tlsconfig: make sure to use the correct connection, fix #5109 (#5224)

2024-11-22 07:08:10 +00:00 · 2022-03-29 10:27:53 +02:00 · 2022-03-29 10:27:53 +02:00 · f0da667516
commit f0da667516
parent a63c96ce72
5 changed files with 21 additions and 6 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,8 +2,12 @@

 ## Unreleased: mitmproxy next

-* Add flatpak support to the browser addon (#5200, @pauloromeira)
-* Add example addon to dump contents to files based on a filter expression (#5190, @redraw)
+* Add flatpak support to the browser addon
+  ([#5200](https://github.com/mitmproxy/mitmproxy/issues/5200), @pauloromeira)
+* Add example addon to dump contents to files based on a filter expression 
+  ([#5190](https://github.com/mitmproxy/mitmproxy/issues/5190), @redraw)
+* Fix a bug where the wrong SNI is sent to an upstream HTTPS proxy
+  ([#5109](https://github.com/mitmproxy/mitmproxy/issues/5109), @mhils)

 ## 19 March 2022: mitmproxy 8.0.0

--- a/mitmproxy/addons/tlsconfig.py
+++ b/mitmproxy/addons/tlsconfig.py
@ -118,7 +118,9 @@ class TlsConfig:
        if tls_start.ssl_conn is not None:
            return  # a user addon has already provided the pyOpenSSL context.

-        client: connection.Client = tls_start.context.client
+        assert isinstance(tls_start.conn, connection.Client)
+
+        client: connection.Client = tls_start.conn
        server: connection.Server = tls_start.context.server

        entry = self.get_cert(tls_start.context)
@ -168,8 +170,11 @@ class TlsConfig:
        if tls_start.ssl_conn is not None:
            return  # a user addon has already provided the pyOpenSSL context.

+        assert isinstance(tls_start.conn, connection.Server)
+
        client: connection.Client = tls_start.context.client
-        server: connection.Server = tls_start.context.server
+        # tls_start.conn may be different from tls_start.context.server, e.g. an upstream HTTPS proxy.
+        server: connection.Server = tls_start.conn
        assert server.address

        if ctx.options.ssl_insecure:
--- a/mitmproxy/proxy/layers/tls.py
+++ b/mitmproxy/proxy/layers/tls.py
@ -351,7 +351,8 @@ class ServerTLSLayer(_TLSLayer):
            self.tunnel_state = tunnel.TunnelState.CLOSED
        else:
            yield from self.start_tls()
-            yield from self.receive_handshake_data(b"")
+            if self.tls:
+                yield from self.receive_handshake_data(b"")

    def event_to_child(self, event: events.Event) -> layer.CommandGenerator[None]:
        if self.wait_for_clienthello:
--- a/test/mitmproxy/proxy/layers/test_modes.py
+++ b/test/mitmproxy/proxy/layers/test_modes.py
@ -70,6 +70,7 @@ def test_upstream_https(tctx):
        << SendData(upstream, clienthello)
    )
    assert upstream().address == ("example.mitmproxy.org", 8081)
+    assert upstream().sni == "example.mitmproxy.org"
    assert (
        proxy2
        >> DataReceived(tctx2.client, clienthello())
--- a/test/mitmproxy/proxy/tutils.py
+++ b/test/mitmproxy/proxy/tutils.py
@ -201,9 +201,13 @@ class Playbook:
                    x.connection.timestamp_end = 1624544787

                self.actual.append(x)
+                cmds: typing.List[commands.Command] = []
                try:
-                    cmds: typing.List[commands.Command] = list(self.layer.handle_event(x))
+                    # consume them one by one so that we can extend the log with all commands until traceback.
+                    for cmd in self.layer.handle_event(x):
+                        cmds.append(cmd)
                except Exception:
+                    self.actual.extend(cmds)
                    self.actual.append(_TracebackInPlaybook(traceback.format_exc()))
                    break