Add SNI ignore docs and have code match it

David Weinstein 2016-01-26 13:09:22 -05:00
parent 8f8c2efccd
commit 4be8d148b1
2 changed files with 11 additions and 11 deletions


@ -31,9 +31,9 @@ mitmproxy allows you to specify a regex which is matched against a ``host:port``
There are two important quirks to consider:
- **In transparent mode, the ignore pattern is matched against the IP.** While we usually infer the
- **In transparent mode, the ignore pattern is matched against the IP and ClientHello SNI host.** While we usually infer the
hostname from the Host header if the :option:`--host` argument is passed to mitmproxy, we do not
have access to this information before the SSL handshake.
have access to this information before the SSL handshake. If the client uses SNI however, then we treat the SNI host as an ignore target.
- In regular mode, explicit HTTP requests are never ignored. [#explicithttp]_ The ignore pattern is
applied on CONNECT requests, which initiate HTTPS or clear-text WebSocket connections.
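Review bot: The new sentence "If the client uses SNI however, then we treat the SNI host as an ignore target." leaves the matching order and the port unstated, while the paragraph above says the pattern is matched against ``host:port``. From the accompanying code change the IP is checked first and the SNI host is only consulted when the IP did not match, and the SNI host is paired with the fixed port 443 rather than the real destination port; both points belong in this paragraph so a reader writing an ignore regex for a non-443 TLS port is not surprised. The rewritten bullet and its continuation are also much longer than the neighbouring lines; wrapping them to the existing width keeps the RST source readable.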


@ -55,15 +55,15 @@ class RootContext(object):
# 1. check for --ignore
if self.config.check_ignore:
address = top_layer.server_conn.address
if client_tls:
ignore = self.config.check_ignore(top_layer.server_conn.address)
if not ignore and client_tls:
try:
client_hello = TlsClientHello.from_client_conn(self.client_conn)
except TlsProtocolException as e:
self.log("Cannot parse Client Hello: %s" % repr(e), "error")
else:
address = (client_hello.client_sni, 443)
if self.config.check_ignore(address):
ignore = self.config.check_ignore((client_hello.client_sni, 443))
if ignore:
return RawTCPLayer(top_layer, logging=False)
# 2. Always insert a TLS layer, even if there's neither client nor server tls.
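Review bot: The second lookup, `ignore = self.config.check_ignore((client_hello.client_sni, 443))`, runs whenever the ClientHello parses, so if `client_hello.client_sni` can be empty (a ClientHello with no SNI extension) the pattern is matched against an empty host; guarding the call with a check on `client_hello.client_sni` would skip it cleanly in that case. The port is also hard-coded to 443 even though `top_layer.server_conn.address` carries the actual destination port, so an ignore pattern written for a TLS service on another port will match by IP but never by SNI; using the real port from the server address would keep the two checks consistent. Finally, the ordering change (IP first, SNI only as a fallback) is the behaviour the docs now promise, but the two changed files contain no test for it; a small test covering the IP-only match, the SNI fallback, and the unparsable-ClientHello path would pin it down.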