Commit Graph

175 Commits

Author SHA1 Message Date
Maximilian Hils
810c2f2414 Merge remote-tracking branch 'origin/hostname-validation' 2015-11-04 21:33:32 +01:00
Maximilian Hils
9d36f8e43f minor fixes 2015-11-01 18:20:00 +01:00
Maximilian Hils
5af9df326a fix certificate verification
This commit fixes netlib's optional (turned off by default)
certificate verification, which previously did not validate the
cert's host name. As it turns out, verifying the connection's host
name on an intercepting proxy is not really straightforward - if
we receive a connection in transparent mode without SNI, we have no
clue which hosts the client intends to connect to. There are two
basic approaches to solve this problem:

 1. Exactly mirror the host names presented by the server in the
    spoofed certificate presented to the client.
 2. Require the client to send the TLS Server Name Indication
    extension. While this does not work with older clients,
    we can validate the hostname on the proxy.

Approach 1 is problematic in mitmproxy's use case, as we may want
to deliberately divert connections without the client's knowledge.
As a consequence, we opt for approach 2. While mitmproxy does now
require a SNI value to be sent by the client if certificate
verification is turned on, we retain our ability to present
certificates to the client which are accepted with a maximum
likelihood.
2015-11-01 18:15:30 +01:00
Thomas Kriechbaumer
e9fe45f3f4 backport changes 2015-09-21 18:45:49 +02:00
Maximilian Hils
daebd1bd27 python3++ 2015-09-20 20:35:45 +02:00
Maximilian Hils
0ad5cbc6bf python3++ 2015-09-20 19:56:45 +02:00
Maximilian Hils
3f1ca556d1 python3++ 2015-09-20 18:12:55 +02:00
Maximilian Hils
dad9f06cb9 organize exceptions, improve content-length handling 2015-09-17 02:14:14 +02:00
Maximilian Hils
11e7f476bd wip 2015-09-15 19:12:15 +02:00
Maximilian Hils
a38142d595 don't yield empty chunks 2015-09-11 01:17:39 +02:00
Maximilian Hils
a5f7752cf1 add ssl_read_select 2015-09-10 11:30:41 +02:00
Maximilian Hils
32b3c32138 add tcp.Address.__hash__ 2015-09-08 21:31:27 +02:00
Maximilian Hils
1265945f55 move sslversion mapping to netlib 2015-08-29 12:30:35 +02:00
Maximilian Hils
982d8000c4 wip 2015-08-28 17:35:48 +02:00
Maximilian Hils
de0ced73f8 fix error messages 2015-08-25 18:33:55 +02:00
Maximilian Hils
9920de1e15 tcp._Connection: clean up code, fix inheritance 2015-08-19 16:06:33 +02:00
Maximilian Hils
6810fba54e add ssl peek polyfill 2015-08-19 16:05:42 +02:00
Maximilian Hils
231656859f TCPClient: more sophisticated address handling 2015-08-18 21:08:42 +02:00
Maximilian Hils
62416daa4a add Reader.peek() 2015-08-18 21:08:01 +02:00
Maximilian Hils
c92dc1b868 re-add form_out 2015-08-18 21:07:38 +02:00
Thomas Kriechbaumer
85cede47aa allow direct ALPN callback method 2015-08-16 11:41:34 +02:00
Maximilian Hils
c2832ef72b fix mitmproxy/mitmproxy#705 2015-08-03 18:06:31 +02:00
Maximilian Hils
1b26161382 add distinct error for cert verification issues 2015-07-24 16:47:28 +02:00
Kyle Morton
c17af4162b Added a fix for pre-1.0 OpenSSL which wasn't correctly erring on failed certificate validation 2015-07-21 19:15:11 -07:00
Kyle Morton
155bdeb123 Fixing default CA which ought to be read as a pemfile and not a directory 2015-07-21 18:09:42 -07:00
Kyle Morton
0a2b25187f Fixing how certifi is made the default ca_path to simplify calling logic. 2015-06-26 14:57:00 -07:00
Aldo Cortesi
db6576ca6f Merge pull request #76 from kyle-m/master
Provide debugging information when upstream server certificate fails validation
2015-06-24 09:27:08 +12:00
Kyle Morton
d1452424be Cleaning up upstream server verification. Adding storage of cerificate
verification errors on TCPClient object to enable warnings in downstream
projects.
2015-06-22 17:31:13 -07:00
Kyle Morton
7afe44ba4e Updating TCPServer to allow tests (and potentially other use cases) to serve
certificate chains instead of only single certificates.
2015-06-22 16:48:09 -07:00
Thomas Kriechbaumer
58118d607e unify SSL version/method handling 2015-06-22 20:39:34 +02:00
Thomas Kriechbaumer
69e71097f7 mark unused variables and arguments 2015-06-18 17:14:38 +02:00
Aldo Cortesi
4579c67150 Merge branch 'master' of https://github.com/kyle-m/netlib into kyle-m-master 2015-06-18 12:23:03 +12:00
Aldo Cortesi
6e301f37d0 Only set OP_NO_COMPRESSION by default if it exists in our version of OpenSSL
We'll need to start testing under both new and old versions of OpenSSL
somehow to catch these...
2015-06-18 12:18:22 +12:00
Aldo Cortesi
4152b14387 Merge pull request #71 from Kriechi/landscape
fix warnings and code smells
2015-06-18 12:07:20 +12:00
Thomas Kriechbaumer
836b1eab97 fix warnings and code smells
use prospector to find them
2015-06-17 13:10:27 +02:00
Kyle Morton
c9c93af453 Adding certifi as default CA bundle. 2015-06-16 11:11:10 -07:00
Thomas Kriechbaumer
abb37a3ef5 http2: improve test suite 2015-06-16 15:00:28 +02:00
Thomas Kriechbaumer
79ff439930 add elliptic curve during TLS handshake 2015-06-16 15:00:28 +02:00
Aldo Cortesi
bb206323ab Merge pull request #69 from kyle-m/master
Adding support for upstream certificate validation when using SSL/TLS…
2015-06-16 10:34:09 +12:00
Kyle Morton
fe764cde52 Adding support for upstream certificate validation when using SSL/TLS with an
instance of TCPClient.
2015-06-15 10:18:54 -07:00
Thomas Kriechbaumer
0d137eac6f simplify ALPN 2015-06-14 19:50:35 +02:00
Thomas Kriechbaumer
9c6d237d02 add new TLS methods 2015-06-14 18:17:53 +02:00
Thomas Kriechbaumer
5fab755a05 add more tests 2015-06-12 15:27:29 +02:00
Thomas Kriechbaumer
eeaed93a83 improve ALPN integration 2015-06-11 15:37:17 +02:00
Thomas Kriechbaumer
0595585974 fix coding style 2015-06-08 17:00:03 +02:00
Thomas Kriechbaumer
fdbb3b76cf http2: add warning if raw data looks like HTTP/1 2015-06-08 16:54:19 +02:00
Thomas Kriechbaumer
abbe88c8ce fix non-ALPN supported OpenSSL-related tests 2015-06-08 13:25:42 +02:00
Thomas Kriechbaumer
4666d1e7bb improve ALPN support on travis 2015-06-08 12:52:06 +02:00
Aldo Cortesi
2d9b9be1f4 Revert "tcp: clear_log to clear socket logs"
start_log also clears the log, which is good enough.

This reverts commit 4ca62e0d9b.
2015-06-05 11:50:29 +12:00
Aldo Cortesi
4ca62e0d9b tcp: clear_log to clear socket logs 2015-06-05 11:42:06 +12:00