From 3fbf3cf8eeccf3338c0ce3fe0d4c4ab7df91cdc5 Mon Sep 17 00:00:00 2001
From: Maximilian Hils
Date: Mon, 27 Dec 2021 12:22:08 +0100
Subject: [PATCH] tlsconfig: don't overwrite existing TLS context, refs #5019

---
 mitmproxy/addons/tlsconfig.py | 6 ++++++
 test/mitmproxy/addons/test_tlsconfig.py | 11 +++++++++++
 2 files changed, 17 insertions(+)

diff --git a/mitmproxy/addons/tlsconfig.py b/mitmproxy/addons/tlsconfig.py
index 416532bc9..3a376af04 100644
--- a/mitmproxy/addons/tlsconfig.py
+++ b/mitmproxy/addons/tlsconfig.py
@@ -115,6 +115,9 @@ class TlsConfig:
 def tls_start_client(self, tls_start: tls.TlsData) -> None:
 """Establish TLS between client and proxy."""
+ if tls_start.ssl_conn is not None:
+ return # a user addon has already provided the pyOpenSSL context.
+
 client: connection.Client = tls_start.context.client
 server: connection.Server = tls_start.context.server
@@ -162,6 +165,9 @@ class TlsConfig:
 def tls_start_server(self, tls_start: tls.TlsData) -> None:
 """Establish TLS between proxy and server."""
+ if tls_start.ssl_conn is not None:
+ return # a user addon has already provided the pyOpenSSL context.
+
 client: connection.Client = tls_start.context.client
 server: connection.Server = tls_start.context.server
 assert server.address
diff --git a/test/mitmproxy/addons/test_tlsconfig.py b/test/mitmproxy/addons/test_tlsconfig.py
index 2f203713d..9a349d29b 100644
--- a/test/mitmproxy/addons/test_tlsconfig.py
+++ b/test/mitmproxy/addons/test_tlsconfig.py
@@ -134,6 +134,11 @@ class TestTlsConfig:
 tls_start = tls.TlsData(ctx.client, context=ctx)
 ta.tls_start_client(tls_start)
 tssl_server = tls_start.ssl_conn
+
+ # assert that a preexisting ssl_conn is not overwritten
+ ta.tls_start_client(tls_start)
+ assert tssl_server is tls_start.ssl_conn
+
 tssl_client = test_tls.SSLTest()
 assert self.do_handshake(tssl_client, tssl_server)
 assert tssl_client.obj.getpeercert()["subjectAltName"] == (("DNS", "example.mitmproxy.org"),)
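Review bot: The new early return in `tls_start_client` turns the hook into a silent no-op whenever `tls_start.ssl_conn` is already set, but the docstring still reads as if TLS is established unconditionally. The skipped body is what produces the certificate the test hunk below checks via `subjectAltName`, so an addon that pre-populates `ssl_conn` takes over certificate selection entirely, and a reader should learn that from the docstring rather than from the one-line comment on the `return`. Suggested docstring: `"""Establish TLS between client and proxy. No-op if another addon has already set tls_start.ssl_conn; that addon then owns the whole client-side TLS setup and none of this addon's options are applied."""`. The rest of the method body is outside the hunk, so the exact list of settings that are skipped cannot be confirmed here.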
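Review bot: The same early return in `tls_start_server` also bypasses whatever upstream-certificate verification this addon would otherwise configure (the body continues outside the hunk, so the exact settings are not visible here), which means an addon that hands over a pre-built `ssl_conn` with default pyOpenSSL verification settings gets an unverified proxy-to-server connection and nothing in the log points at the handover. The last test hunk in this patch shows `tls_start_server` is also what fills `server.alpn_offers`, so that value is left untouched as well. At minimum the docstring should carry the caveat, e.g. `"""Establish TLS between proxy and server. No-op if another addon has already set tls_start.ssl_conn; that addon is then responsible for upstream certificate verification and ALPN, and none of this addon's options are applied."""`. A debug-level log line before the `return` would additionally make the bypass visible when a connection unexpectedly ignores the configured options; I cannot see which logging facility this file uses, so the exact call is left to the author.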
@@ -164,6 +169,11 @@ class TestTlsConfig:
 tls_start = tls.TlsData(ctx.server, context=ctx)
 ta.tls_start_server(tls_start)
 tssl_client = tls_start.ssl_conn
+
+ # assert that a preexisting ssl_conn is not overwritten
+ ta.tls_start_server(tls_start)
+ assert tssl_client is tls_start.ssl_conn
+
 tssl_server = test_tls.SSLTest(server_side=True)
 assert self.do_handshake(tssl_client, tssl_server)
@@ -197,6 +207,7 @@ class TestTlsConfig:
 tctx.configure(ta, http2=http2)
 ctx.client.alpn_offers = client_offers
 ctx.server.alpn_offers = None
+ tls_start.ssl_conn = None
 ta.tls_start_server(tls_start)
 assert ctx.server.alpn_offers == expected
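Review bot: The added `tls_start.ssl_conn = None` reset in the last hunk is load-bearing only because of the new guard in `tls_start_server`, which returns before touching `server.alpn_offers` once `ssl_conn` is set; without a comment a future cleanup could drop the line, after which `ctx.server.alpn_offers` stays at the `None` assigned two lines above and the assertion fails for every non-`None` expectation after the first call. Suggest `tls_start.ssl_conn = None  # reset: tls_start_server is a no-op once ssl_conn is set`. The enclosing test function starts and ends outside the hunk, so I cannot tell whether the reset also belongs at the top of the loop or helper that drives these iterations.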