Commit Graph

74 Commits

Author SHA1 Message Date
Maximilian Hils
5af9df326a fix certificate verification
This commit fixes netlib's optional (turned off by default)
certificate verification, which previously did not validate the
cert's host name. As it turns out, verifying the connection's host
name on an intercepting proxy is not really straightforward - if
we receive a connection in transparent mode without SNI, we have no
clue which hosts the client intends to connect to. There are two
basic approaches to solve this problem:

 1. Exactly mirror the host names presented by the server in the
    spoofed certificate presented to the client.
 2. Require the client to send the TLS Server Name Indication
    extension. While this does not work with older clients,
    we can validate the hostname on the proxy.

Approach 1 is problematic in mitmproxy's use case, as we may want
to deliberately divert connections without the client's knowledge.
As a consequence, we opt for approach 2. While mitmproxy does now
require a SNI value to be sent by the client if certificate
verification is turned on, we retain our ability to present
certificates to the client which are accepted with a maximum
likelihood.
2015-11-01 18:15:30 +01:00
Maximilian Hils
daebd1bd27 python3++ 2015-09-20 20:35:45 +02:00
Maximilian Hils
0ad5cbc6bf python3++ 2015-09-20 19:56:45 +02:00
Maximilian Hils
3f1ca556d1 python3++ 2015-09-20 18:12:55 +02:00
Maximilian Hils
dad9f06cb9 organize exceptions, improve content-length handling 2015-09-17 02:14:14 +02:00
Thomas Kriechbaumer
0be84fd6b9 fix tutils imports 2015-08-01 14:49:15 +02:00
Maximilian Hils
1b26161382 add distinct error for cert verification issues 2015-07-24 16:47:28 +02:00
Maximilian Hils
2723a0e573 remove certffi 2015-06-26 13:26:35 +02:00
Kyle Morton
d1452424be Cleaning up upstream server verification. Adding storage of certificate
verification errors on TCPClient object to enable warnings in downstream
projects.
2015-06-22 17:31:13 -07:00
Aldo Cortesi
2aa1b98fbf netlib/test.py -> test/tservers.py 2015-06-22 14:52:23 +12:00
Thomas Kriechbaumer
abb37a3ef5 http2: improve test suite 2015-06-16 15:00:28 +02:00
Aldo Cortesi
bb206323ab Merge pull request #69 from kyle-m/master
Adding support for upstream certificate validation when using SSL/TLS…
2015-06-16 10:34:09 +12:00
Kyle Morton
fe764cde52 Adding support for upstream certificate validation when using SSL/TLS with an
instance of TCPClient.
2015-06-15 10:18:54 -07:00
Thomas Kriechbaumer
5fab755a05 add more tests 2015-06-12 15:27:29 +02:00
Thomas Kriechbaumer
abbe88c8ce fix non-ALPN supported OpenSSL-related tests 2015-06-08 13:25:42 +02:00
Thomas Kriechbaumer
49043131cc increase test coverage 2015-06-05 20:22:20 +02:00
Thomas Kriechbaumer
9883509f89 simplify default ssl params for test servers 2015-06-05 13:33:37 +02:00
Aldo Cortesi
f76bfabc5d Adjust pep8 parameters, reformat 2015-05-30 12:02:58 +12:00
Thomas Kriechbaumer
629fa8e552 make tests aware of ALPN & OpenSSL 1.0.2 dependency 2015-05-29 17:04:12 +02:00
Thomas Kriechbaumer
780836b182 add ALPN support to TCP abstraction 2015-05-29 15:31:22 +02:00
Thomas Kriechbaumer
bdb62101bb test Address __str__ 2015-05-29 11:42:46 +02:00
