fix support for chained certificates

This commit is contained in:
Maximilian Hils 2014-10-08 20:44:52 +02:00
parent 76bd554cd1
commit d5c318b070
4 changed files with 9 additions and 9 deletions


@ -36,7 +36,7 @@ class MyMaster(flow.FlowMaster):
config = proxy.ProxyConfig( config = proxy.ProxyConfig(
port=8080, port=8080,
ca_file=os.path.expanduser("~/.mitmproxy/mitmproxy-ca.pem") default_ca=os.path.expanduser("~/.mitmproxy/mitmproxy-ca.pem")
) )
state = flow.State() state = flow.State()
server = ProxyServer(config) server = ProxyServer(config)


@ -38,7 +38,7 @@ class StickyMaster(controller.Master):
config = proxy.ProxyConfig( config = proxy.ProxyConfig(
port=8080, port=8080,
ca_file=os.path.expanduser("~/.mitmproxy/mitmproxy-ca.pem") default_ca=os.path.expanduser("~/.mitmproxy/mitmproxy-ca.pem")
) )
server = ProxyServer(config) server = ProxyServer(config)
m = StickyMaster(server) m = StickyMaster(server)


@ -16,7 +16,7 @@ def parse_host_pattern(patterns):
class ProxyConfig: class ProxyConfig:
def __init__(self, host='', port=8080, server_version=version.NAMEVERSION, def __init__(self, host='', port=8080, server_version=version.NAMEVERSION,
confdir=CONF_DIR, ca_file=None, clientcerts=None, confdir=CONF_DIR, default_ca=None, clientcerts=None,
no_upstream_cert=False, body_size_limit=None, no_upstream_cert=False, body_size_limit=None,
mode=None, upstream_server=None, http_form_in=None, http_form_out=None, mode=None, upstream_server=None, http_form_in=None, http_form_out=None,
authenticator=None, ignore=[], authenticator=None, ignore=[],
@ -45,7 +45,7 @@ class ProxyConfig:
self.ignore = parse_host_pattern(ignore) self.ignore = parse_host_pattern(ignore)
self.authenticator = authenticator self.authenticator = authenticator
self.confdir = os.path.expanduser(confdir) self.confdir = os.path.expanduser(confdir)
self.ca_file = ca_file or os.path.join(self.confdir, CONF_BASENAME + "-ca.pem") self.default_ca = default_ca or os.path.join(self.confdir, CONF_BASENAME + "-ca.pem")
self.certstore = certutils.CertStore.from_store(self.confdir, CONF_BASENAME) self.certstore = certutils.CertStore.from_store(self.confdir, CONF_BASENAME)
for spec, cert in certs: for spec, cert in certs:
self.certstore.add_cert_file(spec, cert) self.certstore.add_cert_file(spec, cert)


@ -190,14 +190,14 @@ class ConnectionHandler:
if client: if client:
if self.client_conn.ssl_established: if self.client_conn.ssl_established:
raise ProxyError(502, "SSL to Client already established.") raise ProxyError(502, "SSL to Client already established.")
cert, key = self.find_cert() cert, key, chain_file = self.find_cert()
try: try:
self.client_conn.convert_to_ssl( self.client_conn.convert_to_ssl(
cert, key, cert, key,
handle_sni=self.handle_sni, handle_sni=self.handle_sni,
cipher_list=self.config.ciphers, cipher_list=self.config.ciphers,
dhparams=self.config.certstore.dhparams, dhparams=self.config.certstore.dhparams,
ca_file=self.config.ca_file chain_file=chain_file
) )
except tcp.NetLibError as v: except tcp.NetLibError as v:
raise ProxyError(400, repr(v)) raise ProxyError(400, repr(v))
@ -264,17 +264,17 @@ class ConnectionHandler:
self.log("SNI received: %s" % self.sni, "debug") self.log("SNI received: %s" % self.sni, "debug")
self.server_reconnect() # reconnect to upstream server with SNI self.server_reconnect() # reconnect to upstream server with SNI
# Now, change client context to reflect changed certificate: # Now, change client context to reflect changed certificate:
cert, key = self.find_cert() cert, key, chain_file = self.find_cert()
new_context = self.client_conn._create_ssl_context( new_context = self.client_conn._create_ssl_context(
cert, key, cert, key,
method=SSL.TLSv1_METHOD, method=SSL.TLSv1_METHOD,
cipher_list=self.config.ciphers, cipher_list=self.config.ciphers,
dhparams=self.config.certstore.dhparams, dhparams=self.config.certstore.dhparams,
ca_file=self.config.ca_file chain_file=chain_file
) )
connection.set_context(new_context) connection.set_context(new_context)
# An unhandled exception in this method will core dump PyOpenSSL, so # An unhandled exception in this method will core dump PyOpenSSL, so
# make dang sure it doesn't happen. # make dang sure it doesn't happen.
except Exception: # pragma: no cover except: # pragma: no cover
import traceback import traceback
self.log("Error in handle_sni:\r\n" + traceback.format_exc(), "error") self.log("Error in handle_sni:\r\n" + traceback.format_exc(), "error")
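Review bot: The `except Exception:` → bare `except:` swap at the end of handle_sni (assuming the right-hand column is the new side, as it is for the `default_ca`/`chain_file` lines) widens the handler to BaseException, so KeyboardInterrupt and SystemExit raised during the SNI callback are now swallowed and only logged, and nothing in the commit explains why a chained-certificate fix needs that. The comment above it says an unhandled exception here core-dumps PyOpenSSL, so the widening may well be deliberate, but it should say so in place, e.g. `# bare except on purpose: this runs inside a PyOpenSSL callback, where even SystemExit/KeyboardInterrupt must not propagate`. Separately, both hunks now take the chain from `find_cert()` and no longer read `self.config.default_ca`; since find_cert is outside this view, confirm it falls back to `default_ca` (or that `convert_to_ssl`/`_create_ssl_context` accept `chain_file=None`) for generated per-host certs, otherwise clients would receive a leaf without its issuer chain. Both enclosing methods start outside the hunks shown.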