tlsconfig: make sure to use the correct connection, fix #5109 (#5224)

CHANGELOG.md

@@ -2,8 +2,12 @@
 
 ## Unreleased: mitmproxy next
 
-* Add flatpak support to the browser addon (#5200, @pauloromeira)
+* Add flatpak support to the browser addon
-* Add example addon to dump contents to files based on a filter expression (#5190, @redraw)
+  ([#5200](https://github.com/mitmproxy/mitmproxy/issues/5200), @pauloromeira)
+* Add example addon to dump contents to files based on a filter expression 
+  ([#5190](https://github.com/mitmproxy/mitmproxy/issues/5190), @redraw)
+* Fix a bug where the wrong SNI is sent to an upstream HTTPS proxy
+  ([#5109](https://github.com/mitmproxy/mitmproxy/issues/5109), @mhils)
 
 ## 19 March 2022: mitmproxy 8.0.0
 

mitmproxy/addons/tlsconfig.py

@@ -118,7 +118,9 @@ class TlsConfig:
         if tls_start.ssl_conn is not None:
             return  # a user addon has already provided the pyOpenSSL context.
 
-        client: connection.Client = tls_start.context.client
+        assert isinstance(tls_start.conn, connection.Client)
+
+        client: connection.Client = tls_start.conn
         server: connection.Server = tls_start.context.server
 
         entry = self.get_cert(tls_start.context)
@@ -168,8 +170,11 @@ class TlsConfig:
         if tls_start.ssl_conn is not None:
             return  # a user addon has already provided the pyOpenSSL context.
 
+        assert isinstance(tls_start.conn, connection.Server)
+
         client: connection.Client = tls_start.context.client
-        server: connection.Server = tls_start.context.server
+        # tls_start.conn may be different from tls_start.context.server, e.g. an upstream HTTPS proxy.
+        server: connection.Server = tls_start.conn
         assert server.address
 
         if ctx.options.ssl_insecure:

mitmproxy/proxy/layers/tls.py

@@ -351,6 +351,7 @@ class ServerTLSLayer(_TLSLayer):
             self.tunnel_state = tunnel.TunnelState.CLOSED
         else:
             yield from self.start_tls()
+            if self.tls:
                 yield from self.receive_handshake_data(b"")
 
     def event_to_child(self, event: events.Event) -> layer.CommandGenerator[None]:

test/mitmproxy/proxy/layers/test_modes.py

@@ -70,6 +70,7 @@ def test_upstream_https(tctx):
         << SendData(upstream, clienthello)
     )
     assert upstream().address == ("example.mitmproxy.org", 8081)
+    assert upstream().sni == "example.mitmproxy.org"
     assert (
         proxy2
         >> DataReceived(tctx2.client, clienthello())

test/mitmproxy/proxy/tutils.py

@@ -201,9 +201,13 @@ class Playbook:
                     x.connection.timestamp_end = 1624544787
 
                 self.actual.append(x)
+                cmds: typing.List[commands.Command] = []
                 try:
-                    cmds: typing.List[commands.Command] = list(self.layer.handle_event(x))
+                    # consume them one by one so that we can extend the log with all commands until traceback.
+                    for cmd in self.layer.handle_event(x):
+                        cmds.append(cmd)
                 except Exception:
+                    self.actual.extend(cmds)
                     self.actual.append(_TracebackInPlaybook(traceback.format_exc()))
                     break