kylefang/mitmproxy
1
0
Fork 0
mirror of https://github.com/zhigang1992/mitmproxy.git synced 2026-05-04 20:10:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

Certificate forwarding.

Browse Source
This commit is contained in:
Aldo Cortesi
2014-03-11 13:02:10 +13:00
parent c1fff51b1b
commit e89e035d4a
4 changed files with 44 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
libmproxy/proxy/config.py
View File

@@ -13,7 +13,7 @@ class ProxyConfig:
def __init__(self, confdir=CONF_DIR, clientcerts=None,
no_upstream_cert=False, body_size_limit=None, get_upstream_server=None,
http_form_in="absolute", http_form_out="relative", authenticator=None,
ciphers=None, certs=None
ciphers=None, certs=None, certforward = False
):
self.ciphers = ciphers
self.clientcerts = clientcerts
@@ -25,6 +25,7 @@ class ProxyConfig:
self.authenticator = authenticator
self.confdir = os.path.expanduser(confdir)
self.certstore = certutils.CertStore.from_store(self.confdir, CONF_BASENAME)
self.certforward = certforward
def process_proxy_options(parser, options):
@@ -93,15 +94,17 @@ def process_proxy_options(parser, options):
certs.append(parts)
return ProxyConfig(
clientcerts=options.clientcerts,
body_size_limit=body_size_limit,
no_upstream_cert=options.no_upstream_cert,
get_upstream_server=get_upstream_server,
http_form_in=http_form_in,
http_form_out=http_form_out,
authenticator=authenticator,
ciphers=options.ciphers,
clientcerts = options.clientcerts,
body_size_limit = body_size_limit,
no_upstream_cert = options.no_upstream_cert,
get_upstream_server = get_upstream_server,
confdir = options.confdir,
http_form_in = http_form_in,
http_form_out = http_form_out,
authenticator = authenticator,
ciphers = options.ciphers,
certs = certs,
certforward = options.certforward,
)
@@ -124,4 +127,9 @@ def ssl_option_group(parser):
"--ciphers", action="store",
type=str, dest="ciphers", default=None,
help="SSL cipher specification."
)
)
group.add_argument(
"--cert-forward", action="store_true",
dest="certforward", default=False,
help="Simply forward SSL certificates from upstream."
)

30
libmproxy/proxy/server.py
View File

@@ -188,7 +188,8 @@ class ConnectionHandler:
self.client_conn.convert_to_ssl(
cert, key,
handle_sni = self.handle_sni,
cipher_list = self.config.ciphers
cipher_list = self.config.ciphers,
dhparams = self.config.certstore.dhparams
)
def server_reconnect(self, no_ssl=False):
@@ -217,18 +218,21 @@ class ConnectionHandler:
self.channel.tell("log", Log(msg))
def find_cert(self):
host = self.server_conn.address.host
sans = []
if not self.config.no_upstream_cert or not self.server_conn.ssl_established:
upstream_cert = self.server_conn.cert
if upstream_cert.cn:
host = upstream_cert.cn.decode("utf8").encode("idna")
sans = upstream_cert.altnames
if self.config.certforward and self.server_conn.ssl_established:
return self.server_conn.cert, self.config.certstore.gen_pkey(self.server_conn.cert)
else:
host = self.server_conn.address.host
sans = []
if not self.config.no_upstream_cert or not self.server_conn.ssl_established:
upstream_cert = self.server_conn.cert
if upstream_cert.cn:
host = upstream_cert.cn.decode("utf8").encode("idna")
sans = upstream_cert.altnames
ret = self.config.certstore.get_cert(host, sans)
if not ret:
raise ProxyError(502, "Unable to generate dummy cert.")
return ret
ret = self.config.certstore.get_cert(host, sans)
if not ret:
raise ProxyError(502, "Unable to generate dummy cert.")
return ret
def handle_sni(self, connection):
"""
@@ -251,4 +255,4 @@ class ConnectionHandler:
# An unhandled exception in this method will core dump PyOpenSSL, so
# make dang sure it doesn't happen.
except Exception, e: # pragma: no cover
pass
pass