Maximilian Hils
810c2f2414
Merge remote-tracking branch 'origin/hostname-validation'
2015-11-04 21:33:32 +01:00
Maximilian Hils
9d36f8e43f
minor fixes
2015-11-01 18:20:00 +01:00
Maximilian Hils
5af9df326a
fix certificate verification
This commit fixes netlib's optional (turned off by default)
certificate verification, which previously did not validate the
cert's host name. As it turns out, verifying the connection's host
name on an intercepting proxy is not really straightforward - if
we receive a connection in transparent mode without SNI, we have no
clue which hosts the client intends to connect to. There are two
basic approaches to solve this problem:
  1. Exactly mirror the host names presented by the server in the
     spoofed certificate presented to the client.
  2. Require the client to send the TLS Server Name Indication
     extension. While this does not work with older clients,
     we can validate the hostname on the proxy.
Approach 1 is problematic in mitmproxy's use case, as we may want
to deliberately divert connections without the client's knowledge.
As a consequence, we opt for approach 2. While mitmproxy does now
require a SNI value to be sent by the client if certificate
verification is turned on, we retain our ability to present
certificates to the client which are accepted with a maximum
likelihood.
2015-11-01 18:15:30 +01:00
Thomas Kriechbaumer
e9fe45f3f4
backport changes
2015-09-21 18:45:49 +02:00
Maximilian Hils
daebd1bd27
python3++
2015-09-20 20:35:45 +02:00
Maximilian Hils
0ad5cbc6bf
python3++
2015-09-20 19:56:45 +02:00
Maximilian Hils
3f1ca556d1
python3++
2015-09-20 18:12:55 +02:00
Maximilian Hils
dad9f06cb9
organize exceptions, improve content-length handling
2015-09-17 02:14:14 +02:00
Maximilian Hils
11e7f476bd
wip
2015-09-15 19:12:15 +02:00
Maximilian Hils
a38142d595
don't yield empty chunks
2015-09-11 01:17:39 +02:00
Maximilian Hils
a5f7752cf1
add ssl_read_select
2015-09-10 11:30:41 +02:00
Maximilian Hils
32b3c32138
add tcp.Address.__hash__
2015-09-08 21:31:27 +02:00
Maximilian Hils
1265945f55
move sslversion mapping to netlib
2015-08-29 12:30:35 +02:00
Maximilian Hils
982d8000c4
wip
2015-08-28 17:35:48 +02:00
Maximilian Hils
de0ced73f8
fix error messages
2015-08-25 18:33:55 +02:00
Maximilian Hils
9920de1e15
tcp._Connection: clean up code, fix inheritance
2015-08-19 16:06:33 +02:00
Maximilian Hils
6810fba54e
add ssl peek polyfill
2015-08-19 16:05:42 +02:00
Maximilian Hils
231656859f
TCPClient: more sophisticated address handling
2015-08-18 21:08:42 +02:00
Maximilian Hils
62416daa4a
add Reader.peek()
2015-08-18 21:08:01 +02:00
Maximilian Hils
c92dc1b868
re-add form_out
2015-08-18 21:07:38 +02:00
Thomas Kriechbaumer
85cede47aa
allow direct ALPN callback method
2015-08-16 11:41:34 +02:00
Maximilian Hils
c2832ef72b
fix mitmproxy/mitmproxy#705
2015-08-03 18:06:31 +02:00
Maximilian Hils
1b26161382
add distinct error for cert verification issues
2015-07-24 16:47:28 +02:00
Kyle Morton
c17af4162b
Added a fix for pre-1.0 OpenSSL which wasn't correctly erring on failed certificate validation
2015-07-21 19:15:11 -07:00
Kyle Morton
155bdeb123
Fixing default CA which ought to be read as a pemfile and not a directory
2015-07-21 18:09:42 -07:00
Kyle Morton
0a2b25187f
Fixing how certifi is made the default ca_path to simplify calling logic.
2015-06-26 14:57:00 -07:00
Aldo Cortesi
db6576ca6f
Merge pull request #76 from kyle-m/master
Provide debugging information when upstream server certificate fails validation
2015-06-24 09:27:08 +12:00
Kyle Morton
d1452424be
Cleaning up upstream server verification. Adding storage of certificate
verification errors on TCPClient object to enable warnings in downstream
projects.
2015-06-22 17:31:13 -07:00
Kyle Morton
7afe44ba4e
Updating TCPServer to allow tests (and potentially other use cases) to serve
certificate chains instead of only single certificates.
2015-06-22 16:48:09 -07:00
Thomas Kriechbaumer
58118d607e
unify SSL version/method handling
2015-06-22 20:39:34 +02:00
Thomas Kriechbaumer
69e71097f7
mark unused variables and arguments
2015-06-18 17:14:38 +02:00
Aldo Cortesi
4579c67150
Merge branch 'master' of https://github.com/kyle-m/netlib into kyle-m-master
2015-06-18 12:23:03 +12:00
Aldo Cortesi
6e301f37d0
Only set OP_NO_COMPRESSION by default if it exists in our version of OpenSSL
We'll need to start testing under both new and old versions of OpenSSL
somehow to catch these...
2015-06-18 12:18:22 +12:00
Aldo Cortesi
4152b14387
Merge pull request #71 from Kriechi/landscape
fix warnings and code smells
2015-06-18 12:07:20 +12:00
Thomas Kriechbaumer
836b1eab97
fix warnings and code smells
use prospector to find them
2015-06-17 13:10:27 +02:00
Kyle Morton
c9c93af453
Adding certifi as default CA bundle.
2015-06-16 11:11:10 -07:00
Thomas Kriechbaumer
abb37a3ef5
http2: improve test suite
2015-06-16 15:00:28 +02:00
Thomas Kriechbaumer
79ff439930
add elliptic curve during TLS handshake
2015-06-16 15:00:28 +02:00
Aldo Cortesi
bb206323ab
Merge pull request #69 from kyle-m/master
Adding support for upstream certificate validation when using SSL/TLS…
2015-06-16 10:34:09 +12:00
Kyle Morton
fe764cde52
Adding support for upstream certificate validation when using SSL/TLS with an
instance of TCPClient.
2015-06-15 10:18:54 -07:00
Thomas Kriechbaumer
0d137eac6f
simplify ALPN
2015-06-14 19:50:35 +02:00
Thomas Kriechbaumer
9c6d237d02
add new TLS methods
2015-06-14 18:17:53 +02:00
Thomas Kriechbaumer
5fab755a05
add more tests
2015-06-12 15:27:29 +02:00
Thomas Kriechbaumer
eeaed93a83
improve ALPN integration
2015-06-11 15:37:17 +02:00
Thomas Kriechbaumer
0595585974
fix coding style
2015-06-08 17:00:03 +02:00
Thomas Kriechbaumer
fdbb3b76cf
http2: add warning if raw data looks like HTTP/1
2015-06-08 16:54:19 +02:00
Thomas Kriechbaumer
abbe88c8ce
fix non-ALPN supported OpenSSL-related tests
2015-06-08 13:25:42 +02:00
Thomas Kriechbaumer
4666d1e7bb
improve ALPN support on travis
2015-06-08 12:52:06 +02:00
Aldo Cortesi
2d9b9be1f4
Revert "tcp: clear_log to clear socket logs"
start_log also clears the log, which is good enough.
This reverts commit 4ca62e0d9b.
2015-06-05 11:50:29 +12:00
Aldo Cortesi
4ca62e0d9b
tcp: clear_log to clear socket logs
2015-06-05 11:42:06 +12:00