Merge pull request #493 from elitest/master

Adding support for server facing SSL cipher suite specification

libmproxy/proxy/config.py

@@ -45,7 +45,8 @@ class ProxyConfig:
             authenticator=None,
             ignore_hosts=[],
             tcp_hosts=[],
-            ciphers=None,
+            client_ciphers=None,
+            server_ciphers=None,
             certs=[],
             certforward=False,
             ssl_version_client="secure",
@@ -55,7 +56,8 @@ class ProxyConfig:
         self.host = host
         self.port = port
         self.server_version = server_version
-        self.ciphers = ciphers
+        self.client_ciphers = client_ciphers
+        self.server_ciphers = server_ciphers
         self.clientcerts = clientcerts
         self.no_upstream_cert = no_upstream_cert
         self.body_size_limit = body_size_limit
@@ -188,7 +190,8 @@ def process_proxy_options(parser, options):
         ignore_hosts=options.ignore_hosts,
         tcp_hosts=options.tcp_hosts,
         authenticator=authenticator,
-        ciphers=options.ciphers,
+        client_ciphers=options.client_ciphers,
+        server_ciphers=options.server_ciphers,
         certs=certs,
         certforward=options.certforward,
         ssl_version_client=options.ssl_version_client,
@@ -215,9 +218,14 @@ def ssl_option_group(parser):
         help="Client certificate directory."
     )
     group.add_argument(
-        "--ciphers", action="store",
+        "--client-ciphers", action="store",
-        type=str, dest="ciphers", default=None,
+        type=str, dest="client_ciphers", default=None,
-        help="SSL cipher specification."
+        help="Client facing SSL cipher specification."
+    )
+    group.add_argument(
+        "--server-ciphers", action="store",
+        type=str, dest="server_ciphers", default=None,
+        help="Server facing SSL cipher specification."
     )
     group.add_argument(
         "--cert-forward", action="store_true",
@@ -248,4 +256,4 @@ def ssl_option_group(parser):
         metavar="PORT",
         help="Can be passed multiple times. Specify destination ports which are assumed to be SSL. "
              "Defaults to %s." % str(TRANSPARENT_SSL_PORTS)
-    )
+    )

libmproxy/proxy/server.py

@@ -188,7 +188,8 @@ class ConnectionHandler:
                     self.config.clientcerts,
                     sni,
                     method=self.config.openssl_server_method,
-                    options=self.config.openssl_server_options
+                    options=self.config.openssl_server_options,
+                    cipher_list=self.config.server_ciphers,
                 )
             except tcp.NetLibError as v:
                 e = ProxyError(502, repr(v))
@@ -210,7 +211,7 @@ class ConnectionHandler:
                     method=self.config.openssl_client_method,
                     options=self.config.openssl_client_options,
                     handle_sni=self.handle_sni,
-                    cipher_list=self.config.ciphers,
+                    cipher_list=self.config.client_ciphers,
                     dhparams=self.config.certstore.dhparams,
                     chain_file=chain_file
                 )
@@ -298,7 +299,7 @@ class ConnectionHandler:
                     cert, key,
                     method=self.config.openssl_client_method,
                     options=self.config.openssl_client_options,
-                    cipher_list=self.config.ciphers,
+                    cipher_list=self.config.client_ciphers,
                     dhparams=self.config.certstore.dhparams,
                     chain_file=chain_file
                 )