From 0b7b0ac33dd8bb5d057ebc36b8979d5e3ddc0384 Mon Sep 17 00:00:00 2001
From: elitest
Date: Sat, 28 Feb 2015 10:16:31 -0600
Subject: [PATCH 1/7] Update Config.py to improve cipher selection

added support for specifying cipher suites on both sides of the proxy instead of just the one.
---
 libmproxy/proxy/config.py | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py
index 84893323f..335d2dcf4 100644
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
@@ -55,7 +55,8 @@ class ProxyConfig:
 self.host = host
 self.port = port
 self.server_version = server_version
- self.ciphers = ciphers
+ self.client_ciphers = client_ciphers
+ self.server_ciphers = server_ciphers
 self.clientcerts = clientcerts
 self.no_upstream_cert = no_upstream_cert
 self.body_size_limit = body_size_limit
@@ -215,9 +216,14 @@ def ssl_option_group(parser):
 help="Client certificate directory."
 )
 group.add_argument(
- "--ciphers", action="store",
- type=str, dest="ciphers", default=None,
- help="SSL cipher specification."
+ "--client-ciphers", action="store",
+ type=str, dest="client_ciphers", default=None,
+ help="Proxy client SSL cipher specification."
+ )
+ group.add_argument(
+ "--server-ciphers", action="store",
+ type=str, dest="server_ciphers", default=None,
+ help="Proxy server SSL cipher specification."
 )
 group.add_argument(
 "--cert-forward", action="store_true",
@@ -248,4 +254,4 @@ def ssl_option_group(parser):
 metavar="PORT",
 help="Can be passed multiple times. Specify destination ports which are assumed to be SSL. "
 "Defaults to %s." % str(TRANSPARENT_SSL_PORTS)
- )
\ No newline at end of file
+ )

From 6a1e2941496d1606f9a112cb83652e0609be31d6 Mon Sep 17 00:00:00 2001
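Review bot: The new lines `self.client_ciphers = client_ciphers` and `self.server_ciphers = server_ciphers` at @@ -55 reference constructor parameters that do not exist until patch 3 of this series replaces `ciphers=None` in the signature, so this commit on its own raises NameError whenever a ProxyConfig is built, and the hunk at @@ -215 removes `--ciphers` while the option plumbing still reads `options.ciphers` until patch 3. The same bisectability problem recurs in patch 2, where the `options=self.config.openssl_server_options` line at @@ -189 lacks its trailing comma until patch 3, and in the SNI path at @@ -299, which keeps reading the removed `self.config.ciphers` until patch 7. Squashing the rename, the signature change, the option plumbing and the two server.py fixes into one commit would keep every intermediate revision runnable. The constructor body starts and ends outside the hunk.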
From: elitest
Date: Sat, 28 Feb 2015 11:07:18 -0600
Subject: [PATCH 2/7] Update Server.py to improve cipher selection

Differentiated client ciphers and added server ciphers.
---
 libmproxy/proxy/server.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libmproxy/proxy/server.py b/libmproxy/proxy/server.py
index 8544ff723..7306331c5 100644
--- a/libmproxy/proxy/server.py
+++ b/libmproxy/proxy/server.py
@@ -189,6 +189,7 @@ class ConnectionHandler:
 sni,
 method=self.config.openssl_server_method,
 options=self.config.openssl_server_options
+ cipher_list=self.config.server_ciphers,
 )
 except tcp.NetLibError as v:
 e = ProxyError(502, repr(v))
@@ -210,7 +211,7 @@ class ConnectionHandler:
 method=self.config.openssl_client_method,
 options=self.config.openssl_client_options,
 handle_sni=self.handle_sni,
- cipher_list=self.config.ciphers,
+ cipher_list=self.config.client_ciphers,
 dhparams=self.config.certstore.dhparams,
 chain_file=chain_file
 )

From b063d6020f18e8b0f3da56ebad557cec49a7ada5 Mon Sep 17 00:00:00 2001
From: Jim Shaver
Date: Sun, 1 Mar 2015 20:12:27 -0600
Subject: [PATCH 3/7] specified cipher_list in a few more locations, added a missing comma

---
 libmproxy/proxy/config.py | 6 ++++--
 libmproxy/proxy/server.py | 2 +-
 setup.py | 0
 3 files changed, 5 insertions(+), 3 deletions(-)
 mode change 100644 => 100755 setup.py

diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py
index 335d2dcf4..0215f92c9 100644
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
@@ -45,7 +45,8 @@ class ProxyConfig:
 authenticator=None,
 ignore_hosts=[],
 tcp_hosts=[],
- ciphers=None,
+ client_ciphers=None,
+ server_ciphers=None,
 certs=[],
 certforward=False,
 ssl_version_client="secure",
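Review bot: Dropping the `ciphers` keyword from the signature at @@ -45 (and `--ciphers` from the option group in patch 1) is a hard break for any caller that constructs `ProxyConfig(ciphers=...)` or any script that passes `--ciphers`; nothing in the series keeps the old spelling working. Whether such callers or tests exist cannot be told from this page, but if they do, keeping the old keyword as a deprecated alias for the client side costs two lines: `ciphers=None,` next to the two new keywords in the signature, and `self.client_ciphers = client_ciphers if client_ciphers is not None else ciphers` in the body. The signature continues outside the hunk in both directions.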
@@ -189,7 +190,8 @@ def process_proxy_options(parser, options):
 ignore_hosts=options.ignore_hosts,
 tcp_hosts=options.tcp_hosts,
 authenticator=authenticator,
- ciphers=options.ciphers,
+ client_ciphers=options.client_ciphers,
+ server_ciphers=options.server_ciphers,
 certs=certs,
 certforward=options.certforward,
 ssl_version_client=options.ssl_version_client,
diff --git a/libmproxy/proxy/server.py b/libmproxy/proxy/server.py
index 7306331c5..ebe91d227 100644
--- a/libmproxy/proxy/server.py
+++ b/libmproxy/proxy/server.py
@@ -188,7 +188,7 @@ class ConnectionHandler:
 self.config.clientcerts,
 sni,
 method=self.config.openssl_server_method,
- options=self.config.openssl_server_options
+ options=self.config.openssl_server_options,
 cipher_list=self.config.server_ciphers,
 )
 except tcp.NetLibError as v:
diff --git a/setup.py b/setup.py
old mode 100644
new mode 100755

From ac92df0fda7535a17b7ee3522e2d50b7ce2c01a7 Mon Sep 17 00:00:00 2001
From: Jim Shaver
Date: Sun, 1 Mar 2015 20:13:47 -0600
Subject: [PATCH 4/7] Un-executable'd setup.py

---
 setup.py | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100755 => 100644 setup.py

diff --git a/setup.py b/setup.py
old mode 100755
new mode 100644

From 13e74facb6b7af85cd9543ec56e01c3cd9b8270b Mon Sep 17 00:00:00 2001
From: elitest
Date: Sun, 1 Mar 2015 20:21:35 -0600
Subject: [PATCH 5/7] Update config.py

---
 libmproxy/proxy/config.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py
index 0215f92c9..e8c75bee9 100644
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
@@ -191,7 +191,7 @@ def process_proxy_options(parser, options):
 tcp_hosts=options.tcp_hosts,
 authenticator=authenticator,
 client_ciphers=options.client_ciphers,
- server_ciphers=options.server_ciphers,
+ server_ciphers=options.server_ciphers,
 certs=certs,
 certforward=options.certforward,
 ssl_version_client=options.ssl_version_client,
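Review bot: The cipher strings are forwarded verbatim at @@ -189 (`client_ciphers=options.client_ciphers`, `server_ciphers=options.server_ciphers`) with no validation, so a mistyped or unsupported cipher list is not detected at startup but only when a TLS context is first built for a connection; on the upstream side (@@ -188 in server.py) that failure is caught as `tcp.NetLibError` and turned into a per-connection `ProxyError(502, ...)`, where it is easy to mistake for an upstream fault rather than a proxy misconfiguration. Since this function receives `parser`, presumably to report option errors, consider applying each non-empty list to a throwaway SSL context here and calling `parser.error(...)` with the library's message on failure, so the operator learns immediately that the intended cipher restriction is not in effect. The function starts and ends outside the hunk.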
From c6f54605a72fa577ad1c968eb438f0aad8347c82 Mon Sep 17 00:00:00 2001
From: elitest
Date: Sun, 1 Mar 2015 20:49:03 -0600
Subject: [PATCH 6/7] Update Config.py to clarify help messages

---
 libmproxy/proxy/config.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py
index e8c75bee9..a4765852e 100644
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
@@ -220,12 +220,12 @@ def ssl_option_group(parser):
 group.add_argument(
 "--client-ciphers", action="store",
 type=str, dest="client_ciphers", default=None,
- help="Proxy client SSL cipher specification."
+ help="Client facing SSL cipher specification."
 )
 group.add_argument(
 "--server-ciphers", action="store",
 type=str, dest="server_ciphers", default=None,
- help="Proxy server SSL cipher specification."
+ help="Server facing SSL cipher specification."
 )
 group.add_argument(
 "--cert-forward", action="store_true",

From 5e07fe08ea80a860a215fe65b8430698261c7cb7 Mon Sep 17 00:00:00 2001
From: elitest
Date: Mon, 2 Mar 2015 00:19:06 -0600
Subject: [PATCH 7/7] Update Server.py to fix SNI handling

Forgot to change ciphers->client_ciphers.
---
 libmproxy/proxy/server.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libmproxy/proxy/server.py b/libmproxy/proxy/server.py
index ebe91d227..cb6d3c701 100644
--- a/libmproxy/proxy/server.py
+++ b/libmproxy/proxy/server.py
@@ -299,7 +299,7 @@ class ConnectionHandler:
 cert, key,
 method=self.config.openssl_client_method,
 options=self.config.openssl_client_options,
- cipher_list=self.config.ciphers,
+ cipher_list=self.config.client_ciphers,
 dhparams=self.config.certstore.dhparams,
 chain_file=chain_file
 )
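Review bot: The new help strings at @@ -220 give neither the syntax of the value nor what happens when the flag is absent (`default=None`), which is exactly what an operator needs in order to restrict ciphers correctly and to notice when a restriction is not in effect. Since the value is handed straight to netlib's `cipher_list` alongside the `openssl_*` method and options settings, it is presumably an OpenSSL cipher-list string; the help could read `help="Client facing SSL cipher specification (OpenSSL cipher-list syntax; unset keeps the library default)."` with the matching server-facing wording, and `metavar="CIPHERS"` on both arguments would make the usage line self-explanatory. ssl_option_group continues outside the hunk in both directions.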
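Review bot: The line `cipher_list=self.config.client_ciphers` at @@ -299 is the second hand-written copy of the client-facing TLS context arguments (the first is at @@ -210 in patch 2), and this patch exists precisely because the copy was missed: between patch 2 and this one the SNI path still read the removed `self.config.ciphers` and would have raised AttributeError on every SNI handshake. Building the shared keyword arguments in one helper and unpacking it at both call sites removes the chance of the two drifting again; the `handle_sni=self.handle_sni` argument that only the @@ -210 site passes would stay where it is. The enclosing handler, presumably handle_sni, starts and ends outside the hunk.
```python
    def _client_tls_args(self):
        """Keyword arguments shared by every client-facing TLS context."""
        return dict(
            method=self.config.openssl_client_method,
            options=self.config.openssl_client_options,
            cipher_list=self.config.client_ciphers,
            dhparams=self.config.certstore.dhparams,
        )

    # … unchanged: SNI handler up to the TLS-context call …
            cert, key,
            chain_file=chain_file,
            **self._client_tls_args()
        )
```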