diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py index b6d733140..a7a719cff 100644 --- a/libmproxy/proxy/config.py +++ b/libmproxy/proxy/config.py @@ -48,7 +48,6 @@ class ProxyConfig: ciphers_client=None, ciphers_server=None, certs=[], - certforward=False, ssl_version_client=tcp.SSL_DEFAULT_METHOD, ssl_version_server=tcp.SSL_DEFAULT_METHOD, ssl_ports=TRANSPARENT_SSL_PORTS, @@ -91,7 +90,6 @@ class ProxyConfig: CONF_BASENAME) for spec, cert in certs: self.certstore.add_cert_file(spec, cert) - self.certforward = certforward self.ssl_ports = ssl_ports if isinstance(ssl_version_client, int): @@ -202,7 +200,6 @@ def process_proxy_options(parser, options): ciphers_client=options.ciphers_client, ciphers_server=options.ciphers_server, certs=certs, - certforward=options.certforward, ssl_version_client=options.ssl_version_client, ssl_version_server=options.ssl_version_server, ssl_ports=ssl_ports, @@ -225,11 +222,6 @@ def ssl_option_group(parser): 'it is used, else the default key in the conf dir is used. ' 'The PEM file should contain the full certificate chain, with the leaf certificate as the first entry. ' 'Can be passed multiple times.') - group.add_argument( - "--cert-forward", action="store_true", - dest="certforward", default=False, - help="Simply forward SSL certificates from upstream." - ) group.add_argument( "--ciphers-client", action="store", type=str, dest="ciphers_client", default=None, diff --git a/libmproxy/proxy/server.py b/libmproxy/proxy/server.py index 71704413a..051e84893 100644 --- a/libmproxy/proxy/server.py +++ b/libmproxy/proxy/server.py @@ -303,29 +303,25 @@ class ConnectionHandler: self.channel.tell("log", Log(msg, level)) def find_cert(self): - if self.config.certforward and self.server_conn.ssl_established: - return self.server_conn.cert, self.config.certstore.gen_pkey( - self.server_conn.cert), None - else: - host = self.server_conn.address.host - sans = [] - if self.server_conn.ssl_established and ( - not self.config.no_upstream_cert): - upstream_cert = self.server_conn.cert - sans.extend(upstream_cert.altnames) - if upstream_cert.cn: - sans.append(host) - host = upstream_cert.cn.decode("utf8").encode("idna") - if self.server_conn.sni: - sans.append(self.server_conn.sni) - # for ssl spoof mode - if hasattr(self.client_conn, "sni"): - sans.append(self.client_conn.sni) + host = self.server_conn.address.host + sans = [] + if self.server_conn.ssl_established and ( + not self.config.no_upstream_cert): + upstream_cert = self.server_conn.cert + sans.extend(upstream_cert.altnames) + if upstream_cert.cn: + sans.append(host) + host = upstream_cert.cn.decode("utf8").encode("idna") + if self.server_conn.sni: + sans.append(self.server_conn.sni) + # for ssl spoof mode + if hasattr(self.client_conn, "sni"): + sans.append(self.client_conn.sni) - ret = self.config.certstore.get_cert(host, sans) - if not ret: - raise ProxyError(502, "Unable to generate dummy cert.") - return ret + ret = self.config.certstore.get_cert(host, sans) + if not ret: + raise ProxyError(502, "Unable to generate dummy cert.") + return ret def handle_sni(self, connection): """ diff --git a/test/test_server.py b/test/test_server.py index 07b8a5f23..8cf4095b9 100644 --- a/test/test_server.py +++ b/test/test_server.py @@ -757,14 +757,6 @@ class TestIncompleteResponse(tservers.HTTPProxTest): assert self.pathod("200").status_code == 502 -class TestCertForward(tservers.HTTPProxTest): - certforward = True - ssl = True - - def test_app_err(self): - tutils.raises("handshake error", self.pathod, "200:b@100") - - class TestUpstreamProxy(tservers.HTTPUpstreamProxTest, CommonMixin, AppMixin): ssl = False diff --git a/test/tservers.py b/test/tservers.py index c70ad68a0..96e340e95 100644 --- a/test/tservers.py +++ b/test/tservers.py @@ -89,7 +89,6 @@ class ProxTestBase(object): no_upstream_cert = False authenticator = None masterclass = TestMaster - certforward = False @classmethod def setupAll(cls): @@ -131,7 +130,6 @@ class ProxTestBase(object): no_upstream_cert = cls.no_upstream_cert, cadir = cls.cadir, authenticator = cls.authenticator, - certforward = cls.certforward, ssl_ports=([cls.server.port, cls.server2.port] if cls.ssl else []), clientcerts = tutils.test_data.path("data/clientcert") if cls.clientcerts else None )