diff --git a/mitmproxy/cmdline.py b/mitmproxy/cmdline.py
index 3c63ec355..9cf8be3cb 100644
--- a/mitmproxy/cmdline.py
+++ b/mitmproxy/cmdline.py
@@ -184,6 +184,15 @@ def get_common_options(args):
 "That would trigger an infinite loop."
 )
+
+ # Proxy config
+ certs = []
+ for i in args.certs:
+ parts = i.split("=", 1)
+ if len(parts) == 1:
+ parts = ["*", parts[0]]
+ certs.append(parts)
+
 return dict(
 app=args.app,
 app_host=args.app_host,
@@ -213,10 +222,11 @@ def get_common_options(args):
 replay_ignore_payload_params=args.replay_ignore_payload_params,
 replay_ignore_host=args.replay_ignore_host,
+ cadir = args.cadir,
+ certs = certs,
+ clientcerts = args.clientcerts,
 listen_host = args.addr,
 listen_port = args.port,
- cadir = args.cadir,
- clientcerts = args.clientcerts,
 )
diff --git a/mitmproxy/flow/options.py b/mitmproxy/flow/options.py
index f05d2373f..51672f9c0 100644
--- a/mitmproxy/flow/options.py
+++ b/mitmproxy/flow/options.py
@@ -40,6 +40,7 @@ class Options(options.Options):
 # Proxy options
 cadir = cmdline.CA_DIR, # type: str
+ certs = (), # type: Sequence[Tuple[str, str]]
 clientcerts = None, # type: Optional[str]
 listen_host = "", # type: str
 listen_port = 8080, # type: int
@@ -74,7 +75,9 @@ class Options(options.Options):
 self.replay_ignore_payload_params = replay_ignore_payload_params
 self.replay_ignore_host = replay_ignore_host
+ # Proxy options
 self.cadir = cadir
+ self.certs = certs
 self.clientcerts = clientcerts
 self.listen_host = listen_host
 self.listen_port = listen_port
diff --git a/mitmproxy/proxy/config.py b/mitmproxy/proxy/config.py
index 0a0188a56..ae15a3472 100644
--- a/mitmproxy/proxy/config.py
+++ b/mitmproxy/proxy/config.py
@@ -5,7 +5,7 @@ import os
 import re
 import six
-from OpenSSL import SSL
+from OpenSSL import SSL, crypto
 from mitmproxy import platform
 from mitmproxy import exceptions
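Review bot: Each parsed entry is appended to `certs` as a two-element list, while the same commit declares the option in mitmproxy/flow/options.py as `Sequence[Tuple[str, str]]`; `certs.append(tuple(parts))` would make the value match its declared type and keep the entries immutable. The loop variable `i` names a string spec rather than an index, so `for spec in args.certs:` reads better. An argument of the form `=path` also yields an empty host spec that this loop passes through unchecked; whether `add_cert_file` tolerates an empty spec is not visible here. The rest of `get_common_options` lies outside the hunk.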
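Review bot: The moved and added keyword arguments keep spaces around `=` (`cadir = args.cadir`, `certs = certs`, `clientcerts = args.clientcerts`), which PEP 8 (E251) rejects and which differs from the `replay_ignore_host=args.replay_ignore_host` style of the lines directly above in the same call. Since the commit already rewrites these lines, normalising them to `cadir=args.cadir,`, `certs=certs,`, `clientcerts=args.clientcerts,` would cost nothing.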
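Review bot: The new type comment `# type: Sequence[Tuple[str, str]]` depends on `Sequence` and `Tuple` being imported from `typing` in this module; the neighbouring comments visible here only use `Optional`, so if those two names are not imported the annotation is silently unchecked. Confirm the import exists (the module header is outside the hunk) or the type comment documents nothing the checker enforces. The empty-tuple default `()` is a sound immutable default for the new option.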
@@ -117,9 +117,6 @@ class ProxyConfig:
 self.config(options)
 options.changed.connect(self)
- for spec, cert in certs:
- self.certstore.add_cert_file(spec, cert)
-
 def config(self, options):
 certstore_path = os.path.expanduser(options.cadir)
 if not os.path.exists(certstore_path):
@@ -140,6 +137,20 @@ class ProxyConfig:
 )
 self.clientcerts = clientcerts
+ for spec, cert in options.certs:
+ cert = os.path.expanduser(cert)
+ if not os.path.exists(cert):
+ raise exceptions.OptionsError( "Certificate file does not exist: %s" % cert )
+ try:
+ self.certstore.add_cert_file(spec, cert)
+ except crypto.Error:
+ raise exceptions.OptionsError( "Invalid certificate format: %s" % cert )
+
+
 def process_proxy_options(parser, options, args):
 body_size_limit = args.body_size_limit
@@ -214,16 +225,6 @@ def process_proxy_options(parser, options, args):
 else:
 authenticator = authentication.NullProxyAuth(None)
- certs = []
- for i in args.certs:
- parts = i.split("=", 1)
- if len(parts) == 1:
- parts = ["*", parts[0]]
- parts[1] = os.path.expanduser(parts[1])
- if not os.path.exists(parts[1]):
- parser.error("Certificate file does not exist: %s" % parts[1])
- certs.append(parts)
-
 return ProxyConfig(
 options,
 no_upstream_cert=args.no_upstream_cert,
@@ -238,7 +239,6 @@ def process_proxy_options(parser, options, args):
 authenticator=authenticator,
 ciphers_client=args.ciphers_client,
 ciphers_server=args.ciphers_server,
- certs=tuple(certs),
 ssl_version_client=args.ssl_version_client,
 ssl_version_server=args.ssl_version_server,
 ssl_verify_upstream_cert=args.ssl_verify_upstream_cert,
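Review bot: With the `for spec, cert in certs:` loop removed, nothing left in `__init__` reads a `certs` argument, yet the signature lies outside the hunk and the only caller change in this diff (dropping `certs=tuple(certs)` from the `ProxyConfig(...)` call in the last `process_proxy_options` hunk) suggests the parameter may still be declared. If it is, it is now dead: a caller could still pass certificates that are silently ignored, so the parameter should be removed in the same change. `__init__` begins outside the hunk.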
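Review bot: `add_cert_file` can fail with `IOError`/`OSError` as well as `crypto.Error` — `os.path.exists(cert)` is true for a directory or an unreadable file — and that exception escapes `config()` uncaught instead of being reported as an `OptionsError` like the two failures the loop already handles. Tightening the guard to `if not os.path.isfile(cert):` and widening the handler to `except (crypto.Error, IOError) as e:` with the cause in the message, `"Invalid certificate format: %s (%s)" % (cert, e)`, keeps every bad entry on the same error path and tells the user why the file was rejected rather than only which one. Because `config()` is connected to `options.changed` in the hunk above, this loop re-adds every entry on each option change; if `self.certstore` is not rebuilt earlier in `config()` (not visible here), certificates loaded under a previous value persist after the option is changed. `config()` starts outside the hunk.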