Merge pull request #654 from mitmproxy/remove_certforward

Remove Certforward Feature
2015-06-27 09:22:41 +12:00 · 2015-06-27 09:22:41 +12:00 · 5f277408cf
parent 7990503eaf b369962cbe
commit 5f277408cf
4 changed files with 18 additions and 40 deletions
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
@ -48,7 +48,6 @@ class ProxyConfig:
            ciphers_client=None,
            ciphers_server=None,
            certs=[],
-            certforward=False,
            ssl_version_client=tcp.SSL_DEFAULT_METHOD,
            ssl_version_server=tcp.SSL_DEFAULT_METHOD,
            ssl_ports=TRANSPARENT_SSL_PORTS,
@ -91,7 +90,6 @@ class ProxyConfig:
            CONF_BASENAME)
        for spec, cert in certs:
            self.certstore.add_cert_file(spec, cert)
-        self.certforward = certforward
        self.ssl_ports = ssl_ports

        if isinstance(ssl_version_client, int):
@ -202,7 +200,6 @@ def process_proxy_options(parser, options):
        ciphers_client=options.ciphers_client,
        ciphers_server=options.ciphers_server,
        certs=certs,
-        certforward=options.certforward,
        ssl_version_client=options.ssl_version_client,
        ssl_version_server=options.ssl_version_server,
        ssl_ports=ssl_ports,
@ -225,11 +222,6 @@ def ssl_option_group(parser):
        'it is used, else the default key in the conf dir is used. '
        'The PEM file should contain the full certificate chain, with the leaf certificate as the first entry. '
        'Can be passed multiple times.')
-    group.add_argument(
-        "--cert-forward", action="store_true",
-        dest="certforward", default=False,
-        help="Simply forward SSL certificates from upstream."
-    )
    group.add_argument(
        "--ciphers-client", action="store",
        type=str, dest="ciphers_client", default=None,
--- a/libmproxy/proxy/server.py
+++ b/libmproxy/proxy/server.py
@ -303,29 +303,25 @@ class ConnectionHandler:
        self.channel.tell("log", Log(msg, level))

    def find_cert(self):
-        if self.config.certforward and self.server_conn.ssl_established:
-            return self.server_conn.cert, self.config.certstore.gen_pkey(
-                self.server_conn.cert), None
-        else:
-            host = self.server_conn.address.host
-            sans = []
-            if self.server_conn.ssl_established and (
-                    not self.config.no_upstream_cert):
-                upstream_cert = self.server_conn.cert
-                sans.extend(upstream_cert.altnames)
-                if upstream_cert.cn:
-                    sans.append(host)
-                    host = upstream_cert.cn.decode("utf8").encode("idna")
-            if self.server_conn.sni:
-                sans.append(self.server_conn.sni)
-            # for ssl spoof mode
-            if hasattr(self.client_conn, "sni"):
-                sans.append(self.client_conn.sni)
+        host = self.server_conn.address.host
+        sans = []
+        if self.server_conn.ssl_established and (
+                not self.config.no_upstream_cert):
+            upstream_cert = self.server_conn.cert
+            sans.extend(upstream_cert.altnames)
+            if upstream_cert.cn:
+                sans.append(host)
+                host = upstream_cert.cn.decode("utf8").encode("idna")
+        if self.server_conn.sni:
+            sans.append(self.server_conn.sni)
+        # for ssl spoof mode
+        if hasattr(self.client_conn, "sni"):
+            sans.append(self.client_conn.sni)

-            ret = self.config.certstore.get_cert(host, sans)
-            if not ret:
-                raise ProxyError(502, "Unable to generate dummy cert.")
-            return ret
+        ret = self.config.certstore.get_cert(host, sans)
+        if not ret:
+            raise ProxyError(502, "Unable to generate dummy cert.")
+        return ret

    def handle_sni(self, connection):
        """
--- a/test/test_server.py
+++ b/test/test_server.py
@ -757,14 +757,6 @@ class TestIncompleteResponse(tservers.HTTPProxTest):
        assert self.pathod("200").status_code == 502


-class TestCertForward(tservers.HTTPProxTest):
-    certforward = True
-    ssl = True
-
-    def test_app_err(self):
-        tutils.raises("handshake error", self.pathod, "200:b@100")
-
-
 class TestUpstreamProxy(tservers.HTTPUpstreamProxTest, CommonMixin, AppMixin):
    ssl = False

--- a/test/tservers.py
+++ b/test/tservers.py
@ -89,7 +89,6 @@ class ProxTestBase(object):
    no_upstream_cert = False
    authenticator = None
    masterclass = TestMaster
-    certforward = False

    @classmethod
    def setupAll(cls):
@ -131,7 +130,6 @@ class ProxTestBase(object):
            no_upstream_cert = cls.no_upstream_cert,
            cadir = cls.cadir,
            authenticator = cls.authenticator,
-            certforward = cls.certforward,
            ssl_ports=([cls.server.port, cls.server2.port] if cls.ssl else []),
            clientcerts = tutils.test_data.path("data/clientcert") if cls.clientcerts else None
        )