Rooba
/
mitmproxy
mirror of https://github.com/mitmproxy/mitmproxy.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

unify SSL version/method handling

This commit is contained in:
Thomas Kriechbaumer 2015-06-22 20:40:07 +02:00
parent 2c928181e8
commit 14e49f4fc7
1 changed files with 25 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
libmproxy/proxy/config.py
View File

@ -49,10 +49,10 @@ class ProxyConfig:
ciphers_server=None, ciphers_server=None,
certs=[], certs=[],
certforward=False, certforward=False,
ssl_version_client="secure", ssl_version_client=tcp.SSL_DEFAULT_METHOD,
ssl_version_server="secure", ssl_version_server=tcp.SSL_DEFAULT_METHOD,
ssl_ports=TRANSPARENT_SSL_PORTS, ssl_ports=TRANSPARENT_SSL_PORTS,
spoofed_ssl_port=None spoofed_ssl_port=None,
): ):
self.host = host self.host = host
self.port = port self.port = port
@ -92,39 +92,19 @@ class ProxyConfig:
for spec, cert in certs: for spec, cert in certs:
self.certstore.add_cert_file(spec, cert) self.certstore.add_cert_file(spec, cert)
self.certforward = certforward self.certforward = certforward
self.openssl_method_client, self.openssl_options_client = version_to_openssl(
ssl_version_client)
self.openssl_method_server, self.openssl_options_server = version_to_openssl(
ssl_version_server)
self.ssl_ports = ssl_ports self.ssl_ports = ssl_ports
if isinstance(ssl_version_client, int):
self.openssl_method_client = ssl_version_client
else:
self.openssl_method_client = tcp.SSL_VERSIONS[ssl_version_client]
if isinstance(ssl_version_server, int):
self.openssl_method_server = ssl_version_server
else:
self.openssl_method_server = tcp.SSL_VERSIONS[ssl_version_server]
sslversion_choices = ( self.openssl_options_client = tcp.SSL_DEFAULT_OPTIONS
"all", self.openssl_options_server = tcp.SSL_DEFAULT_OPTIONS
"secure",
"SSLv2",
"SSLv3",
"TLSv1",
"TLSv1_1",
"TLSv1_2")
def version_to_openssl(version):
"""
Convert a reasonable SSL version specification into the format OpenSSL expects.
Don't ask...
https://bugs.launchpad.net/pyopenssl/+bug/1020632/comments/3
"""
if version == "all":
return SSL.SSLv23_METHOD, None
elif version == "secure":
# SSLv23_METHOD + NO_SSLv2 + NO_SSLv3 == TLS 1.0+
# TLSv1_METHOD would be TLS 1.0 only
return SSL.SSLv23_METHOD, (SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
elif version in sslversion_choices:
return getattr(SSL, "%s_METHOD" % version), None
else:
raise ValueError("Invalid SSL version: %s" % version)
def process_proxy_options(parser, options): def process_proxy_options(parser, options):
@ -281,16 +261,18 @@ def ssl_option_group(parser):
"Defaults to %s." % "Defaults to %s." %
str(TRANSPARENT_SSL_PORTS)) str(TRANSPARENT_SSL_PORTS))
group.add_argument( group.add_argument(
"--ssl-version-client", dest="ssl_version_client", "--ssl-version-client", dest="ssl_version_client", type=str, default=tcp.SSL_DEFAULT_VERSION,
default="secure", action="store", choices=tcp.SSL_VERSIONS.keys(),
choices=sslversion_choices, help=""""
help="Set supported SSL/TLS version for client connections. " Use a specified protocol for client connections:
"SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure." TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2, SSLv23.
Default to SSLv23."""
) )
group.add_argument( group.add_argument(
"--ssl-version-server", dest="ssl_version_server", "--ssl-version-server", dest="ssl_version_server", type=str, default=tcp.SSL_DEFAULT_VERSION,
default="secure", action="store", choices=tcp.SSL_VERSIONS.keys(),
choices=sslversion_choices, help=""""
help="Set supported SSL/TLS version for server connections. " Use a specified protocol for server connections:
"SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure." TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2, SSLv23.
Default to SSLv23."""
) )