fix support for chained certificates
parent
76bd554cd1
commit
d5c318b070
@ -36,7 +36,7 @@ class MyMaster(flow.FlowMaster):
config = proxy.ProxyConfig(
config = proxy.ProxyConfig(
port=8080,
port=8080,
ca_file=os.path.expanduser("~/.mitmproxy/mitmproxy-ca.pem")
default_ca=os.path.expanduser("~/.mitmproxy/mitmproxy-ca.pem")
)
)
state = flow.State()
state = flow.State()
server = ProxyServer(config)
server = ProxyServer(config)
@ -38,7 +38,7 @@ class StickyMaster(controller.Master):
config = proxy.ProxyConfig(
config = proxy.ProxyConfig(
port=8080,
port=8080,
ca_file=os.path.expanduser("~/.mitmproxy/mitmproxy-ca.pem")
default_ca=os.path.expanduser("~/.mitmproxy/mitmproxy-ca.pem")
)
)
server = ProxyServer(config)
server = ProxyServer(config)
m = StickyMaster(server)
m = StickyMaster(server)
@ -16,7 +16,7 @@ def parse_host_pattern(patterns):
class ProxyConfig:
class ProxyConfig:
def __init__(self, host='', port=8080, server_version=version.NAMEVERSION,
def __init__(self, host='', port=8080, server_version=version.NAMEVERSION,
confdir=CONF_DIR, ca_file=None, clientcerts=None,
confdir=CONF_DIR, default_ca=None, clientcerts=None,
no_upstream_cert=False, body_size_limit=None,
no_upstream_cert=False, body_size_limit=None,
mode=None, upstream_server=None, http_form_in=None, http_form_out=None,
mode=None, upstream_server=None, http_form_in=None, http_form_out=None,
authenticator=None, ignore=[],
authenticator=None, ignore=[],
@ -45,7 +45,7 @@ class ProxyConfig:
self.ignore = parse_host_pattern(ignore)
self.ignore = parse_host_pattern(ignore)
self.authenticator = authenticator
self.authenticator = authenticator
self.confdir = os.path.expanduser(confdir)
self.confdir = os.path.expanduser(confdir)
self.ca_file = ca_file or os.path.join(self.confdir, CONF_BASENAME + "-ca.pem")
self.default_ca = default_ca or os.path.join(self.confdir, CONF_BASENAME + "-ca.pem")
self.certstore = certutils.CertStore.from_store(self.confdir, CONF_BASENAME)
self.certstore = certutils.CertStore.from_store(self.confdir, CONF_BASENAME)
for spec, cert in certs:
for spec, cert in certs:
self.certstore.add_cert_file(spec, cert)
self.certstore.add_cert_file(spec, cert)
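Review bot: Renaming the public `ca_file` keyword of `ProxyConfig.__init__` to `default_ca` is an interface break for any caller that still constructs the config with `ca_file=` (the two bundled examples were updated, but an external script would now fail with a TypeError); keeping the old name as a deprecated alias costs two lines: `confdir=CONF_DIR, default_ca=None, ca_file=None, clientcerts=None,` and `self.default_ca = default_ca or ca_file or os.path.join(self.confdir, CONF_BASENAME + "-ca.pem")`. The stored path is no longer handed to the client-side TLS setup in this commit (that path now takes `chain_file` from `find_cert()`), so a one-line comment on the assignment naming where `default_ca` is consumed would help the next reader. On the signature's context line, `ignore=[]` is a shared mutable default; `ignore=()` avoids that if `parse_host_pattern` only iterates it. `__init__` starts at the first hunk's signature line and its body continues outside both hunks.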
@ -190,14 +190,14 @@ class ConnectionHandler:
if client:
if client:
if self.client_conn.ssl_established:
if self.client_conn.ssl_established:
raise ProxyError(502, "SSL to Client already established.")
raise ProxyError(502, "SSL to Client already established.")
cert, key = self.find_cert()
cert, key, chain_file = self.find_cert()
try:
try:
self.client_conn.convert_to_ssl(
self.client_conn.convert_to_ssl(
cert, key,
cert, key,
handle_sni=self.handle_sni,
handle_sni=self.handle_sni,
cipher_list=self.config.ciphers,
cipher_list=self.config.ciphers,
dhparams=self.config.certstore.dhparams,
dhparams=self.config.certstore.dhparams,
ca_file=self.config.ca_file
chain_file=chain_file
)
)
except tcp.NetLibError as v:
except tcp.NetLibError as v:
raise ProxyError(400, repr(v))
raise ProxyError(400, repr(v))
@ -264,17 +264,17 @@ class ConnectionHandler:
self.log("SNI received: %s" % self.sni, "debug")
self.log("SNI received: %s" % self.sni, "debug")
self.server_reconnect() # reconnect to upstream server with SNI
self.server_reconnect() # reconnect to upstream server with SNI
# Now, change client context to reflect changed certificate:
# Now, change client context to reflect changed certificate:
cert, key = self.find_cert()
cert, key, chain_file = self.find_cert()
new_context = self.client_conn._create_ssl_context(
new_context = self.client_conn._create_ssl_context(
cert, key,
cert, key,
method=SSL.TLSv1_METHOD,
method=SSL.TLSv1_METHOD,
cipher_list=self.config.ciphers,
cipher_list=self.config.ciphers,
dhparams=self.config.certstore.dhparams,
dhparams=self.config.certstore.dhparams,
ca_file=self.config.ca_file
chain_file=chain_file
)
)
connection.set_context(new_context)
connection.set_context(new_context)
# An unhandled exception in this method will core dump PyOpenSSL, so
# An unhandled exception in this method will core dump PyOpenSSL, so
# make dang sure it doesn't happen.
# make dang sure it doesn't happen.
except Exception: # pragma: no cover
except: # pragma: no cover
import traceback
import traceback
self.log("Error in handle_sni:\r\n" + traceback.format_exc(), "error")
self.log("Error in handle_sni:\r\n" + traceback.format_exc(), "error")
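Review bot: The handler at the end of `handle_sni` is widened from `except Exception:` to a bare `except:`, which now also catches `KeyboardInterrupt` and `SystemExit` and merely logs them; if the intent is to keep every exception out of the PyOpenSSL callback, as the comment above it says, `except BaseException:  # pragma: no cover` states that explicitly instead of relying on the bare form. In the earlier hunk of this file and again here, `find_cert()` now returns a third value `chain_file` that is passed straight through to `convert_to_ssl` / `_create_ssl_context`; if it can be `None` (presumably a generated leaf certificate with no intermediate chain), confirm both accept `None` rather than attempting to load a file, and document that in the docstring of `find_cert()`, which is outside this diff. `handle_sni` begins before this hunk.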