Thomas Kriechbaumer
e3d390e036 cleanup code with autopep8
run the following command:
  $ autopep8 -i -r -a -a .
2015-05-27 11:19:11 +02:00
Maximilian Hils
7f7ccd3a18 100% test coverage 2015-04-09 00:57:37 +02:00
Maximilian Hils
24a3dd59fe try harder to fix race condition in tests 2015-02-27 22:34:36 +01:00
Maximilian Hils
d71f3b68fd make tests more robust, fix coveralls 2015-02-27 22:27:23 +01:00
Maximilian Hils
da1eb94ccd 100% test coverage 🎉 2015-02-27 22:02:52 +01:00
Maximilian Hils
74a5600190 fix tests 2014-10-23 15:31:42 +02:00
Maximilian Hils
9ef84ccc1c clean up code 2014-10-09 00:15:39 +02:00
Maximilian Hils
fdb6f5552d CertStore: add support for cert chains 2014-10-08 20:46:30 +02:00
Aldo Cortesi
63c1efd394 Remove avoidable imports from OpenSSL
Fixes #38
2014-09-09 10:08:56 +12:00
Maximilian Hils
6d1b601ddf minor cleanups 2014-08-16 15:53:07 +02:00
Maximilian Hils
cba927885e fix tests 2014-07-18 23:08:29 +02:00
Maximilian Hils
55c2133b69 add test case for mitmproxy/mitmproxy#295 2014-07-17 01:47:24 +02:00
Maximilian Hils
4bd15a28b7 fix #28 2014-03-10 17:43:39 +01:00
Aldo Cortesi
f5cc63d653 Certificate flags 2014-03-10 17:29:27 +13:00
Aldo Cortesi
2a12aa3c47 Support Ephemeral Diffie-Hellman 2014-03-07 16:38:50 +13:00
Aldo Cortesi
d56f7fba80 We now require PyOpenSSL >= 0.14 2014-03-02 22:14:33 +13:00
Aldo Cortesi
cfaa3da25c Use PyOpenSSL's underlying ffi interface to get current cipher for connections. 2014-03-02 21:37:28 +13:00
Aldo Cortesi
e381c03668 Cleanups, tests, and no-cover directives for code sections we can't test. 2014-03-02 16:47:10 +13:00
Aldo Cortesi
3443bae94e Cipher suite selection for client connections, improved error handling 2014-02-27 18:35:16 +13:00
Maximilian Hils
7fc544bc7f adjust netlib.wsgi to reflect changes in mitmproxy's flow format 2014-02-05 21:34:14 +01:00
Maximilian Hils
763cb90b66 add tcp.Address to unify ipv4/ipv6 address handling 2014-01-28 17:26:35 +01:00
Maximilian Hils
cebec67e08 refactor read_http_body 2013-12-15 06:43:54 +01:00
Maximilian Hils
0187d92ec0 test tcpclient.source_address, increase coverage 2013-12-14 00:19:24 +01:00
Maximilian Hils
f2e8efdf15 merge smurfix/ipv6, add ipv6 support for TCPServer, add ipv6 test 2013-12-13 15:04:38 +01:00
Aldo Cortesi
4840c6b3bf Fix race condition in test suite. 2013-12-08 15:26:30 +13:00
Aldo Cortesi
75745cb0af Zap stray print in tests. 2013-12-08 13:04:27 +13:00
Israel Nir
d5b3e397e1 adding cipher list selection option to BaseHandler 2013-08-21 13:42:30 +03:00
Aldo Cortesi
7f0aa415e1 Add a request_client_cert argument to server SSL conversion.
By default, we now do not request the client cert. We're supposed to be able to
do this with no negative effects - if the client has no cert to present, we're
notified and proceed as usual.  Unfortunately, Android seems to have a bug
(tested on 4.2.2) - when an Android client is asked to present a certificate it
does not have, it hangs up, which is frankly bogus.  Some time down the track
we may be able to make the proper behaviour the default again, but until then
we're conservative.
2013-05-13 08:48:21 +12:00
Aldo Cortesi
97e11a219f Housekeeping and cleanup, some minor argument name changes. 2013-02-24 15:36:15 +13:00