Merge pull request #493 from elitest/master

Adding support for server facing SSL cipher suite specification
2015-03-02 14:25:14 +01:00 · 2015-03-02 14:25:14 +01:00 · 7cf1ec7435
parent dff70150f5 5e07fe08ea
commit 7cf1ec7435
2 changed files with 19 additions and 10 deletions
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
@ -45,7 +45,8 @@ class ProxyConfig:
            authenticator=None,
            ignore_hosts=[],
            tcp_hosts=[],
-            ciphers=None,
+            client_ciphers=None,
+            server_ciphers=None,
            certs=[],
            certforward=False,
            ssl_version_client="secure",
@ -55,7 +56,8 @@ class ProxyConfig:
        self.host = host
        self.port = port
        self.server_version = server_version
-        self.ciphers = ciphers
+        self.client_ciphers = client_ciphers
+        self.server_ciphers = server_ciphers
        self.clientcerts = clientcerts
        self.no_upstream_cert = no_upstream_cert
        self.body_size_limit = body_size_limit
@ -188,7 +190,8 @@ def process_proxy_options(parser, options):
        ignore_hosts=options.ignore_hosts,
        tcp_hosts=options.tcp_hosts,
        authenticator=authenticator,
-        ciphers=options.ciphers,
+        client_ciphers=options.client_ciphers,
+        server_ciphers=options.server_ciphers,
        certs=certs,
        certforward=options.certforward,
        ssl_version_client=options.ssl_version_client,
@ -215,9 +218,14 @@ def ssl_option_group(parser):
        help="Client certificate directory."
    )
    group.add_argument(
-        "--ciphers", action="store",
-        type=str, dest="ciphers", default=None,
-        help="SSL cipher specification."
+        "--client-ciphers", action="store",
+        type=str, dest="client_ciphers", default=None,
+        help="Client facing SSL cipher specification."
+    )
+    group.add_argument(
+        "--server-ciphers", action="store",
+        type=str, dest="server_ciphers", default=None,
+        help="Server facing SSL cipher specification."
    )
    group.add_argument(
        "--cert-forward", action="store_true",
@ -248,4 +256,4 @@ def ssl_option_group(parser):
        metavar="PORT",
        help="Can be passed multiple times. Specify destination ports which are assumed to be SSL. "
             "Defaults to %s." % str(TRANSPARENT_SSL_PORTS)
-    )
+    )
--- a/libmproxy/proxy/server.py
+++ b/libmproxy/proxy/server.py
@ -188,7 +188,8 @@ class ConnectionHandler:
                    self.config.clientcerts,
                    sni,
                    method=self.config.openssl_server_method,
-                    options=self.config.openssl_server_options
+                    options=self.config.openssl_server_options,
+                    cipher_list=self.config.server_ciphers,
                )
            except tcp.NetLibError as v:
                e = ProxyError(502, repr(v))
@ -210,7 +211,7 @@ class ConnectionHandler:
                    method=self.config.openssl_client_method,
                    options=self.config.openssl_client_options,
                    handle_sni=self.handle_sni,
-                    cipher_list=self.config.ciphers,
+                    cipher_list=self.config.client_ciphers,
                    dhparams=self.config.certstore.dhparams,
                    chain_file=chain_file
                )
@ -298,7 +299,7 @@ class ConnectionHandler:
                    cert, key,
                    method=self.config.openssl_client_method,
                    options=self.config.openssl_client_options,
-                    cipher_list=self.config.ciphers,
+                    cipher_list=self.config.client_ciphers,
                    dhparams=self.config.certstore.dhparams,
                    chain_file=chain_file
                )