Add SNI ignore docs and have code match it
parent
8f8c2efccd
commit
4be8d148b1
@ -31,9 +31,9 @@ mitmproxy allows you to specify a regex which is matched against a ``host:port``
There are two important quirks to consider:
- **In transparent mode, the ignore pattern is matched against the IP.** While we usually infer the
- **In transparent mode, the ignore pattern is matched against the IP and ClientHello SNI host.** While we usually infer the
hostname from the Host header if the :option:`--host` argument is passed to mitmproxy, we do not
have access to this information before the SSL handshake.
have access to this information before the SSL handshake. If the client uses SNI however, then we treat the SNI host as an ignore target.
- In regular mode, explicit HTTP requests are never ignored. [#explicithttp]_ The ignore pattern is
applied on CONNECT requests, which initiate HTTPS or clear-text WebSocket connections.
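Review bot: the new sentence about SNI understates what is actually matched: the code pairs the SNI hostname with a fixed port 443 (see `(client_hello.client_sni, 443)` in the second hunk), so an ignore pattern that pins a non-standard port, e.g. `example\.com:8443`, will not match on SNI even when the connection goes to that port. Document that the SNI host is matched as `host:443`, and that the IP is checked first with SNI consulted only when the IP did not match. The wording also reads better as "If the client uses SNI, however, the ignore pattern is also matched against the SNI host" rather than "then we treat the SNI host as an ignore target".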
@ -55,15 +55,15 @@ class RootContext(object):
# 1. check for --ignore
if self.config.check_ignore:
address = top_layer.server_conn.address
if client_tls:
try:
client_hello = TlsClientHello.from_client_conn(self.client_conn)
except TlsProtocolException as e:
self.log("Cannot parse Client Hello: %s" % repr(e), "error")
else:
address = (client_hello.client_sni, 443)
if self.config.check_ignore(address):
ignore = self.config.check_ignore(top_layer.server_conn.address)
if not ignore and client_tls:
try:
client_hello = TlsClientHello.from_client_conn(self.client_conn)
except TlsProtocolException as e:
self.log("Cannot parse Client Hello: %s" % repr(e), "error")
else:
ignore = self.config.check_ignore((client_hello.client_sni, 443))
if ignore:
return RawTCPLayer(top_layer, logging=False)
# 2. Always insert a TLS layer, even if there's neither client nor server tls.
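Review bot: `client_hello.client_sni` is handed to `check_ignore` in the `else:` branch without checking that the ClientHello actually carried an SNI extension; a ClientHello with no SNI will still reach `self.config.check_ignore((client_hello.client_sni, 443))` with an unset host, and a loose pattern could then ignore the flow by accident. Guard the second call with `if client_hello.client_sni:`. The port in that tuple is also hard-coded to 443 while the real destination port is already available in `top_layer.server_conn.address`; reuse it so that patterns pinning a non-443 port keep working in transparent mode. Checking the IP first and only parsing the ClientHello when it did not match is the right order (the old code always overrode the IP with the SNI when parsing succeeded), but the fallback after a `TlsProtocolException`, where the flow continues with only the IP result, deserves a short comment saying it is intentional.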