_server = get_upstream_server,
|
||||
confdir = options.confdir,
|
||||
http_form_in = http_form_in,
|
||||
http_form_out = http_form_out,
|
||||
authenticator = authenticator,
|
||||
ciphers = options.ciphers,
|
||||
certs = certs,
|
||||
certforward = options.certforward,
|
||||
)
|
||||
|
||||
|
||||
@ -124,4 +127,9 @@ def ssl_option_group(parser):
|
||||
"--ciphers", action="store",
|
||||
type=str, dest="ciphers", default=None,
|
||||
help="SSL cipher specification."
|
||||
)
|
||||
)
|
||||
group.add_argument(
|
||||
"--cert-forward", action="store_true",
|
||||
dest="certforward", default=False,
|
||||
help="Simply forward SSL certificates from upstream."
|
||||
)
|
||||
|
||||
@ -188,7 +188,8 @@ class ConnectionHandler:
|
||||
self.client_conn.convert_to_ssl(
|
||||
cert, key,
|
||||
handle_sni = self.handle_sni,
|
||||
cipher_list = self.config.ciphers
|
||||
cipher_list = self.config.ciphers,
|
||||
dhparams = self.config.certstore.dhparams
|
||||
)
|
||||
|
||||
def server_reconnect(self, no_ssl=False):
|
||||
@ -217,18 +218,21 @@ class ConnectionHandler:
|
||||
self.channel.tell("log", Log(msg))
|
||||
|
||||
def find_cert(self):
|
||||
host = self.server_conn.address.host
|
||||
sans = []
|
||||
if not self.config.no_upstream_cert or not self.server_conn.ssl_established:
|
||||
upstream_cert = self.server_conn.cert
|
||||
if upstream_cert.cn:
|
||||
host = upstream_cert.cn.decode("utf8").encode("idna")
|
||||
sans = upstream_cert.altnames
|
||||
if self.config.certforward and self.server_conn.ssl_established:
|
||||
return self.server_conn.cert, self.config.certstore.gen_pkey(self.server_conn.cert)
|
||||
else:
|
||||
host = self.server_conn.address.host
|
||||
sans = []
|
||||
if not self.config.no_upstream_cert or not self.server_conn.ssl_established:
|
||||
upstream_cert = self.server_conn.cert
|
||||
if upstream_cert.cn:
|
||||
host = upstream_cert.cn.decode("utf8").encode("idna")
|
||||
sans = upstream_cert.altnames
|
||||
|
||||
ret = self.config.certstore.get_cert(host, sans)
|
||||
if not ret:
|
||||
raise ProxyError(502, "Unable to generate dummy cert.")
|
||||
return ret
|
||||
ret = self.config.certstore.get_cert(host, sans)
|
||||
if not ret:
|
||||
raise ProxyError(502, "Unable to generate dummy cert.")
|
||||
return ret
|
||||
|
||||
def handle_sni(self, connection):
|
||||
"""
|
||||
@ -251,4 +255,4 @@ class ConnectionHandler:
|
||||
# An unhandled exception in this method will core dump PyOpenSSL, so
|
||||
# make dang sure it doesn't happen.
|
||||
except Exception, e: # pragma: no cover
|
||||
pass
|
||||
pass
|
||||
|
||||
@ -390,3 +390,10 @@ class TestIncompleteResponse(tservers.HTTPProxTest):
|
||||
def test_incomplete(self):
|
||||
assert self.pathod("200").status_code == 502
|
||||
|
||||
|
||||
class TestCertForward(tservers.HTTPProxTest):
|
||||
certforward = True
|
||||
ssl = True
|
||||
def test_app_err(self):
|
||||
tutils.raises("handshake error", self.pathod, "200:b@100")
|
||||
|
||||
|
||||
@ -81,6 +81,7 @@ class ProxTestBase(object):
|
||||
authenticator = None
|
||||
masterclass = TestMaster
|
||||
externalapp = False
|
||||
certforward = False
|
||||
@classmethod
|
||||
def setupAll(cls):
|
||||
cls.server = libpathod.test.Daemon(ssl=cls.ssl, ssloptions=cls.ssloptions)
|
||||
@ -91,6 +92,7 @@ class ProxTestBase(object):
|
||||
no_upstream_cert = cls.no_upstream_cert,
|
||||
confdir = cls.confdir,
|
||||
authenticator = cls.authenticator,
|
||||
certforward = cls.certforward,
|
||||
**pconf
|
||||
)
|
||||
tmaster = cls.masterclass(config)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user